CyberWire Daily - Stolen Paradise Papers aren't making people or companies look good. Off-year election security. Trollhunting. Notes on the future of cyber conflict from CyCon 2017.
Episode Date: November 7, 2017. In today's podcast we hear more on the Paradise Papers, where the optics are looking more Inferno than Paradiso. Off-year elections in the US are on today amid general concerns about, well, somebody doing something to them. Trollhunting sometimes brings down the wrong targets. Notes on the future of cyber conflict from CyCon 2017. The Internet's co-inventor says it's time to hold coders accountable for buggy software. Emily Wilson from Terbium Labs with thoughts from a conference in the Netherlands. Wesley Simpson from (ISC)2 making the case that security is a people problem. And Facebook will keep your naughty selfies off the Internet. Really—just upload them to the right place.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
More on the Paradise Papers, where the optics are looking more inferno than paradiso.
Off-year elections in the U.S. are on today amid general concerns about, well,
somebody doing something to them. Troll hunting sometimes brings down the wrong targets. Notes on
the future of cyber conflict from CyCon 2017. The Internet's co-inventor says it's time to hold
coders accountable for buggy software. And Facebook will keep your naughty selfies off the Internet.
Promise?
Promise.
I'm Dave Bittner with your CyberWire summary for Tuesday, November 7, 2017.
As journalists and others continue to sift through the Paradise Papers,
the large trove of documents stolen and leaked from Appleby,
a Bermuda law firm serving high-net-worth individuals and various corporations,
the optics aren't good.
It's unclear whether any laws were broken, except by the unknown parties who obtained the leaked documents by unknown means.
But the appearance of widespread tax avoidance by offshoring wealth is an unpleasant one.
Much comment is drawn by the appearance of prominent public figures, the British royal family, the Canadian prime minister, various British politicians and Russian oligarchs,
U.S. political figures who evidently had to do with Russian oligarchs, and so on. Apple is among
the corporations mentioned in the leaks, and Apple says that its own use of various instruments
available in the Channel Islands was not intended to avoid paying, for example, Irish taxes,
but was in fact an effort to ensure that tax revenues properly went to the United States.
It's election day in most U.S. states.
These are relatively minor elections compared even to the midterm elections that will be held next year,
still more so in comparison to the quadrennial
presidential elections.
But these elections do have effects, and they're also the first regular elections to be held
in the U.S. since widespread concerns about foreign meddling surfaced in 2016.
So state and local election authorities are keeping an eye out for finagling this week.
Manipulation of vote totals and election outcomes is a much-feared potential threat,
but one that seems not to have materialized so far.
Influence operations, on the other hand, have proven more than just a theoretical possibility.
It's generally regarded as beyond question that Russian intelligence services
have worked hard to sow doubt and mistrust around Western institutions, elections in particular.
Thus, social media providers, especially Facebook and Twitter, have been under public pressure to
do something about the use of their platforms for influence operations. The difficulties of
screening for obnoxious opinion have become well known. It's not only extremely labor-intensive
and therefore expensive, but it's also subjective, has difficulty
handling intentionality, and has also put free speech advocates' backs up. Troll hunting, on the
other hand, especially when the trolls are sock puppets, catfish, or other fictitious personas,
has seemed more promising. One Russian troll, a fictitious person known on social media as
Jenna Abrams, had around 70,000 followers and a couple thousand friends,
and Jenna Abrams was being used to advance Russian government aims.
There are a lot more like Jenna out there.
And a number of real and innocent people have been booted from social media
because the provider's algorithms or screeners mistook them for trolls or catfish.
Some of those people have had their accounts restored,
but others are still working their way back into the good graces of Menlo Park and San Francisco.
Everybody looks towards, you know, a few folks within the organization to fix everything,
you know, to really be that savior against some of these nefarious activities.
And so really all eyes come on the security teams and the IT teams.
But unfortunately, you know, the majority of these issues, the internal breaches, you know, come from the employees.
That's Wesley Simpson, chief operating officer at (ISC)2.
He maintains that cybersecurity isn't so much a technical problem as it is a people problem.
And most of those are, you know, accidental. They're not doing it on purpose.
They're either sending information external to the company,
exposing some of their data or PII information unknowingly,
or they're just clicking on links. It all just comes down to the basics and some simple education
about how employees should and should not act,
whether they're in the workplace or at home.
