CyberWire Daily - Risk mitigation scores some wins this week. Amazon finds the typo that took out the Internet. Symantec gets into the VC game. Yahoo! agonistes. Wassenaar's prospects. PRC wants cyber peace. And farewell to Howard Schmidt.
Episode Date: March 3, 2017
In today's podcast, we review some encouraging news about Android apps, Cloudbleed, and Slack's swift bug patching. Amazon finds a typo at the root of Wednesday's internet outages. Symantec opens a venture arm. Yahoo! breach post mortems continue. Decryption tools for Dharma ransomware are out. Prospects look dim, again, for Wassenaar. China calls for the demilitarization of cyberspace. Terbium's Emily Wilson surveys the Dark Web scene during tax season. MasterCard's Melanie Gluck takes us behind the scenes of credit card security. And the security sector bids farewell to Howard Schmidt, leader, advisor, and mentor.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
Encouraging news about Android apps,
Cloudbleed, and Slack's swift bug patching.
Amazon finds a typo at the root of Wednesday's Internet outages.
Symantec opens a venture arm.
Yahoo breach postmortems continue.
Decryption tools for Dharma ransomware are out.
Prospects look dim again for Wassenaar.
China calls for the demilitarization of cyberspace.
My discussion with Melanie Gluck from MasterCard
on the behind-the-scenes security systems that protect credit cards.
And the security sector bids farewell to Howard Schmidt, leader, advisor, and mentor.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, March 3, 2017.
There's some welcome good news about vulnerabilities and risk mitigation today.
First, Google has removed 132 Android apps from the Play Store.
The bad apps contain hidden iframes that link to malicious domains,
and while it's good they've now been purged,
it seems those apps weren't in much position to do damage anyway.
Poland's CERT had
sinkholed the malicious domains back in 2013. So bravo Google, but bravissimo CERT Polska.
The Cloudbleed bullet also seems to have been dodged, despite the initial angst with which
news of the bug was received. Cloudflare says after investigation that the vulnerability was
triggered 1.2 million times,
but that they found no evidence of malicious exploitation.
Cloudbleed had the potential to do a great deal of damage, so this is welcome news.
Cloudflare is taking steps to check its code.
The company has engaged Veracode to perform a third-party audit of Cloudflare's software.
Cloudflare's investigation was conducted over 12 days and
concluded that there's no evidence that passwords, paycard information, or other sensitive data was
compromised, as had been widely feared. Industry reaction to Cloudflare's report seems mixed but
generally positive and relieved, and so we're content to call this one a dodged bullet.
And Slack is getting unmixed good reviews for their swift patching of a vulnerability,
another potentially serious one, that exposed user tokens to compromise.
They responded to the report in about half an hour and had a fix out in five hours.
A Detectify researcher reported the vulnerability under Slack's bug bounty
and has received $3,000 for his work.
Slack credits the bug bounty program with helping to keep its business collaboration tools safe and secure.
Had Slack not closed the vulnerability so quickly, a great deal of sensitive and casual chat could
have been compromised. And in electronic business communication, remember, the casual is always the sensitive. If you don't believe us, ask Sony.
Amazon has identified the cause of the S3 server outage that rendered large swaths of the Internet unavailable Wednesday.
It turns out to have been a command entry error during debugging.
An operator, whom Amazon takes care to identify as an authorized operator
(this was no hack by either an inside or outside threat),
intended to remove some capacity temporarily, which is a routine practice.
Unfortunately, a typo caused the command to remove far too much capacity,
as so many users in North America saw to their chagrin.
Amazon is working on procedures to prevent a recurrence.
In industry news, Symantec has opened a venture arm. It's been given the helpfully obvious name
Symantec Ventures and is expected to serve as a kind of M&A on-ramp for its parent company.
Yahoo's exit by sell-off to Verizon is concluding with whimpers as opposed to what could have been
pleasing bangs.
The Yahoo board's investigation of the company's breaches is finding fault and imposing costs on executives.
In a gesture of responsibility, CEO Mayer has asked the board that her bonuses be distributed among employees.
Those bonuses are thought to be worth about $16 million in cash and equity grants,
which curiously is about what Yahoo believes it's spent so far in legal fees and the cost of investigation.
