CyberWire Daily - Presidential Commission on Cybersecurity offers its recommendations to the next President. Russia says its financial system is under cyber threat. Cybercrime notes, and a scorecard.

Episode Date: December 5, 2016

In today's podcast, we hear what the US Presidential Commission on Cybersecurity recommended in its long-anticipated report. Russia's FSB says today's the day foreign intelligence services are going to try to disrupt the Russian financial system. Ransomware author Pornpoker gets collared. Distributed guessing attacks might have been made against Tesco. Gooligan's business model is mostly advertising and garbage apps. Markus Rauschecker from University of MD's Center for Health and Homeland Security ponders IoT liability. Tenable's Global Cybersecurity Assurance Report Card tells the globe it's got room for improvement.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Starting point is 00:01:56 The U.S. Presidential Commission on Cybersecurity released its long-anticipated report late Friday. Russia's FSB says today's the day foreign intelligence services are going to try to disrupt the Russian financial system. Ransomware author PornPoker gets collared. Distributed guessing attacks
Starting point is 00:02:13 might have been made against Tesco. Gooligan's business model is mostly advertising and garbage apps. And Tenable's Global Cybersecurity Assurance report card tells the globe it's got room for improvement. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, December 5, 2016. The U.S. Presidential Commission on Cybersecurity reported Friday.
Starting point is 00:02:46 The long-expected report offers six imperatives yielding 16 recommendations and 53 action items. The recommendations and action items will, perforce, be left to the incoming administration. The report strongly emphasizes resilience. Its six imperatives, which the commissioners take to be essential to U.S. security and prosperity in cyberspace, include, first, protect, defend, and secure today's information infrastructure and digital networks. The recommendations associated with this imperative stress the importance of public-private collaboration, especially with respect to securing cyber-physical infrastructure, improving identity management, and building on the success of the NIST cybersecurity framework.
Starting point is 00:03:25 Second, innovate and accelerate investment for the security and growth of digital networks and the digital economy. Here, the emphasis is on securing the Internet of Things and on research and development of usable, affordable, inherently secure, defensible, and resilient, recoverable systems. The third imperative, prepare consumers to thrive in a digital age, calls upon IT and communication industry leaders to work with both consumer organizations and the Federal Trade Commission to help consumers make informed decisions about buying and using connected devices and services. There's also an emphasis on research into understanding how humans
Starting point is 00:04:03 interact with connected systems. Fourth, and this one will be especially familiar, build cybersecurity workforce capabilities. Here the commissioners recommend moving on both labor and technology. They also urge the federal government to accelerate its technology refresh cycle, to move from requirements management to enterprise risk management, and to improve engagement with the executive office of the president. The fifth imperative is the inside baseball one. Better equip government to function effectively and securely in the digital age. This calls for clarity in agency cyber roles and missions.
Starting point is 00:04:39 Finally, ensure an open, fair, competitive, and secure global digital economy. This enjoins the incoming administration to engage the international community to develop cybersecurity law and global norms of behavior. The Cyber Wire received reactions to the report from Ray Rothrock, CEO of cybersecurity analytics shop Red Seal, who not surprisingly liked the emphasis on resilience. Quote, Resilience looks inside the network at the various components and connections. That's where the bad guys are lurking and probing for vulnerabilities.
Starting point is 00:05:13 End quote. He thinks that where the attackers enjoy an advantage, as seems to be the case in cyberspace, resilience has to be seen as the responsibility of any organization's highest levels. Rothrock would carry this relatively far, elevating it to a board-level responsibility. Elsewhere in the world, Russia's FSB claimed Friday that it had foiled a plot by Foreign Special Services to disrupt Russia's financial sector with a mix of hacking and disinformation aimed at fueling speculative panic. D-Day for the operation was supposed to have been today, but as far as we can tell, it hasn't yet materialized.
Starting point is 00:05:50 Russia's FSB, the successor to the Cold War's KGB, has apparently been given the lead in defending the banks. They are coordinating defenses with various financial stakeholders. The Russian government says the operation was to have been launched through the Ukrainian ISP Blazing Fast servers in the Netherlands. Blazing Fast says, in effect, you got me, it hasn't seen any signs of an attack being staged through its systems. Blazing Fast does add that it wants everyone to know it's happy to cooperate with any legitimate law enforcement authority, but that it doubts the FSB really needs any help. Russia hasn't said which foreign special services, as they call them, are prepping the attack, but it's pretty clear they're scowling in America's direction, and especially in the
Starting point is 00:06:34 direction of that Kremlin bête noire, Vice President Biden, who said the U.S. would take action at a time of its own choosing against attempted Russian interference with U.S. elections, the U.S. intelligence community said it discerned. That such concerns aren't entirely idle may have been demonstrated Friday, when the Russian Central Bank reported that cybercriminals got away with 2 billion rubles, about $31 million, in attacks on corresponding accounts. The bank thinks the crooks may have been after up to 5 billion rubles. The Cyber Wire heard this afternoon from security firm Plixer's director of IT and services,
Starting point is 00:07:12 Thomas Poore, who noted social media and SMS mass messaging that coincided with the theft. Quote, SMS messages have a 98% open rate, with 90% being read within three seconds. That type of inbound attention already attracts digital marketers, so it's not surprising that someone would want to market chaos as well. But we must note that cybercrime and market manipulation aren't the exclusive or even typical province of hostile intelligence services. We also heard from Group IB, who point out that some stories on the bank fraud were misleading.
