CyberWire Daily - The Paradise Papers, tax avoidance, and quiet investments. Kaspersky affair updates. Retaliation against influence operations?
Episode Date: November 6, 2017
In today's podcast, we hear about the Paradise Papers, a trove of documents obtained from a Bermuda law firm that contain details not only about wealthy tax avoiders, but about investments as well. Kaspersky says that its antivirus software did, after all, copy files that weren't viruses. (But they were still bad files.) US Senate Majority Leader McConnell says tech companies should help the US retaliate against nation-states' cyberattacks. Dale Drew from CenturyLink with a call for introspection when considering cyber defenses.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Paradise Papers, obtained from a Bermuda law firm,
contain details not only about wealthy tax avoiders, but about investments as well.
Kaspersky says that its antivirus software did, after all, copy files that weren't viruses,
but they were still bad files.
U.S. Senate Majority Leader McConnell says tech companies should help the U.S. retaliate
against nation-state cyber attacks.
I'm Dave Bittner with your CyberWire summary for Monday, November 6, 2017.
The long-anticipated and much-feared document dump from Bermuda's Appleby law firm,
specialists in offshoring who cater to very high-net-worth individuals, has dropped.
13.4 million documents are said to figure in the Paradise Papers leak,
whose source remains unknown. Appleby has been preparing its clients since late last month for
the exposure, which the law firm characterizes as an illegal hack, not a leak, presumably thereby
ruling out document theft by a rogue insider. The law firm began to prepare its response when
it was contacted in October by
the International Consortium of Investigative Journalists, who sought comment on the documents.
Among those mentioned in dispatches are prominent UK public figures, including members of the Royal
Family. Of interest to US audiences are documents that appear to show the way investment money from
Russian oligarchs, and possibly the Russian government itself, passed into Silicon Valley.
The New York Times reports significant Russian investment in both Facebook and Twitter
going back as far as 2010,
with the money coming from a variety of Russian sources through Yuri Milner.
It eventually amounted to a bit more than 8% of Facebook and some 5% of Twitter.
As the New York Times points out, there's nothing illegal about Russian entities,
even state-controlled ones, investing in U.S. companies.
Facebook held its IPO in May of 2012.
Twitter went public in November of 2013.
The Paradise Papers episode is being widely compared to the Panama Papers leak,
in which 11.5 million documents taken from the Mossack Fonseca law firm were released to the public in 2015.
We've received a number of comments on the Paradise Papers from industry experts.
They've tended to see the lesson here as one of data security at law firms.
Mark Sangster, VP and industry security strategist at cybersecurity company eSentire, drew particular attention to the incident's similarity to the Panama Papers.
He said, quote, the parallels of Paradise Papers to last year's Panama Papers breach are obvious.
However, beyond the shock factor of the leaked data itself, what's more alarming is the depth
and magnitude of this breach. Law and accounting
firms should raise the alarm when it comes to their firm's cybersecurity rigor. The Panama
Papers may have been opportunistic, however, it laid a blueprint for these kind of attacks.
It has shone a spotlight on tax operations in the Caribbean, and while the mechanics of the
breach itself have yet to be revealed, it was clearly a targeted attack. Appleby took
appropriate response steps in notifying their clients, but you can't insure this. This class
of events demonstrates why law firms must protect their clients' confidential information.
No amount of cyber insurance, data-backed strategies, nor business continuity planning
can ever put this genie back in the bottle. Law and accounting firms are particularly susceptible to ethical hacking, and really,
every firm should assume they'll be breached, because they will be breached.
These firms house a treasure trove of sensitive data that, when compromised, can result in
sometimes irrecoverable damage.
This attack will have far-reaching impacts for those affected."
End quote.
We also received an emailed comment from Ilia Kolochenko, CEO of web security company High-Tech Bridge,
who thinks this looks like a crime, whatever one might think of the high-profile victims.
He observed, quote,
Seems that this is another major hacking case where intruders won't be found and prosecuted.
Notwithstanding the allegations of wrongdoing offshore, a crime cannot be justified by investigation of unlawful activities. Victims
should explore various legal avenues to claim damages which may be quite significant. End quote.
Law firms have become a very attractive target for cyber criminals, in Kolochenko's opinion.
