CyberWire Daily - Terror, announced and celebrated online. JavaScript sniffer afflicts e-commerce sites. Cryptojacking in the cloud. Perspectives on regulation, thoughts on a pervasive IoT. China’s IP protection law.
Episode Date: March 15, 2019
In today’s podcast, we hear that a terror attack against two New Zealand mosques is announced on Twitter and live-streamed on Facebook. A new, unobtrusive JavaScript sniffer infests some e-commerce sites in the UK and the US. Cryptojacking finds its way into the cloud. A look at the consequences of regulation, both good and bad. How CISOs will have to grapple with the increasingly pervasive Internet-of-things. And China’s National People’s Congress makes a gesture toward respecting IP, but the world remains skeptical. Craig Williams from Cisco Talos with an update of crypto miners. Guest is Nirmal John, author of the book, “Breach: Remarkable Stories of Espionage and Data Theft and the Fight to Keep Secrets Safe.” For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_15.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's join delete me dot com slash N2K code N2K.
A terror attack against two New Zealand mosques is announced on Twitter and live streamed on Facebook.
A new unobtrusive JavaScript sniffer infests some e-commerce sites in the UK and the US.
Crypto jacking finds its way into the cloud.
A look at the consequences of regulation, both good and bad.
How CISOs will have to grapple with the increasingly pervasive Internet of Things.
And China's National People's Congress makes a gesture toward respecting IP,
but the world remains skeptical.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday,
March 15, 2019. 49 people are dead in Christchurch, New Zealand, as anti-Muslim terrorists shot up two mosques during Friday prayers.
Police have made four arrests.
Intent to carry out the massacre was announced online shortly before the murders began.
familiar goals of terror and depraved inspiration also linked to a shooter's Facebook page,
where some 17 minutes of the massacre were subsequently live-streamed. It was apparently taken by a camera worn by the shooter, and it included the shooter's own repellent commentary
offered as he gunned down worshippers. Of the four arrests, police have charged one man with murder,
released another after concluding he wasn't involved in the attacks, and continue to investigate the other two.
The inquiry continues amid widespread condemnation of the attacks.
The video has been taken down, and authorities urge anyone who may have it to refrain from sharing.
Researchers at security firm Group IB late yesterday reported that seven online stores, based in the UK and the US, were infected with a new and evasive JavaScript sniffer that Group IB calls GMO.
They first discovered the malware on sporting goods site Fila UK.
AT&T's Alien Labs have a report out on how cryptojacking has, like so much legitimate commerce, moved into the cloud.
The infestations have come in a variety of ways.
Some pests are compromising open APIs and unauthenticated management interfaces in order to get into container management platforms.
Others have gone after control panels of web hosting solutions.
AT&T's Alien Labs blog has advice on how to recognize such attempts
and a list of indicators of compromise.
So here's a question.
Does regulation have a downside?
That's one of the issues that was under discussion
at the Johns Hopkins University's annual Cybersecurity Conference for Executives Wednesday.
Regulations' promised upside is clear enough.
It's an analog of public health and public safety measures transposed to cyberspace.
And the usual complaints about regulation, that it can stifle legitimate trade,
that it can be an indirect form of patronage and rent-seeking, that it can be poorly designed,
well, those are also obvious enough.
In a keynote that opened the proceedings in Baltimore this week,
Dr. Phyllis Schneck, managing director of the Global Cyber Solutions Practice at Promontory Financial Group,
began by drawing attention to the well-known principle
that compliance isn't sufficient for security,
still less synonymous with it.
And one problem with regulation is that compliance can lead to unjustified complacency.
But she went on to outline some of the less obvious downsides and upsides.
Schneck offered regulation of personally identifiable information, PII,
as an example of regulatory insufficiency.
PII is widely regulated, but there's a wealth of other types of data that aren't,
and which, when aggregated,
can be at least as revelatory
as what we commonly think of as PII.
Information such as location data
and buying habits, for example,
can be just as valuable to an attacker
as it is to the companies that collect the data.
One of the problems with regulation,
she said, is that it shows the bad guys what you're not doing, so they can invest their time
and money into targeting areas that are unprotected. Attackers will always be ahead because defenders
have laws that restrict their actions. Attackers can adapt more quickly to new information,
and they're generally more open to sharing information with other attackers.
Operational resilience is the only way to address this problem, Schneck argued. Companies need to
have their recovery strategies set up in advance. She stressed that rehearsal is a necessary
component of resilience. Companies need to ask themselves what they would do if all the lights
went out tomorrow, so that they're not dealing with that question when the lights actually do go out.