Returning to good news, if you were among those afflicted by the Dharma strain of ransomware,
ESET and Kaspersky have verified that decryption tools posted by independent researchers are in fact good.
You can find those tools and other helpful material at nomoreransom.org.
The controversial Wassenaar cyber arms control regime's future looks shaky.
Many in the security industry have been concerned that it would criminalize innocent,
indeed essential, vulnerability research and inhibit beneficial trade in legitimate security products.
The current U.S. administration is thought to be cool at best toward Wassenaar, but in
fairness, its predecessor was also pretty double-minded on the accord itself, having
put forward and then revoked implementation plans.
China warns of the dangers of cyber conflict.
The Chinese Ministry of Foreign Affairs piously notes the interconnection of interests we see in cyberspace
and expresses hope that nations will be led by enlightened self-interest
to forego the grand illusions of cyber-military supremacy and victory in cyber conflict,
concentrating instead on administering this new global commons for the common good.
Perhaps the People's Republic will convene an international conference
devoted to ways of building confidence and making cyber war unthinkable.
Perhaps those new artificial islands in the South China Sea
could provide a venue for such negotiation.
Finally, we end today on a serious note
as we mark the passing of industry leader Howard Schmidt,
who died this week at his home.
Schmidt had not only been a CSO at Microsoft and a CISO at eBay,
but he also served as an advisor to both President George W. Bush and President Barack Obama.
He led industry groups, wrote influential works on cybersecurity,
and perhaps most important of all, served as a thoughtful, loyal mentor to a generation of security professionals.
Our condolences to his family and friends as the industry remembers a life well lived.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for a thousand dollars off.
Expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold
to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel,
Nightbitch is a thought-provoking and wickedly humorous film
from Searchlight Pictures.
Stream Nightbitch January 24 only on Disney+.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
Joining me once again is Emily Wilson.
She's the Director of Analysis for Terbium Labs.
Emily, welcome back.
Tax season is looming large ahead of us here, sooner than later.
And in terms of the dark web, that means that certain types of data start showing up.
Yeah, definitely.
And glad to be back.
It is definitely tax season.
I don't know about you, but I've been trying to find a few receipts.
So, yeah, no, some information does become more popular around tax season.
You know, certain things, people aren't really trying to buy W-2s the other part of the year.
This is now definitely when the marketing is more interesting.
In addition to the W-2s that go up for sale, though, some of the data that's around the rest of the year is also really useful. You know, we see W-2s. I know of at least one vendor who's
selling EINs, these employer identification numbers. You think about the state driver's
license databases that are up for sale. That kind of information is definitely helpful.
But the things that I find interesting are there are kind of children's social security numbers up for sale on some of these markets. And when you think about what you're going to use that for,
I mean, really, you're going to claim dependents, right? So somebody else may be claiming your kids.
Now, what's the relative value of this sort of data compared to something like a credit card number?
I think it depends on how much work you're willing to put into it. A credit card number is going to be a little bit easier to process. I think the labor intensiveness of pulling off
tax fraud, you need to place your bets pretty carefully. And we've certainly seen, you know,
the IRS has said over and over and over again that this is a problem. People, you know, stealing W-2s is a problem.
Filing fraudulent claims is a problem. But it seems like the IRS sort of has waffled back
and forth sometimes about how secure the system is or not. Yeah, I mean, I think the IRS is facing
its own issues, having its own system secure to say nothing of what they're going to do when people are using
stolen or fraudulent data on their returns, right? You know, last year was not a very good year for
the IRS in terms of keeping their own system safe. So has this kind of fraud, you know,
reached the point where it's the type of thing that you can buy as a service yet? Or is it still,
you're pretty much on your own, you know, rolling your own when it comes to this kind of fraud?
That's a good question. I personally haven't seen any vendors offering up kind of fraudulent tax
returns as part of a dark web service. But I don't know, ask your accountant if they accept Bitcoin.
All right. Emily Wilson, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
My guest today is Melanie Gluck. She's a vice president at MasterCard,
responsible for EMV and contactless technology in North America. We began our conversation
with the credit card
industry's move to chip and PIN cards, or EMVs. The goal behind driving chip into the market,
or EMV is another name for chip cards, is to actually do basically an upgrade of the payment system and start to deliver dynamic, different information with every transaction.
