CyberWire Daily - Phishing from the library. Facebook and Cambridge Analytica updates. Bots as propaganda readers. SamSam still plagues Atlanta. Aadhaar leaky? Many nations expel Russian diplomats.
Episode Date: March 27, 2018
In today's podcast, we hear that the Mabna Institute was pretty good at phishing. Facebook's Mark Zuckerberg sends regrets to Westminster. Facebook is under FTC investigation. Cambridge Analytica is in hot water with the FEC. Kaspersky says outing Slingshot was just part of the job. The City of Atlanta is finding it surprisingly hard to recover from SamSam ransomware. Aadhaar may be leaky, again. Bots as Lord Haw-Haws. More than twenty countries expel Russian diplomats. Russian cyber reprisal expected. Justin Harvey from Accenture on cryptocurrency mining. Guest is Steve Piper from CyberEdge with results from their 2018 Cyberthreat Defense Report.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Mabna Institute was pretty good at phishing.
Facebook's Mark Zuckerberg sends regrets to Westminster.
Facebook is under FTC investigation.
Cambridge Analytica is in hot water with the FEC.
Kaspersky says outing Slingshot was just part of the job.
The city of Atlanta is finding it surprisingly hard to recover from SamSam ransomware.
Aadhaar may be leaky again.
Bots as Lord Haw-Haws.
More than 20 countries expel Russian diplomats.
And a Russian cyber reprisal is expected.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Tuesday, March 27, 2018.
Those Iranians the U.S. indicted last week for a variety of cyber crimes were apparently pretty good at phishing.
They got their university victims to swallow phish bait constructed to resemble an anodyne but worrisome message from their university library.
Your account has expired, the message said, and you need to reactivate it.
The message changed little over the four years of the campaign.
Why tinker with success?
It was working nicely. Thank you very much.
Troubles for Facebook and Cambridge Analytica continue amid a growing awareness of the activities of data brokers,
firms that collect, aggregate, and sell data about those of us who use the Internet.
Facebook CEO Zuckerberg has declined a request that he appear before the UK's parliament
to explain what his company has been about.
Instead, he will send what sections of the British press describe as underlings to do the explaining.
Yesterday, the Federal Trade Commission confirmed what had been widely reported last week.
It's investigating Facebook for possible misuse of users' data.
The advocacy group Common Cause has filed a complaint with the Federal Election Commission,
charging Cambridge Analytica, its corporate parent SCL Group Limited,
and several named individuals, including whistleblower Christopher Wylie,
with violations of federal election laws that prohibit foreigners from participating in U.S. political campaigns.
Kaspersky defends its decision to blow the anti-ISIS Slingshot cyber campaign.
It's their job to, quote, take the fish from the water, end quote.
They don't care what language said fish speaks. They have to catch it.
Critics say the report on Slingshot not only compromised a useful U.S. Joint Special Operations
Command collection effort against ISIS terrorist cells, but it may also have put lives at risk.
Atlanta's SamSam ransomware infestation seems unusually resistant to remediation.
Estimates now suggest it will take the city months to recover, but Atlanta's city mothers and fathers are being tight-lipped about the details.
The criminals have taken down their contact portal as they've received increased scrutiny
and gotten tired, evidently, of answering questions.
Assurances by responsible authorities to the contrary, India's Aadhaar national identification database may have been compromised again.
ZDNet reports that security researchers are telling the news service that the database is leaking personal information.
The ruling Janata Party calls such reports fake news, but ZDNet and others say no, there's really still a problem here.
British Defense Secretary Gavin Williamson calls Russian bots the Lord Haw-Haws of the 21st century.
He's alluding to William Joyce, the British traitor who broadcast for Nazi Germany during the Second World War.
Joyce was captured soon after VE Day and hanged for treason in 1946.
If Secretary Williamson is right, then okay.
Lord Haw-Haw had about the same level of influence in Britain that Tokyo Rose had in the U.S.
But in other respects, the comparison may be wayward.