John Forte, deputy executive for Johns Hopkins University
Applied Physics Laboratory's Homeland Protection Mission Area,
delivered the closing keynote.
He spoke to the proliferation of interconnected devices,
transportation, health care, buildings and cities,
education, public safety, are increasingly automated,
and CISOs are going to need to deal with that trend soon.
IoT devices will be used to assist in countless tasks,
and all of these devices need to interact with each other.
The challenge is getting them to interact securely and building them so they can't be hacked.
Forte said that the traditional consideration for a CISO is aligning the risk to the mission.
In the future, however, CISOs will increasingly need to become business strategists.
What CISOs need to start doing today is designing open, resilient, zero-trust architectures,
mastering the supply chain and enhancing automation and the use of AI.
Forte noted that we're currently in the very beginning stages of artificial intelligence.
Agence France-Presse reports that China's National People's Congress
has approved a law said to be intended to inhibit government agencies from forcing foreign companies
to give proprietary technology to their Chinese partners in joint ventures. The bill also makes
a gesture in the direction of establishing
mechanisms for adjudicating disputes over intellectual property among Chinese and
international partners. The measure is widely seen as a peaceful gesture in the direction of
Washington, as Sino-American trade negotiations enter what appears to be their endgame. But few
observers think the law will have much of an effect on Chinese conduct
with respect to intellectual property.
While the American Chamber of Commerce in China did say that the last-minute efforts
are appreciated, it also regretted that the new law addresses just a small slice of the
overall set of concerns our members have about the uneven playing field foreign companies
encounter in China.
On balance, that seems to be the international reaction.
Too many loopholes and uncertainties remain for those who would do business in China.
Perhaps it's the thought that counts.
Agence France-Presse, by the way, helpfully, if sourly,
calls the National People's Congress China's rubber-stamp parliament.
The vote in the National People's Congress was 2,929 for it,
8 against it, and 8 with nothing to say.
That's a pretty big rubber stamp.
Must need quite a stamp pad.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Craig Williams. He's the Director of Talos Outreach at Cisco.
Craig, great to have you back. Um, I wanted to check in with you this time about where we stand when it comes to crypto miners.
Well, so, you know, one of the things that we always suspected is that
you know as the cryptocurrency markets continued to soften,
you know, a lot like the other economies, that we were going to see some sort of impact in the behavior of the attackers using that as a preferred payload. And so we looked in our
telemetry. Obviously, we have telemetry from our customers who decide to opt in. And funnily enough,
I made a fun mistake. I noticed a little bit of a dip in November. And so I talked to Nick
and Nick and I were talking about the theory and we agreed that, hey, yeah, there could be something
to this. Let's dive in. And? Well, it turned out the day I was looking at was Thanksgiving.
So for those of you outside of the United States, that's when we all quit work and go eat turkey for a while.
I think we may have just gotten a little glimpse in your personal life there as well, Craig.
Yeah.
And so it turned out that we were able to prove that, yes, the tiny little window I saw absolutely happened.
All right.
But when you looked at it from an overall perspective, that was really
just a temporary dip. So in fact, we basically confirmed the opposite of our theory. Not only
is cryptocurrency mining continuing relatively steady, previous infections are also being
maintained. Yeah, it's interesting because I've seen stories recently about how on the legitimate mining side of things, you know, some of the graphics cards manufacturers have been lowering their forecast expectations for earnings in large part because of the dip in the profitability of mining.
Absolutely. And so, you know, naturally, I think it's normal to assume that, hey, maybe that will carry over into the threat landscape. But I think what we were able to determine was that because the risk is so low and the barrier to entry is zero because the kits are just out there littering the internet, that it doesn't matter how low the price goes.
Until there's something that's even lower risk with a good payout, people are going to continue using these tools for the foreseeable future. Yeah. And it's also interesting that I guess as far as these things go, this one can
have a low impact on the end users. Lots of folks have crypto mining going on and might not even
know that it's happening. Well, so that's an interesting discussion. I'm glad you brought
that up. So, yeah, I've heard that argument a lot. And I think there is a kernel of truth to it, right?
Yeah.
You know, if you have cryptocurrency mining going on, well, your network's not going to
go down immediately.
You know, your data is not going to be held hostage.
Right.
And you can probably carry on with business as usual for a while.
You know, the big flashing red lights need to be if you have a cryptocurrency mining
on your network, that's just what you're aware of,
right? You've left the door unlocked somewhere and you know that people are going through it.