And so what are your recommendations for how companies can spread a company-wide culture
of good cybersecurity?
One of the things we really try to promote is to build in that enterprise mindset of
having a cyber culture.
And it really needs to be part of the daily lexicon within an organization.
And it shouldn't only be spoken in
the security teams or the IT teams. It really should be part of all teams in all departments,
even so far as being a regular agenda item on staff meetings. It's not a one and done. You
can't just roll out your annual security awareness training and then check that box and say, we're done. This needs to be continual. It needs to happen, you know, throughout the year.
It needs to be something that you can track, something that you can measure and be transparent
about it. You know, show the employees how they're doing, show them what they did good and show them
what they did wrong and show them how to correct it. So you've really got to embrace the entire population of an organization. And every organization really needs to become
a security organization. And that's really getting down to the basics and working with
every individual and every team about making that tie on how they really contribute to creating
that cyber culture. Do you have any recommendations for how to put effective incentives in place?
I hear a lot of people say that, you know, my bonus is not based on how I do with my
cybersecurity.
Yeah.
Yeah.
So what you're getting at is really at the crux to make this thing successful in the
organization.
People work on and people march towards those things that they're measured against.
And it's usually typically their goals at the end of the year. And that usually has
to do with some type of financial reward, a merit or bonus, depending on how well they performed
against those goals. So in order to change those types of behaviors and align those behaviors
against the culture that you want, which is an improved security cyber mindset,
you've got to create goals at the company level around cybersecurity
on what are some specific improvements and targets
that you guys want to have as an organization.
And being able to push those out down to every single employee
to help align those behaviors, to move the organization together
down that path that you want to be able to accomplish.
You know, I think about, you see at manufacturing organizations, they'll have a sign out on the
shop floor that says, you know, it's been X number of days since we've had an accident here
in the shop. Do we need those sort of signs in the break room that says it's been X number of
days since we've had a cyber breach?
You know, I'm not going to say that's off the table. I will say that, you know, companies have to figure out, one, how to make this less mysterious and really get this into being a true part of their culture that they really see how they tie back into it. So you've got to have that transparency.
And one of the fun ways you can do this within companies is through these internal phish-me
exercises. So I'll give you an example. So our security team, every month, they do these mock-up
emails and they send them out company-wide. That could be anything from a free cup of coffee or a free meal or a gift card.
And they do a really good job at making it look exactly like that company that they're trying to mimic.
And then they measure.
They measure, okay, how long does it take the people to click it?
How many people clicked it?
Is it coming down from a specific team or department? And so month over month, we hopefully are starting to see that we're getting better at it, as well as we're able to see, okay, what types of emails, what types of links are we continually clicking on? And then having to bolster our education around those particular scenarios.
And there's always Bob in accounting who clicks on everything, right?
Yes. No matter what, you could put the biggest sign out there,
do not click on this link, and Bob's still going to click on it.
And that's Wesley Simpson from (ISC)2.
CyCon is meeting in Washington, D.C. today and tomorrow, and the Cyber Wire is attending.
Organized by the U.S. Army Cyber Institute and NATO's Cooperative Cyber Defense Center of
Excellence, the conference's theme is the future of cyber conflict. Today's morning keynotes
stressed some familiar themes, the reality of the cyber threat, the growing importance of
cyberspace as an operational domain,
the increasing rate of change, the centrality of artificial intelligence to future cyber operations,
and the importance of collaboration.
None of this is news, but it's interesting to see the continuing consensus they express.
A few highlights worth mentioning include Army Cyber Command's Lieutenant General Paul Nakasone's characterization of data as the new high ground, the new key terrain.
The U.S. Army, he said, is working to push cyber capabilities to forward deployed forces.
An important sign of this is the degree to which the Army now gives brigade combat teams cyber elements to use in their regular rotations through training centers.
And that is news.
Military capabilities don't become real until they're exercised, and this is as clear a signal
as any that the U.S. Army is serious about pushing cyber operations down to the tactical level in the
battle space. Internet co-inventor Vint Cerf also spoke, and he said he was determined to be the
bearer of bad news. We aren't winning.
Cerf argued that we've overlooked or simply disregarded some approaches to better security
that have been well known for some years, hardware-enabled security among them.
Above all, he sees a quality problem in software
and says that we're unlikely to realize serious improvement in safety and security
until we begin to impose liability and consequences for
bad practices. There must be a price to pay for doing a bad job, is how he summed it up.
