CyberWire Daily - Russian threats and threats to Russia. Cryptojacking wave spreads out from Brazil. Recovering from malware in Alaska and Atlanta. Notes on automotive cybersecurity.

Episode Date: August 3, 2018

In today's podcast we hear that the US Intelligence Community warns of Russian threats, again. A criminal spearphishing campaign hits Russian industrial companies. A cryptojacking wave is installing CoinHive in MikroTik routers. Speakers at the Billington Automotive Cybersecurity Summit stress collaboration, design for security, and the convergence of cyber and safety. Autonomy and connectivity make these imperative for the next generation of vehicles. Municipalities hit by malware feel the pain. Ben Yelin from UMD CHHS on a NYT story on records being seized from a reporter. Guest is David Spark, cohost of the CISO Security Vendor Relationship podcast. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_03.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners. Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. A criminal spearphishing campaign hits Russian industrial companies. A cryptojacking wave is installing CoinHive in MikroTik routers. Speakers at the Billington Automotive Cybersecurity Summit stress collaboration, design for security, and the convergence of cyber and safety. And municipalities hit by malware feel the pain.
Starting point is 00:02:33 From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Friday, August 3rd, 2018. The U.S. intelligence community has reiterated warnings about a clear and present threat of Russian cyber activity directed against both elections and infrastructure. Those same agencies and the White House have pledged what they characterize as a vast government-wide effort to protect the coming midterm elections against foreign interference. General Nakasone, who leads both NSA and U.S. Cyber Command, indicated that both of his organizations will be involved in that effort. Kaspersky Lab reports a criminal campaign against roughly 400 Russian industrial companies. It begins with highly targeted spear phishing designed to induce the victims to install remote administrative tools on their systems.
Starting point is 00:03:20 A large crypto-jacking effort is also underway. Trustwave and Censys.io report that more than 170,000 MikroTik routers are infected with the CoinHive crypto-miner. Ground zero of the campaign appears to be in Brazil, but the infestations are thought to be spreading rapidly. Users of MikroTik routers should look to their systems. The second Billington Automotive Cybersecurity Summit is running today. The two morning keynotes were delivered by Michael Chertoff, CEO of the Chertoff Group and former Secretary of Homeland Security, and GM President Dan Ammann, who expressed optimism about the benefits of connected and autonomous vehicles.
Starting point is 00:04:10 They argued that cybersecurity designed in from the beginning would be essential to securing those benefits, as would effective cooperation across the sector. Chertoff said we shouldn't overlook the implications of connectivity for data privacy, the data being requested of cars and drivers by insurers, for example, could amount to intrusive surveillance. One need look no farther than Facebook to see the possibilities of a serious consumer backlash. He also warned of the potential for terrorist exploitation of weaknesses in connected vehicles. He said, quote, It's not too much of a leap to consider that some small terrorist will decide it's easier to hack a vehicle and control it as a weapon, end quote. He closed with remarks about regulation, which will, he says, be inevitable, and will be better if industry anticipates it with voluntary standards.
Starting point is 00:04:58 When it comes, he argued, it should be based on outcome and effects, and should not involve micromanagement. The Safety Act, designed to encourage investment in competent and capable counter-terror technologies, in his view represents a good legislative model. It might be worth extending this law to the auto industry. GM's direction for the future may be summed up as electrification, connectivity, and autonomy. Ammann framed automotive cybersecurity as an issue that's converged with safety.
