CyberWire Daily - Persona non grata, Ivan Ivanovich. Grid threat worries. Data scandal updates. Malware notes. Reaction to Iranian indictments. Alleged Carbanak kingpin collared.
Episode Date: March 26, 2018
In today's podcast we hear that sixty Russian diplomats are now persona non grata in the US. It's the largest such retaliation so far for the Russian nerve agent attack in Salisbury, England. Fear of a Russian riposte against Western power grids remains high. Cambridge Analytica was raided over the weekend in the continuing Facebook data scandal. Facebook faces more difficulties over Android data collection. Notes on malware circulating in the wild. Iran objects to US indictments. Daniel Prince from Lancaster University discusses risk management. And the alleged Carbanak "mastermind" is arrested in Spain.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
60 Russian diplomats are now persona non grata in the U.S.
It's the largest retaliation so far for the Russian nerve agent attack in Salisbury,
England. Fear of a Russian response against Western power grids remains high. Cambridge
Analytica was raided over the weekend in the continuing Facebook data scandal. Facebook faces
more difficulties over Android data collection. Notes on malware circulating in the wild. Iran
objects to U.S. indictments. And the alleged Carbanak mastermind is arrested in Spain.
From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary for Monday, March 26, 2018.
The U.S. this morning expelled 60 Russian diplomats in response to Russia's nerve agent assassination attempt in Salisbury, England.
The U.K. had expelled 23 Russian diplomats last week.
Other countries doing the same in solidarity with the U.K. include Germany, France, and Poland, expelling four diplomats each,
Lithuania, with three expulsions and bans on visits from 44 Russian nationals,
and Ukraine, with 13 Russians being declared persona non grata.
Other NATO and European Union countries are expected to follow suit.
The moves come during a period of heightened fears of cyber attack,
especially Russian cyber attacks against vulnerable power grids.
Enforcement officers from the UK's Information
Commissioner's Office raided Cambridge Analytica's London headquarters late Friday night,
tossing the place until 3 o'clock Saturday morning. Cambridge Analytica acting CEO Alexander Taylor,
standing in for the suspended Alexander Nix, said the company believed the data they obtained had
been gotten in accordance with both Facebook's terms of service and applicable data protection laws.
He made this public statement.
Quote,
I am sorry that in 2014, SCL Elections, an affiliate of Cambridge Analytica, licensed Facebook data from a research company that had not received consent from respondents.
The company believed the data had been obtained in line with Facebook's terms of service and data protection laws.
We are now undertaking an independent, third-party audit to verify that we do not hold any GSR data.
GSR is the research firm that initially obtained the information.
Taylor also said the whistleblower who was the source of the allegations against the company, Christopher Wiley,
was no whistleblower at all, but a part-time contractor who worked for Cambridge Analytica for less than a year and left in 2014.
What the ICO officers found in their raid, if anything, is of course not yet known.
The judge who issued the search warrant Friday is expected to explain his ruling this
week. We do know that Cambridge Analytica and Facebook are in hot water in Chicago.
Cook County, Illinois, charged them Friday with violations of Illinois anti-fraud laws
for compromising users' privacy. Facebook disputes an Ars Technica report that Facebook
indiscriminately collected Android data, including calls.
The denial insists that in this case Facebook collected only data users gave it permission to collect.
Ars Technica found that call logs were being collected and retained.
The information collected is said to include numbers of contacts and the date, time, and duration of calls.
Facebook's explanation is that call and text history logging is part of an opt-in feature for users of Messenger or Facebook Lite on Android.
The company began to ask for explicit permission to access SMS and call data in 2016
after complaints that their previous way of obtaining opt-in was an OK button
that approved, quote, keeping all your SMS messages
in one place, end quote.
Facebook has been clobbered in the market by the data scandal, losing, according to
MarketWatch, $75 billion in market cap last week.
For purposes of comparison, that's like losing a Raytheon plus two Booz Allens, which is
a lot of market cap lost.
Yesterday, Facebook took out a big full-page print ad in The Washington Post,
The New York Times, The Wall Street Journal, and six British papers.
The ad apologizes for not better protecting users' data.
Writing in the first-person singular, CEO Zuckerberg writes,
quote,
You may have heard about a quiz app built by a university researcher
that leaked Facebook data of millions of people in 2014. This was a breach of trust, and I'm sorry we didn't do
more at the time. We're now taking steps to make sure this doesn't happen again, end quote. So,
the company continues to frame the scandal as a relatively restricted app issue. Zuckerberg says,
quote, finally, we'll remind you of which apps you've given access to
your information so you can shut off the ones you don't want anymore, end quote. And he closes with
a, quote, thank you for believing in this community. I promise to do better for you, end quote.
It's worth noting that the ad ran in papers, that is, in dead tree legacy media. The irony is obvious, and the ad campaign has already prompted a Twitter hashtag,
print is the new privacy app.
Other similar hashtags will surely follow.
Here's one we suggest, as officials consider election security.
How about hashtag, paper is voting's killer app?
It's catchy, hmm?
Several relatively new strains of malware are being
tracked in the wild. Here's a quick rundown.
Late last week, the
gang behind the Rapid ransomware
released version 2.0.
It's little changed from the original, but
with one significant alteration.
It will not execute on a victim machine
if it detects Russian locale settings.
MalwareHunter Team, which found Rapid 2.0,
sees signs it may have been released prematurely.
Its source code wasn't packed.