Lord Haw-Haw always began his broadcast by saying, Germany calling, Germany calling, Germany calling.
The Russian trolls are less overt.
But Williamson's shot may have hit home anyway.
Russia Today is outraged by the comparison.
Security firm CyberEdge Group recently published the fifth edition of their annual Cyber Threat Defense Report,
setting out to take a vendor-agnostic look at cybersecurity challenges.
Steve Piper is CEO and co-founder of CyberEdge Group, and he joins us with the highlights.
This was a web-based survey conducted in November 2017, a 27-question survey to be specific.
And we surveyed 1,200 security professionals, and each security professional worked for an organization with a minimum of 500 employees.
But we have respondents from smaller organizations like that, up to multinational Fortune 100 enterprises and everything in between.
These respondents came from 17 countries and 19 industries. So it's very much a geographically dispersed survey.
Take us through some of the key findings of the report.
Let me give you the top three takeaways from this year.
And again, this is our fifth annual report.
I'm going to start out with some good news.
I'm an optimistic guy, glass-half-full type of guy.
So the good news that I want to share is for the first time in our report history, we saw a decline in successful cyber attacks.
So we asked the respondents, was your organization successfully attacked by a cyber threat last year?
And last year, 79.2% said yes.
This year, that dropped two points to 77.2.
The last four years, it's risen every year.
So I know a 2% drop, I'm not dancing in the streets, but a drop is better than an increase. So I'm going to take what I can get.
Ransomware obviously is still very much in the news.
And what we learned is that of those ransomware victims that actually paid the ransom, only half of them got their data back, got it unencrypted.
So that's kind of a discouraging statistic.
Overall, 55% of organizations that participated in our survey were victimized by ransomware last year.
So it's kind of like flipping a coin twice.
Flip a coin once to see if you're likely to be victimized by ransomware.
And then if you decide to pay the ransom, pony up the bucks for some Bitcoin, well then flip the coin again to see if you're likely to get your data back.
And then the third takeaway from this year's study is the growing concern of the shortage of skilled IT security personnel.
This has been a problem for years. Each year we ask a question. This is my favorite question from the survey:
on a scale of one to five, with five being highest, rate how each of the following inhibits your organization from adequately defending itself.
So in other words, what's standing in the way of cybersecurity professionals succeeding in defending their networks from attacks?
Well, the number one response for the past few years has been low security awareness among employees, lack of investment in the human firewall, as I put it.
But this year, for the first time, we have a new inhibitor, lack of skilled personnel.
And so this is on a lot of organizations' minds.
When we asked this question five years ago, lack of skilled personnel was in fifth place,
then the next year in fourth place, then third, then second, and this year in first.
So it's a growing problem affecting all organizations.
That's Steve Piper from CyberEdge. You can find their 2018 Cyber Threat Defense Report on their website.
The British anti-doping organization sustained a cyber attack over the weekend, and suspicion turns to Fancy Bear. That is, if you're just joining us, of course, Russia's GRU.
UK Anti-Doping confirmed yesterday that it had stopped an attack by unknown hackers over the weekend.
The attackers were evidently after test and personal information about athletes.
While Fancy Bear is the animal of interest in this matter, this seems probably to be just Fancy's normal business,
another manifestation of Russia's long-standing grudge against clean athletes,
rather than blowback from Her Majesty's Government's ongoing work to rally the civilized world against the Salisbury incident.
Such blowback is widely expected.
Twenty-two countries have now taken action against Russia in solidarity with the UK over the nerve agent attack in Salisbury.
182 Russian nationals are affected, most of them diplomats declared persona non grata.
Lithuania is the outlier here. In addition to expelling diplomats, they told 21 other Russian nationals to get out and banned a further 23 from entering the country.
The 60 the U.S. has told to leave include 48 from the Russian embassy in Washington and 18 from Russia's U.N. delegation in New York.
The U.S. says they're all engaged in espionage.
Washington has also ordered the Russian consulate in Seattle closed.