U.S. Army Chief of Staff General Mark Milley closed the morning session with a historical
account of changes in the character of warfare. He thinks we're in the middle of a change comparable
to earlier revolutions in the conduct of war.
Increased visibility and increased precision are producing increased lethality.
The rapid advance in information technology and its swift dissemination into cyberspace as an operational domain
have changed, fundamentally, the way we fight.
And such changes aren't complete until they've produced a fusion of technology, doctrine, organization, and training.
We'll have more on CyCon over the course of the week.
To turn to other matters, another celebrity, this one described as a professional wrestling diva,
has been embarrassed by the posting of saucy pictures to the internet.
One might hope that since this is a second occurrence, the celebrity's discomfiture is somewhat attenuated.
But this kind of extortion and harassment are a real problem for many.
It's often a coarse form of revenge.
But Facebook now says it may have a solution.
Give Facebook any risque pictures of yourself,
and Menlo Park promises to pull them from the internet when it sees them.
Well, okay then.
But one can't help reflecting that here, as in so many other places,
identity management is all.
As one of our stringers who thinks about these things says,
how will Facebook know the picture is of you, Joe Lunchbucket or Janie Sixpack,
and not someone entirely different?
Like, what's to prevent you from claiming to be, say,
Jenna Abrams or even Carlos Danger?
Well, hey, you've got the pictures to prove it, right?
Right.
And joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs.
Emily, welcome back. You were recently in the Netherlands for a Cybersecurity Week
conference, and you came back with some thoughts that you wanted to share with us.
I was. It was a fantastic week.
A lot of good policy conversations, a lot of interesting pitches and vendor conversations and a lot of investment discussions.
I was conducting an informal poll while I was there, asking people a few different things, depending on who I was talking to,
but about the AlphaBay and Hansa takedowns just from a dark web perspective.
But then some questions about Equifax and GDPR. I was interested to see as an American,
how the Dutch and how some of the people from the UK were reacting to Equifax, what they were
hearing about it, how it was being discussed in kind of major news organizations and how it was
being discussed in the industry. The answers were, I suppose I would call them surprising.
How so?
I expected there to be more industry discussion around Equifax and more discussions around the
implications of the breach or the implications of Equifax's security practices. But in fact,
what I heard from most people was that it was being discussed
largely as an embarrassment and more specifically around the executives who had sold stock.
And that's what really was driving the conversations.
And do you suppose perhaps because it wasn't a terribly sophisticated breach and that,
you know, they got hit with a known vulnerability?
Perhaps. I know that some people that I spoke to from the
UK were a little bit more concerned about the potential fallouts. And they were interested to
see over time. You know, I think at that point, we were still waiting to hear exactly how many
people in the UK had been impacted. But really, people were discussing cybersecurity incidents
closer to home, which isn't surprising. There were a lot of conversations about WannaCry on the UK side and NotPetya in the Netherlands.
How much did you see reflected in your conversations what I perceive is a real
difference in attitudes towards privacy between Europeans and Americans?
There's definitely a real difference in attitude toward privacy, both for individuals and also for companies and
definitely at a national level, you know, whether it's discussions around GDPR or using these
incidents as an opportunity to evaluate the role of government or where, you know, investment
spending should be directed, whether it's helping businesses, whether it's building up,
you know, national security infrastructure, definitely different approaches, definitely
different concerns. I think it's going to be interesting, obviously, when GDPR kicks in
to see what the global impact is going to be. That was one of the questions I was asking while
I was there of, you know, again, a number of different people about how people expect GDPR to actually be enforced
and how they expect to see it play out over the next, call it next five years. In particular,
you know, I think we all agree that some major organization is going to get hit hard with some
fines because of lack of GDPR compliance. But what is this going to look like
for smaller organizations? The general consensus was that no one is going to bankrupt a small
company for failure to comply and that there's going to be a lot of leeway. But more than one
person told me, and I think this isn't a surprise, that they expect to see at least one large
organization used to make an example pretty early on after
the legislation is in place. Interesting to note as well that the GDPR regulations do not include
any jail time. They are all fines. They are fines. And, you know, the lack of jail time may be
nice, but the fines are not small, at least not as currently outlined.
No, it's a good point. All right, Emily Wilson, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.