Starting point is 00:07:46 The total given was a total for attacks over the course of 2016, not a single crime spree. And Group IB would know. They're over there in Moscow. They think some of the English-language news services may have been misled by a translation error. Russian authorities did secure a win over the weekend. They arrested malware author PornPoker. No other name was given for the gentleman. Mr. Poker was attempting to re-enter Russia from his Thailand hideout. The police were waiting for him at Domodedovo airport.
Starting point is 00:08:18 Elsewhere in the world of what's clearly unambiguously cybercrime, British researchers demonstrate a distributed guessing method that could enable criminals to determine security details on visa cards, expiration date, and three-digit security code. Observers speculate the technique might have been used in the Tesco bank attacks. And Gooligan, the rapidly spreading Android malware strain reported last week, apparently uses a business model that generates revenue from ads and garbage apps. And finally, cybersecurity company Tenable this morning released its annual Global Cybersecurity Assurance Report Card. We'll get insights from Tenable's Chris Thomas on tomorrow's show, but in the meantime, the commentary in the report warns
Starting point is 00:09:01 of the risk of emerging technologies and the overwhelming threat environment, by which it means the relative advantage attackers enjoy over defenders. Since they're publishing a report card, Tenable naturally offers grades. And unfortunately, no one's making the Dean's List. The GPA for the countries surveyed comes in at a 1.6. India scores highest with a solid B. Japan gets an F. The United States? A gentlemanly C+.
Starting point is 00:09:28 The average is even worse when they look across seven sectors, just 1.6. Retail leads with a C. Financial services, manufacturing, and telecommunications get a C-. Healthcare, education, and government pull in, alas, an unsurprising D. So, since we're all being advised to avoid the FUD and look on the sunny side, the grades are good news, we guess. Maybe if you're Bart Simpson. Ms. Krabappel, call your office.
Starting point is 00:10:00 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:10:37 They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Thank you. ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:11:56 And I'm pleased to be joined once again by Markus Rauschecker. He's the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security. Markus, we've been seeing these huge botnet attacks, and they've been making the use of ordinary devices, DVRs, cameras, and things like that. There's an interesting question that comes up with all this is, who's responsible when, if my DVR or my camera is part of an attack, do I have any responsibility for that? That's a good question. And it's a question that we're unfortunately asking more and more these days. We have seen massive denial of service attacks recently. So the question is, who's ultimately responsible for these kinds of attacks? Well, I would say first and foremost, of course, the hackers who are actually doing the attack. But it's oftentimes very difficult to get at those
Starting point is 00:12:45 hackers. They might be located abroad. It might be hard to actually attribute the attack to any particular person or organizations. So the next question is, what else can be done to protect from these kinds of attacks? And do consumers or the manufacturers of devices that are being used in these kinds of attacks, do they share some sort of responsibility in all of this? And I think there's really two ways of looking at this. I think on the one hand, manufacturers do have some degree of responsibility to make sure that the devices that they're selling have security measures put in place into the devices. Security should be built into these devices. Unfortunately,
Starting point is 00:13:26 more often than not, security is an afterthought when it comes to building these devices or developing these devices. And manufacturers don't really have an incentive to really put into these devices any kind of security measures or very robust security measures. And then consumers who are buying these devices, they really don't really have a full understanding of what the risks are, or at least for the most part, generally speaking, don't have the understanding of what kind of risk an Internet of Things device could pose to the larger networks around them. I think it's a little bit unfair, perhaps, to ask a regular consumer to institute security measures for the devices that they're purchasing and that they're using at home. But I think you could have
Starting point is 00:14:13 more of an educational campaign for consumers so that they would know a little more about the risks that are associated with Internet of Things devices, and to tell consumers a little bit about what they could be doing to ensure greater security for those devices. Markus Rauschecker, thanks for joining us. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
Starting point is 00:15:11 over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