Officials describe that closure as based on Seattle's proximity to the major U.S. Navy submarine base on the Kitsap Peninsula and the big Boeing facilities around Puget Sound.
This is the second consulate the U.S. has ordered shuttered in less than a year.
In August, the administration told Russia to close its San Francisco consulate.
That move was in response to Russia's order that the U.S. cut its own diplomatic staff in Russia.
As is being widely noted, Russian retaliation in the form of a cyber attack is generally expected.
Attacks on electrical power grids are particular matters of concern, but for now Russia's response is likely to be a tit-for-tat expulsion of diplomats.
Moscow is crowdsourcing its response, asking people to recommend which consulates and missions they should shut down.
And joining me once again is Justin Harvey.
He's the Global Incident Response Leader at Accenture.
Justin, welcome back.
Obviously, hot in the news these days is cryptocurrency mining.
And you want to make the point that this is a big deal and it's something we need to take seriously.
Yes, from a cyber defense perspective, this is a new type of threat. Well, I guess it's not a new type of threat.
There are still cryptocurrency mining malware variants that we're seeing out there. They're not doing anything new.
What we're seeing is the usage of, or the end goal of, this cryptocurrency mining malware is what's startling.
And that is, with the proliferation of cryptocurrency, it seems like it's a gold rush.
There are multiple types of cryptocurrencies out there. There's Bitcoin, there's Ethereum, there is Monero, and everyone wants to cash in on this. What you're finding,
though, is that for the average home user or the hobbyist or the person who feels like, oh,
I'm going to devote my computing power to this, my two or three machines, is that it is not enough
because the cryptographic algorithms are getting harder and harder to crunch.
So you need more and more CPU and more power.
The more enterprising people are thinking,
okay, well, I could get that CPU power in order to essentially print my cryptocurrency.
I could go to the cloud. I could go to rent servers.
But what's happening is that still requires electricity and hardware costs.
So it's really being transitioned to cyber criminals who are thinking, well, let's see.
We have malware.
We have the means to distribute it.
And the total addressable market is every machine out there.
So let's write malware, get it onto people's machines, and start to, without their knowledge, let's start mining this cryptocurrency.
And that way they're able to get the scale and to get the money they need without actually paying for any of the CPU or for the electricity.
Yeah, and you know, I think you and I have talked about this before, you know, from an IoT point of view, when we were talking about DDoS with things like video cameras, you know, using excess computing power and something like a connected video camera.
I suppose some people could say, well, if my video camera is still doing its video camera job, why should I care if it's using its extra processor cycles to mine Bitcoin for someone? It's still doing what I need it to do.
Great point.
And in fact, we were just part of a large-scale investigation where there was a cryptocurrency mining malware that was also self-propagating,
meaning it would infect its neighbors.
And on top of that, it was fileless and PowerShell-based.
So it was very difficult to detect and to stop.
Everyone should be concerned for two reasons.
Number one is it's taking CPU and power away from the device and therefore away from you.
So in your example, if your camera is still doing its work, it's still driving up the CPU and the fan and costing you more money.
And there's also a possibility that due to the CPU limitations of that IoT device or your laptop or your notebook or your server, for instance, it could actually be denying you service by not allowing you to complete things on time or even completing them at all, because your CPU is 100% busy.
The second reason that people should pay notice to this is that
you have to wonder how it actually got on there. And what cyber criminals are doing here is that they are essentially sourcing their total addressable market by looking at Shodan.
Shodan gives them a list of millions of IP addresses and services that are available out there.
They're writing their own code to go scan all those IP addresses and look for vulnerabilities.
And then they're implanting, instead of malware to spy on you or malware to steal data,
they're essentially putting in their cryptocurrency mining.
So as I always say, where there's smoke, there's fire, which means if your organization is cryptocurrency mining, you might not think it's a big deal, but it is a big deal because they're stealing from you, your CPU and your power, and there's a way it got in there.
So maybe if cryptocurrency mining cyber criminals can find that hole, maybe other adversaries can find that hole or they found it already.
Justin Harvey, thanks for joining us.
Thank you.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.