Starting point is 00:05:37 It's also, in his view, a sector-wide issue. He said, quote, failure by any one company will be regarded by the public as failure by all, end quote. Thus, cybersecurity must be a matter for cooperation across the industry. In this, he reiterated a long-standing GM theme. The company says it won't treat cybersecurity as an area in which it seeks competitive advantage. Autonomous vehicles are poised to bring huge positive benefits in terms of availability, affordability, and safety. Cybersecurity incidents could halt progress toward those benefits, which means that customers are best served by industry-wide security collaboration. During a break, we were able to speak with Robert Anderson of the Chertoff Group. He said that in his view, most people remained unaware of the advantage attackers enjoy in
Starting point is 00:06:22 cyberspace. This advantage isn't a matter of superior technical capability, he thinks. Rather, it has two principal sources. First, the criminals, hacktivists, and intelligence services that constitute the threat groups don't operate under the sorts of legal or even social restraints legitimate businesses in most parts of the world do. In this, we heard an echo of what we've heard during a morning panel session from Jake Belonsky, Supervisory Special Agent in the FBI's Detroit field office. In the U.S., Belonsky pointed out, you can't go to the FBI or the NSA and say,
Starting point is 00:06:59 we need this widget, go steal it for us. In some other countries, notably China, you can. The other attacker's advantage, Anderson pointed out, was the efficiency of the black market and its success in commodifying attack tools. You don't have to have any particular technical expertise anymore, he said, to mount a damaging cyber attack. The means to do so are readily available in the dark web, and these reasons are why it's so hard to get ahead of the threat. We'll have more coverage of the Billington Automotive Cybersecurity Summit in upcoming issues of the CyberWire Daily News Brief. Two attacks on municipal systems are drawing attention. The smaller is the attack Matanuska
Starting point is 00:07:42 Sositna Borough sustained last week in Alaska. The town has declared that the incident amounts to an official emergency and is taking various measures to contain and remediate its problems, including reversion to typewriters for routine tasks like preparing receipts. The attack included installation of the Emotet Trojan and BitPaymer crypto locker ransomware. Matanuska Susitna is calling it the biggest attack on a U.S. city or town, but Atlanta might dispute the claim. Atlanta's cost to remediate the SamSam ransomware attack it sustained in March
Starting point is 00:08:18 is now estimated at $17 million, according to a confidential document obtained by the Atlantic Journal-Constitution and WBD-TV. The city document indicates that another $11 million will be needed on top of the $6 million already spent on recovery. The Journal-Constitution's lead is direct and damning. Quote, Taxpayers foot bill for years of neglected network security.
Starting point is 00:08:45 End quote. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:09:11 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:09:38 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done
Starting point is 00:10:00 five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
Starting point is 00:10:45 lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. with Black Cloak. Learn more at blackcloak.io. And joining me once again is Ben Yellen. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. Interesting story from the New York Times about the Justice Department seizing the records from a Times reporter, both telephone and email records. Give us the background here. What's going on? This is actually, you know, one of the instances where this is more
Starting point is 00:11:31 of a continuation of an effort made during the Obama administration to really hold reporters accountable for information being leaked to them. And I think it's a major First Amendment concern. Certainly, the groups that are formed for the purpose of protecting media sources are very concerned about this, like Reporters Committee for the Freedom of the Press, those types of groups. What happened here is this Senate intelligence aide, James Wolfe, has been charged in criminal court with lying to investigators about his contacts with certain reporters. And as part of that investigation, the Justice Department has been able to obtain records from the encrypted accounts of some of these reporters.
