CyberWire Daily - US DHS Secretary Nielsen resigns. Credential stuffing campaigns. Cryptojacking disrupts a business. A duty of care, online. Tax season scams.
Episode Date: April 8, 2019
In today's podcast, we hear about leadership changes at the US Department of Homeland Security. A look at credential stuffing. Cryptojacking disrupts production at an optical equipment manufacturer. The British Government moves toward establishing a duty of care that would impose new legal responsibilities on search engines, social media, and others. Tax season scams grow more plausible, and some of them are aimed at rounding up money mules. Rick Howard from Palo Alto Networks reflects on the accomplishments of the Cyber Threat Alliance. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_08.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Leadership changes at the U.S. Department of Homeland Security.
A look at credential stuffing.
Cryptojacking disrupts production at an optical equipment manufacturer,
the British government moves toward establishing a duty of care that would impose new legal responsibilities on search engines, social media, and others.
Tax season scams grow more plausible, and some of them are aimed at rounding up money mules.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Monday, April 8th, 2019.
U.S. Secretary of Homeland Security Kirstjen Nielsen resigned yesterday.
It's unclear who her successor will be. Her resignation letter said she had, quote,
determined it was the right time to step aside,
and then cited her hope that her successor will have the support of Congress and the courts
in fixing the laws which have impeded our ability to fully secure America's borders
and which have contributed to discord in our nation's discourse, end quote.
The former secretary had been regarded as one of the
administration's most senior officials with significant cybersecurity experience,
and the Department of Homeland Security has, of course, become the government's lead civilian
agency involved in the protection of cyberspace. It's thought likely there will be other changes
in the Department of Homeland Security. Reports this afternoon indicated that the director of the Secret Service will also be departing.
Security firm Akamai has released a study of credential stuffing attacks.
This easily scaled commodity form of attack especially affects media outlets,
gaming companies, and the entertainment sector. Looking back at 2018, Akamai says it observed hundreds of millions of credential stuffing attacks every day.
The barriers to entry are low, and there are even YouTube videos, Akamai notes,
that offer how-to instructions for criminals wishing to enter the field.
As an attack on optical equipment manufacturer Hoya shows, cryptojacking can disrupt production.
The incident began at the beginning of March when employee network credentials were compromised.
The goal of the compromise was to enable the attackers to install coin mining software on Hoya's systems.
They did so, noticeably slowing performance of some of the company's servers.
The slowdown is said to have affected the ability to take orders and manage production
at Hoya plants in Thailand.
British ministers are introducing strict controls over online content.
The Telegraph calls it a victory for the duty of care the paper has been calling for.
The government says the proposed law's goal is the protection of children and other vulnerable people.
The White Paper the two responsible ministers issued explicitly cites the recent attack on a New Zealand mosque
as an example of the kind of online virulence the regulations would help curb.
The White Paper would have Her Majesty's government establish a statutory duty of care
that would require companies to
take more responsibility for the safety of their users and tackle harm caused by content or activity on their services.
A regulator would be empowered to develop codes of practice that would inform compliance with the duty of care.
And who would be legally responsible for this?
The proposed statute would apply to companies that
allow users to share or discover user-generated content or interact with each other online.
That covers, as the authors acknowledge, a lot of ground. File hosting sites, public discussion fora, messaging services, social media platforms, and of course, search engines.
The white paper announces the government's commitment to an internet that's free, open, and secure, and to freedom of expression online. It aspires to an internet where companies keep their users safe and uncontaminated by criminal, terrorist, and hostile foreign state activity, and it wants rules and norms for the internet that discourage harmful behavior. Achieving those together, as several commenters have observed, may be challenging.
Consider the case of Facebook.
It's been found that the social network not only hosted a thriving, active collection of criminal groups
trading in a vigorous hood-to-hood market,
but as Gizmodo points out, the social network's algorithms even made it easy for the crooks to find one another.
Facebook notes correctly that the groups were, for years, in violation of its terms of service and has dismantled them.
Now, it seems as much of a sure thing as such things can be
that Facebook is not now and never has been interested in cultivating a criminal customer base.
But a criminal customer base assembled itself on Facebook's platform.
The moral seems to be that policing content to maintain an online environment
that's both free and uncontaminated by various nastiness
is by no means a trivial problem.
It's tax season, have you noticed?
We have.
And we notice that, as usual, our finance desk has put off filing their 1040s until the weekend.
And you and I, friends, aren't the only ones who've noticed that April 15th is approaching.
The criminals have also taken cognizance of the deadline.
Researchers at IBM's X-Force find that online criminals are redoubling their efforts as tax season enters its home stretch.
The attackers are showing a propensity to impersonate major payroll and accounting firms, including Paychex and ADP.
Emails that appear to be from those sources are of course likelier to be taken at face value than emails from, say, Leon's House of Tax Prep Bargains or Deductions R Us.