MalwareHunter Team has also described AVCrypt ransomware,
remarkable for its attempt to uninstall security software
before it begins encrypting files on a victim machine.
It may be a wiper, since it offers no instructions for paying the ransom.
And like Rapid 2.0, AVCrypt's source code also wasn't packed.
DiskWriter, or Useless Disk, is a master boot record bootloader that Bleeping Computer thinks
may also be a wiper, since the criminals leave no way of paying the $300 ransom they demand.
WebRoot reports that the TrickBot banking trojan has received a new module that can
lock an infected system to hold it for ransom.
Sophos Labs found six malicious apps in Google's Play Store, five posed as QR readers, the
sixth as a smart compass.
All have been reported and removed, but not before attracting half a million downloads.
Trend Micro has found Monero crypto miners installed in Linux servers via an old vulnerability in the Cacti Network Weather Map plug-in.
Iran has expressed outrage over the U.S. indictment of nine hackers working for the Mabna Institute.
Their long-running cyber espionage campaign began by phishing universities,
then pivoting to corporations and government agencies.
Interestingly, universities in the US seem not particularly concerned about the campaign.
The Chronicle of Higher Education reports that the academy seems blasé about the whole
affair, regarding it apparently as more geopolitics than IP theft, IP theft that might affect spinoffs and so forth.
The alleged leader of the Carbanak financial services hacking gang has been arrested in Spain,
collared in a collaborative effort involving at least five nations.
Europol was in on the bust, as were the FBI, and police in Spain, Belarus, Taiwan, and Romania.
The gentleman's identity has not yet been made public.
He's just being referred to as leader, mastermind, and so forth.
But he'll no doubt receive his day in court, and then we'll all know.
Europol thinks the arrest likely to amount to a decapitation of the gang.
Ukrainian police also arrested one of the gang's principal developers,
a resident of Kiev.
And joining me once again is Daniel Prince.
He's a senior lecturer in cybersecurity at Lancaster University.
Daniel, welcome back.
We wanted to talk today about risk management,
specifically the way that people talk about cybersecurity risks
and the effect that has on the industry.
What can you share with us with this?
So for a very long time, I've been really interested in cybersecurity risk management.
And that really stemmed from a lot of the work that I was doing around teaching this
as part of the master's degree, and then also a lot of the work that I was doing working with companies
and just observing the way that they all had different approaches to not just the risk management systems that they had in place,
but also the kinds of conversations they were having with each other.
And so I just started then wondering,
do we really have a really strong handle on what it means to have a really good cybersecurity risk management approach that is robust for organizations, that really enables positive
outcomes rather than the slightly more defensive conversations that we typically have
in this particular domain?
And so what is your take on that? How are organizations
doing well and falling short when it comes to their risk management?
So I had an opportunity to work with a large, very large organization in the UK as they established
a new approach to cybersecurity within their organization.
They were setting up a brand new organizational structure specifically to deal with cybersecurity.
And what was interesting is around how they actually did that. Unlike a lot of organizations
where the cybersecurity function is rolled into, say, for example, the IT function or a specific risk function,
their information security group was actually separate from all of that,
but sat underneath the chief operating officer
and had the chief information security officer
had the same sort of status as the chief information officer.
And what that really meant was that unlike if, say, for example,
an information security group is part of the IT group,
they could actually have sort of almost separate conversations.
They could have much better advisory conversations
because they weren't then the ones responsible for implementing the security solutions
or marking whether they'd done the security solutions right.
It was a completely separate sort of group within the organization.
And that meant that the business unit owners could have what I perceive to be much more open and free communications with the information security group, because they could come in
and say, well, here are the risks we think you have as part of your day-to-day business.
And this is what we think you should do.
But it's up to you to go away and make sure that you get that implemented as part of your operational risk approach and commission those types of services from the internal security group.
And they were having much more open and frank conversations around risk and what the hazards were to that particular
business unit. And what I perceived was a much more positive response from those business units.
Unlike where you do have oftentimes information security groups as part of the IT group where,
you know, it's really somebody coming in and telling you what you should
be doing, why you're doing it wrong, and then also being responsible for implementing that
solution and then marking it.
So it's a very, very different approach to have that separation, and I believe it to be a
much more positive approach.
And then from that, I started to ask questions around sort of consent within organizations.
When you're trying to inform people about information security challenges, do you actually
have the appropriate levels of consent with the people that you're talking to? And then I started
to pull in ideas around the original concept of policing within the UK. So Sir Robert Peel was the sort of the father of policing in the UK.
He established the first police force. And one of his key tenets of policing was you cannot police
unless you have the consent of the population. I started to ask questions around, do we really
have the organisational structures and the risk management approaches to foster that consent and foster that permission for the information services teams to really be able to support the rest of the organization to deliver very positive security outcomes for the organization?
That's fascinating. So rather than being adversarial, it sounds like this leads toward collaboration.
Yeah, and I think that's one of my big things over the last 15 years
has been that I firmly believe that cybersecurity is a business enabler.
It's not a thing that you have to do to protect your business.
If you do cybersecurity right, it's about being able to drive your organization forward
in a much more positive way.
And so that fits with my overall ethos,
that actually collaborating rather than getting that adversarial approach, which
seems to be a lot of the approaches that are out there at the moment, actually enables you to
drive forward the organization in a positive way rather than it's just a task that you have to do
to kind of meet regulator requirements. Daniel Prince, thanks for joining us.
And that's the Cyber Wire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.