Starting point is 00:12:16 One of them is actually a New York Times reporter named Allie Watkins. She had previously worked for BuzzFeed and had broken some major stories based on information she got from Mr. Wolf. Now, this is a perfectly legal process in a couple of respects. For one, the Justice Department, while it has guidelines to protect First Amendment rights, also allows for a procedure in which the communications of members of the press can be collected. And that's under what we call Section 2703D of the Stored Communications Act. Sometimes that's shorthanded to a D-search. If you have reason to believe that somebody's electronic, stored electronic communications will aid in a criminal investigation, you can obtain those records via subpoena through the electronic
Starting point is 00:13:05 communications company. And that's exactly what happened here. The Justice Department went to, I think it was Google and maybe one other electronic service provider or internet service provider and was able to obtain those records. Those will be used in the government's case against James Wolfe. It's obviously very problematic. Members of the press want to protect their sources, and they also don't want the government snooping in their information. When the Obama administration took actions to prosecute leaks and obtained the private communications of journalists, they were opening a Pandora's box, especially given that the administration now is certainly more hostile to members of the
Starting point is 00:13:51 mainstream media. It's problematic from a First Amendment perspective. It's problematic from a journalism perspective. If you fear that your communications are going to be submitted to the government as part of an ongoing criminal investigation, you might not chase that very important story angle. It's certainly a matter of great concern. Now, did the Justice Department have to get a warrant here? Did they have to convince a judge? They do not need a warrant in a traditional sense. You do not need probable cause to, you know, go in front of a court and say that a crime is being committed or has been committed in order to simply obtain these electronic messages. The standard is much lower. You just have to prove that you have reasons to believe. So it doesn't have to be, you know, anything above a suspicion that these texts, that these emails are going to be relevant
Starting point is 00:14:45 to an ongoing criminal investigation. That's a very low standard. It's not a high burden for the government to meet. And even outside of the context of journalism, I think that's problematic to people that the government can obtain our stored communications without a traditional warrant. But this is the choice that Congress has made. It has allowed for the government to work directly with communications providers and compel those providers to turn over information based on simply what amounts to a reasonable suspicion. If a layperson asked me what's the biggest concern about the government
Starting point is 00:15:23 collecting my emails or my text messages? I would say that you're vulnerable to searches under Section 2703D of the Stored Communications Act. It's a very, very powerful government tool, a compliance nightmare for a lot of these tech companies because they get so many de-search requests. But that's what the law is. It's been upheld as reasonable by the Supreme Court. It's something that all of us as consumers of electronic media sources have to be concerned about. All right. Ben Yellen, as always, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:16:30 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. My guest today is David Spark. He's the co-host of the CISO Security Vendor Relationship Podcast and owner of Spark Media Solutions, which does content marketing for the tech industry. He joins us to share some of the insights he's gained in the conversations he's had with CISOs,
Starting point is 00:17:01 specifically when it comes to marketing. This really comes from the work that I've been doing with security companies. You know, I own a content marketing agency, and we've been working with tech companies, security, specifically companies for nine years in particular. And inevitably, you know, when you're doing any kind of marketing effort, you ask, so, you know, what's the audience you want to reach? And everyone, and I don't mean few exceptions. I mean, everyone, their answer to that question is CISOs, to which my reaction was,
Starting point is 00:17:34 join the club. And then it dawned on me, if every single one of my clients wants to reach CISOs, then every one of their competitors wants to reach CISOs. And CISOs are probably getting hammered right now. And so what's the situation with the CISOs? I mean, is it a firehose of requests and offers every day? Yeah, I mean, they get sometimes 100 and 200, like just before an event especially, they could get 100 or 200 requests a day. And so they've gotten to the point where they go in shutdown mode. They can't handle it. And there is a mutual dependency between the two groups. They need each other.
Starting point is 00:18:10 That's the vendors and the CISOs. But it's an asymmetrical relationship, meaning that there's thousands of vendors hammering a very small quantity of CISOs. And so they still need the help from the vendors. But the way the engagement is going, it's something they physically can't handle. And so what are some of the mistakes that you see people making when they're trying to engage with CISOs? Well, one of the most classic ones that got a lot of discussion was the 15 minutes of your time request. And this one, oh man, everyone sort of jumped on the bandwagon on this. And I'm sure you've heard this. I'm sure people have said this to you.
Starting point is 00:18:46 And what this really plays or preys on is the goodwill of the person who's receiving it. Please give me this person you don't know 15 minutes of your time. It's not, hey, I'm going to answer all your problems in 15 minutes. It's more pay attention to me for 15 minutes. And there's just so much goodwill a CISO can spread around. And to every single vendor who requests that, it's not much. And the irony is a friend of mine asked me to do that to a CISO, you know, give me an introduction to a CISO. He goes, oh, I just want 15 minutes of the time.