And the quality of prose is better too, according to
X-Force. A lot of mass market fraud is pretty implausible on the face of it, likely to fool
the inexperienced and the unwary with come-ons like, agency of U.S. government is suspending
your social security number, or maybe is here your important tax form, open attachment now,
now, now. That's not what X-Force is observing. Instead, they're
seeing fairly well-crafted vectors for trick-bot malware, well-designed to steal banking information.
Where businesses are targeted, X-Force thinks the goal is likely to be direct theft.
Where individuals are targeted, the researchers think, interestingly, that the crook's goal is
to use the victims as money mules through whose accounts they can move ill-gotten cash obtained in other theft. So use email skeptically. Don't
let the crooks make a money mule out of you. And finally, we send our well wishes for a speedy
recovery to Andrew Callett, co-host of the Defensive Security Podcast. Andrew has been
facing some unexpected medical issues,
and we hope he gets well soon,
so he can get back behind that mic with co-host Jerry Bell.
And joining me once again is Rick Howard.
He's the chief security officer at Palo Alto Networks.
Rick, it's great to have you back.
Something that you are quite passionate about is the work that you do with the Cyber Threat Alliance. And we wanted to take some time today to highlight some of the successes you've had there.
Yeah, thanks, Dave. Yeah, I want to take a moment and just kind of punch out the highlight reel because it is an important thing. And thanks for giving me the time to do that. And for those that don't know what it is, the Cyber Threat Alliance is an information sharing organization for cybersecurity vendors. About five years ago, four of us, Palo Alto Networks, Symantec, Fortinet, and Intel McAfee, that's back when Intel and McAfee were the same thing, got together and said, you know, every other commercial vertical has an intelligence sharing organization. Organizations like the FS-ISAC for financials, the Automotive ISAC, the Aviation ISAC, the Defense Industrial Base, and a bunch of others.
And members in all those sharing verticals are fierce competitors.
So why is the security vendor community so unique that we can't share in order to support our mutual customers?
The answer, it's not, right?
So we got together to try to figure it out.
We realized that all of us have the ability to update our own products with new prevention and detection controls on the fly.
And just an example at Palo Alto Networks, when Unit 42 discovers some new bad guy thing, we can convert that intelligence into multiple prevention controls down the intrusion kill chain and deliver them to our 60,000 customers around the world in about five minutes.
That is an amazing capability, and all the other security vendors have something similar.
The point is, with the Alliance, when something new is found and shared, we can deliver prevention controls around the planet for every member in the organization in minutes to hours.
This is orchestration at its best, executed by the security vendor community automatically, so that our mutual customers don't have to manually deploy their prevention controls themselves.
So this is a true community effort.
It really is, and it was a weird idea at the beginning, but more and more security vendors are coming online and understanding what we're trying to do.
So we've had new members added every year.
And two years ago, the Cyber Threat Alliance became a nonprofit, and we got Michael Daniel, he was President Obama's former cyber czar, to be the president of the company.
The original four security vendors plus Cisco and Check Point became the board members to it. And so we were off and running. Now, this past year, 2018, we added seven additional members to bring the total to 21. And the other thing is they're not all US-based. We have Radware from Israel, NEC from Japan. We're sharing about 75,000 indicators of compromise a day between members, and we are moving closer to sharing complete adversary playbooks. This is the idea of a STIX package that contains MITRE ATT&CK techniques and all the associated indicators of compromise for very specific adversaries. So that's fantastic.
The other great success story in 2018, it just kind of happened organically, is the members' willingness to share their independent research before going public.
You know all of us write blogs and announce really interesting things so that you can talk about it.
So this happened for the first time this year with Cisco when they were getting ready to release their research on the VPNFilter problem.
This is an attack against a bunch of home routers in the world.
So Cisco got us all in a room and gave us the update to their research a couple of days before they went public.
We all went back and updated our products.
And when Cisco finally published their research paper, all of us had protections in place before the world found out about it.
Oh, interesting.
Yeah, so fantastic, right?
And since then, the Cyber Threat Alliance members have executed some 20 other early sharing efforts from all the members whenever we come up with something interesting to talk about.
So help me understand here.
So it makes sure that everybody's ready with the defenses deployed when a public announcement is made. But I suppose there's also a certain element of peer review there as well.
Yeah. And then we can always add on and say, hey, did you think about this? Did you get that right?
So, yeah, it's kind of a check. And these are the smartest cybersecurity intelligence people on the planet, all sharing threat intelligence to the other to make sure that the story is correct. I mean, it's a fantastic mechanism and that just kind of grew out organically. So we're pretty happy about that.
Yeah, terrific.
So that's the highlight reel.
Okay.
The bottom line to all your listeners is this, please tell your vendors to join, tell them to call me and we'll get them hooked up.
All right. Fair enough. Well, as always, Rick Howard, thanks for joining us.
Thanks for the update.
Thank you, sir.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast
of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you
informed. Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is proudly
produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.