So where the magnetic stripe that we're also used to swiping, when that is issued, it's issued and it's static and it doesn't change.
So it's kind of like the old record albums, whether it's a 6 or 12 inch or whatever.
Those things got programmed and you bought one
and it was the same song over and over and never changed. The mag stripe card was very much the
same way. The same information is on that stripe. There's a real opportunity to combat counterfeit
fraud by making each transaction unique and mag stripe cards can't do that. A chip card, however,
has a piece of hardware on it, which is actually a microprocessing chip. When you layer that with
payment software, you then have the ability to actually make each transaction unique by delivering,
for layman's terms, dynamic data, or more accurately, a digital certificate or cryptogram with every transaction.
There are about 2.7 million locations that are chip active today, which represents about 40% of merchants.
And that number will continue to grow nicely throughout 2017 and beyond.
Can you take us behind the scenes of some of the things that go on to protect our credit cards? I
know, for example, every now and then you'll get a call from your credit card company that says,
hey, we just got an alert that you were trying to buy something in Yugoslavia, and we don't actually think you're there.
It's a great question, and what you're speaking to or asking about really talks about the multiple layers of approaches and tools that can be used to combat fraud and do risk management in the financial industry.
So the card and this chip is definitely an important piece of fraud protection. But there are very sophisticated algorithms and monitoring that
banks and indeed merchants and acquirers do throughout the ecosystem to pay a lot of
attention to what trends they see. Sometimes it's about you and your spending patterns.
Sometimes it's about other broader trends. Are we seeing a lot of small transactions? Are we seeing a lot of, I'll make
things up, green transactions or whatever have you that they stay very attuned to and pay a lot
of attention and build history so they can do modeling and get very nuanced in terms of
recognizing when there are possibly
troublesome transactions happening. When we started talking about those chip cards,
I described them as a piece of hardware with some payment software sitting on top of them,
and the software and the hardware interact together, allowing the generation of the data
for the payment transaction, as well as this digital certificate, this dynamic
information. One of the really important ideas in that is that if you have software sitting on a
piece of hardware, it happens to be on a chip card today, but you can start to really envision how,
well, that piece of hardware doesn't necessarily need to be on that chip card. Perhaps it can be on something else. So when MasterCard looked at rolling EMV out or chip
cards out into the U.S., it was very important to us to think about not just the plastic card,
but the digital environment. What's going to happen with your smartphone? What's going to happen with your
computer or your tablet or your fitness band or your potentially jewelry? There are many other
ways of doing payments that involve other kinds of, I'm going to do sort of air quotes, devices.
People didn't used to think of rings as possibly payment technology, but we've actually been able to leverage that
software in the chip and put it into other things that started most prevalently with smartphones.
As you look at the variety of mobile wallets that are available from Masterpass, that is MasterCard's
mobile wallet, to Apple Pay, Samsung Pay, Android Pay, Microsoft Wallet, and others,
on to moving away from the smartphone, but to a fitness band or a piece of jewelry
that allows you to tap your finger as you go through a turnstile, for instance,
and not pull out either a card or a mobile phone. But again, you come back to needing that software and that chip and placing
them in something. And that's part of the picture. The other part of the picture is really thinking
about what is the payment information that is on that device or on that chip? Can we actually
go a step further and protect the card number by using a substitute value or what we call a token?
So tokenization is something you'll hear a lot about in the payments ecosystem today
because it offers a way to put payment credentials onto a smartphone or that ring, fitness band, etc.
have it related to the original card,
but not have that card number placed in any more locations.
So if I lose my smartphone, I don't have to replace my card.
I can get a new smartphone and put a new token onto that smartphone, and my card is still in my hand.
Alternatively, if by chance I was unfortunate and lost the card,
that token on the phone or the ring or the fitness band can stay in my hands
and I can still be transacting while I am getting my new card
because we can map it on the back end and keep that consumer able to transact
and continue about their day-to-day lives
with as little disruption as possible.
That's Melanie Gluck from MasterCard.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.