Starting point is 00:19:18 And every time I get that now, I just point them to the article that I wrote about that very subject. I go, I don't think you want to be making that request. And you'll see that the response to it is not positive. One of the articles I saw that you wrote was about, it was called Nine Reasons Why Selling Fear Does Not Work on a CISO. Let's dig into that. What was that about? Selling fear has traditionally been a successful tactic to sell security products, period. It just is. And, you know, people could argue this all they want, but individual companies
Starting point is 00:19:52 could probably come to you and to I and say, look at this. I have evidence that this technique works. So you can tell me to stop selling fear, but I sell more when I sell fear. But the problem is as you go up the chain of command to the people who are dealing with that fear on a daily basis, for a vendor to reintroduce that is A, insulting, and B, realize they don't know who they're dealing with at that time. So it's a high level of frustration. They don't like it and it's just really inappropriate. The one thing that they should really watch out for, and this really gets every CISO annoyed, is when they use that fear tactic to sell over the CISO's head and go straight to CEO. Oh, that drives them crazy.
Starting point is 00:20:48 Really crazy. So they get it down from the top. If they're successful in rattling the CEO, the CISO has to mop up the mess. Exactly. The idea being, this is a person that I have formed a relationship with, and now you're screwing it up by selling them fear. Not only do I not want your product, now I hate you. It's like, don't do that because you're making my life miserable. I mean, my life is difficult enough as a CISO. Now you're really making it difficult. So let's come at it from the other direction. When you talk to CISOs,
Starting point is 00:21:21 how do they want people to approach them? So this is the one thing that we try to really sell on our podcast is that it is not negativity. It is a lot. There's a lot of positivity. Yes, we may say stop doing this. But and we talked about this in the last episode is we try to complement every negative with a positive, like this is what you should do. So the advice that we get a lot of is just talk to us. And I go, well, we just want 15 minutes of your time. He goes, well, CISOs are in public spaces like they're online and every CISO has their space. Sometimes it's not digitally. Sometimes you've got to meet them in person. And yeah, that takes more time. The one thing that we hear repeatedly is getting involved in local events, getting involved in local ISSA chapters and local security events are truly the most popular ways to connect with CISOs.
Starting point is 00:22:13 Are there any absolutely just toxic things that you absolutely should not do when you're trying to kick off this relationship? off this relationship? Well, going back to the selling fear, like the one that sort of set the ball in motion, there was some breach that had come out and he was just waiting for the torrent of emails that would come in that said, hey, you know, had you had our product, this problem never would have happened. And you can't make those claims a lot of times or protect all breaches or detect all breaches. It's kind of an unrealistic claim. So be very, very wary of using the latest attack as a means to instill fear. But there are positive ways to use the latest attack as a, hey, by the way, I know you're aware of this attack. say, hey, by the way, I know you're aware of this attack. You should know that our product does this and kind of leave it at that kind of a thing, but not, you know, where are the solution? Like, we would have stopped this kind of thing. Those claims really infuriate CISOs.
Starting point is 00:23:16 Yeah, it's an interesting perspective. I mean, it seems like the CISO has so many balls in the air all the time to even, you to even grab some of their attention. The thing you must not do is waste their time. Don't waste their time, but don't create unnecessary stress. I think that's what it's all about. All this advice is that they don't need additional stress. They've got plenty as it is. Reduce their stress.
Starting point is 00:23:43 The classic thing is understand my needs, understand that. Everyone's their stress. And, you know, the classic thing is understand my needs, understand that. And everyone's like, well, would you just talk to me? And one of my articles actually goes into how to find out about a CISO's needs when they won't talk to you, because there's actually a lot of public information that you can do a little investigative reporting to actually understand it. And this goes into account-based marketing. And sure, it takes a lot more work. But a lot of these vendors are selling six-, seven-figure products. So it's worth it to do that work.
Starting point is 00:24:14 Yeah, do your homework. All right. Well, David Spark, thanks for joining us. Tell us a little bit about the podcast. What's the best way to find it? Well, the best way to find the podcast is you can either find it on Security Boulevard, or if you just like to listen to it on your phone or whatever podcatching device you use, you can search on the CISO Security Vendor Relationship Podcast. But you may not need to type all that in. I believe if you just type in CISO, it's the number one result.
Starting point is 00:24:39 All right. Great. David Spark, thanks for joining us. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Starting point is 00:25:28 Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare,
Starting point is 00:26:11 and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com Learn more at ai.domo.com. That's ai.domo.com.