Maybe you know what one person who went through the door is doing. Maybe they're crypto mining
quietly in the corner, but you have no idea who else has come through that door and what data has
gone out that door. And so I think while it's true that the crypto mining itself is not that damaging, right?
And yes, sure, there's some power loss and maybe slightly higher expenses around that. But I think
the real risk is that the doors open and any attacker who wants and can find it can come
through that door and cause additional damage. Sort of a canary in the coal mine, if you will.
Exactly. Yeah. All right. Well, good insights as always. Craig Williams, thanks for joining us.
Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
My guest today is Nirmal John.
He's a journalist living in India and author of the book Breach,
Remarkable Stories of Espionage and Data Theft and the Fight to Keep Secrets Safe.
Dave, I think one of the fundamental problems we have right across the world, frankly, is the
gap in knowledge and awareness, frankly, between the people who are in the cybersecurity business and the normal person on the street.
I think that particular issue is a little more acute in India because of the fact that you have got hundreds of millions of people who are coming on board onto the digital bandwagon for the first time.
And these are people who do not have any reference point when it comes to, you know, the idea of digital
security. Can you give us an idea, what is the situation that folks find themselves there in
India when it comes to cybersecurity and protecting themselves? There are two or three different
strands to this question. One is in the context of corporates, right? In that context, I think, you know, one of the things that I've tried to bring out in the book, and this is primarily aimed at that kind of audience.
What I've tried to bring out is the fact that it is individual mistakes often that bleed into breaches.
It is silly things like sharing of passwords, for example, or clicking on the wrong link, which starts a domino of things happening in the background.
The other thing as a larger view is the fact that a lot of these instances can actually come down through simple awareness programs, frankly.
I think there are people who are making mistakes. Those are the silly kind of mistakes where you click on something, divulge numbers to the bank account numbers and ATM pins and all that to people who call.
It's mostly low-level stuff that's happening right now.
And that is what is worrying about, as I said,
when you have hundreds of millions of people
who are coming on board onto the digital world,
it is the low-level stuff that's actually creating much of the issue.
Now, as you're getting feedback on the book, as people are reading it, are there any of
the stories that they're coming back to you and they're saying, wow, this was a
particularly remarkable one? Yes, I think one of the
stories that I've narrated, in fact, the first chapter itself,
is of a top Indian businessman. He's one of India's
richest men, you know.
And, you know, he's a very powerful man.
And this guy was, you know, the victim of a phishing email back in 2011.
The fact that somebody as powerful as him could be the victim of something like that,
I think that itself shows the gravity of the situation, right? And I think that's the feedback
that I got when I told people, when people came back to me about after reading the book,
you know, some of these instances and some of the simplicity of the ways in which the
breaches happened. That's something that stood out for most people.
Are there any things in particular about India that you find unique to that country,
to that part of the world, that might be different from what we're used to here in the United States?
I think broadly notions of things like privacy. We have, I think, culturally a different kind of makeup and outlook on things like that.
And that has a direct impact on cybersecurity.
I think there is a culture of sharing, which is a little more overt compared to countries in the West.
The more information that is out there, the easier it is for people to, you know, for malicious actors
to capitalize on it, right? So I think one of the fundamental issues is our, you know, willingness
to overshare. The center of the cybercrime universe has been other countries over the years,
but I think as India grows further and as the population becomes more and more
digitized, I think, you know, crime would, and is actually, in fact, taking off
in a big way. I mean, the sheer numbers, right? I mean, 1.2 billion people in a country, that itself
gives militias, those who have malicious intentions,
a great market.
What is especially worrying is the fact that,
you know,
this is a market where awareness is low.
So that's a,
that's a great combination,
right?
While the ticket sizes themselves say,
you know,
in a banking heist might be smaller.
The fact that it's easier work for malicious actors,
I think that is something that stands out for me in India.
What do you hope people take away from the book?
Folks who've read it, what are some of the lessons you want them to take from it?
One of the fundamental things that I want people to take away is that it could happen to you.
I think we in India, we often think that bad things happen to somebody else.
And therefore, there is a reluctance to take responsibility and invest in whether it's in terms of training, you know, an organization or in terms of building the right technology to protect yourself.
I think I want people to be a little more skeptical.
I think a little more skepticism in how they interact with the digital world around them would go a long way.
That's Nirmal John. He's a journalist and author of the book Breach,
remarkable stories of espionage and data theft and the fight to keep secrets safe.
Thanks for having me.
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in. insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.