He notes,
He thinks the legal sector may be disposed to rely on legal measures for protection,
and their faith in that kind of defense, he argues, is misplaced.
He said, Many law firms still carelessly rely on the law for
data protection, but this is in vain. Paucity of financial resources and lack of qualified personnel
preclude law enforcement agencies from investigating and prosecuting the vast majority of crimes
committed in digital space. This creates a very dangerous atmosphere of unlawfulness and impunity
in the Internet,
undermining trust in the government and its ability to protect our society.
End quote.
Perhaps, he suggests, now is a good time to begin thinking about regulating data security in the legal sector.
Quote, their data deserves at least the same level of protection as data of companies under PCI DSS or HIPAA compliance.
Otherwise, visiting attorneys will become very risky.
End quote.
And of course, no one wants that.
Kaspersky says its security software copied files
that did not pose a threat to the systems it was protecting,
a development that doesn't look good for Kaspersky.
CEO Eugene Kaspersky denied in an interview with Reuters
that there's any impropriety to this.
The files copied may not have contained malicious code,
but the non-malicious files were, he said,
part of larger, suspicious files.
This is unusual.
Typical industry practice is for antivirus software
to leave files that aren't viruses alone,
not to pull in other files that may allude to tools or contain clues about hacking.
Many of its commercial partners seem to be cutting Kaspersky loose.
The company has removed the names of 67 tech partners,
including Amazon and Microsoft, from its corporate website.
The U.S. Senate Majority Leader, Senator McConnell, Republican from Kentucky,
says Google, Facebook, and other tech companies should help the U.S. retaliate against Russia
for attempts to influence U.S. elections in 2016.
The senator said during a weekend interview with MSNBC,
quote,
What we ought to do with regard to the Russians is retaliate, seriously retaliate.
These tech firms could be helpful in having us, giving us a way to do that. End quote. So, marque and reprisal? We doubt it.
Defense contracting? Well, probably.
And joining us once again is Dale Drew.
He's the Chief Security Strategist at CenturyLink.
Dale, welcome back.
You know, when it comes to cybersecurity, it's easy to point fingers,
but you wanted to make the point today that perhaps it's worth looking inward.
Exactly. It's physician, heal thyself, right? And I think sort of the point here is that
what we've been seeing is we've been seeing not only consumers, but businesses sort of take steps
to deactivate security controls within their infrastructure, de-install antivirus systems,
non-install patching. And so, you know, I've spoken to a large group of people and I,
you know, pointed the finger at them and said, you are the reason cybercrime is so successful.
You're not following security practices. You're clicking on phishing email, you're hitting reboot later when a patch is ready
to be installed, and you're making it easier for the bad guy to compromise your system.
In fact, if you look at some of the recent, you know, very high, highly public attacks that have
occurred, take Equifax as an example, they haven't occurred because of highly sophisticated sort of
movie-ready attacks, but they're taking advantage of a lapse in simple cybersecurity practices.
The lack of patching, the lack of monitoring, and the lack of simple password management.
You know, admin-admin continues to be a very popular username and password pair.
We think that you just have to take care of the basics. I mean, there's a lot
of very sophisticated attacks occurring, but a majority of them are happening through the basics.
I also think, you know, for the most part, security is boring. You know, real security is
boring. It's really about monitoring your ecosystem, ensuring that you check all of your systems to
ensure that they're in compliance with your policies and your practices and standards, to ensure that patches have been
properly deployed, that you're scanning your systems. It's the basic fundamentals that are
becoming more critically important because those are the things that sort of act as
key bridges to breaking into the vast majority of your ecosystem.
If real security was filmed as a movie, it'd be the most boring movie in the world.
And then the other point I'd say, you know, sort of related to this,
is that there was a recent study done by Gartner on IT security spending.
And, you know, the basic conclusion was,
is that if you were not spending more than 4% to 7% of your total IT budget to protect the company, you're really doing the company a disservice.
So companies who don't have the resources to make bigger investment in security should really look to outsourcing their basic security components to third parties, cloud service providers or managed security providers.
They've got the staff, they've got
the capability, they've got the certifications to be able to handle those basics. And so it might
be time to solve the inward problem by also looking outward.
All right, Dale Drew, thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.