CyberWire Daily - Warm wallet pilferage. Advice on reducing the ransomware risk. Regulatory action in the T-Mobile breach. China’s privacy law. FTC refiles monopoly complaint against Facebook. Better MICE traps?
Episode Date: August 20, 2021
Pilferage reported from Liquid Global’s alt-coin warm wallets. CISA offers advice on reducing the risk of ransomware. The FCC is looking into the T-Mobile breach, and Moody’s raises questions about the telco’s risk management. China passes its own version of GDPR. The FTC refiles its monopoly complaint against Facebook. Caleb Barlow on 3rd Party Breach Notifications and finding out if your information is being traded on the dark web. Rick Howard speaks with hash table member Zan Vautrinot about serving on boards. And the FBI warns that insiders can be recruited for industrial espionage. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/161
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code N2K.
Pilferage is reported from Liquid Global's altcoin warm wallets. The FTC refiles its monopoly complaint against Facebook. Caleb Barlow on third-party breach notifications and finding out if your information is being traded on the dark web.
Rick Howard speaks with hash table member Zan Vautrinot about serving on boards.
And the FBI warns that insiders can be recruited for industrial espionage.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 20th, 2021. The cryptocurrency exchange Liquid has disclosed that some of its warm wallets had been compromised.
Security Week reports that the approximate equivalent of $97 million has been lost. Security firm Elliptic says that much of the theft, some $45 million,
was of Ethereum tokens, which the thieves are currently in the process of converting to Ether
before they can be frozen. As a precautionary measure, Liquid said it was moving funds to
cold wallets. The exchange has offices in Singapore, Vietnam, and Japan, and it's licensed and regulated by the Japanese Financial Supervisory Authority.
What's the difference between a warm and a cold wallet, you ask?
A warm wallet is readily accessible, securely online, and is used for transfers, trading, and remittances.
A cold wallet is stored offline and is less accessible.
Cold wallets are generally regarded as more secure than warm ones. The U.S. Cybersecurity and Infrastructure
Security Agency, that's CISA, has this week issued guidelines for preventing ransomware attacks,
protecting data at risk in such attacks, and responding to a ransomware incident
should your organization
fall victim. The guidelines could be applied by most organizations adapted to their particular
circumstances. For prevention, CISA recommends that every organization maintain offline encrypted
backups of data and regularly test your backups, create, maintain, and exercise a basic cyber
incident response plan, resiliency
plan, and associated communications plan. Mitigate internet-facing vulnerabilities and
misconfigurations to reduce risk of actors exploiting the attack surface. Reduce the
risk of phishing emails from reaching users by enabling strong spam filters and implementing a
cybersecurity user awareness and training program.
And finally, practice good cyber hygiene by ensuring antivirus and anti-malware software and signatures are up to date.
If you rely on managed service providers, CISA's got advice on how to reduce your risk there, too.
TechCrunch reviews the cost of a ransomware attack as assessed by multiple sources
and finds that the ransom payment itself, if any is even made,
usually comes to less than 20% of the total.
Labor, reputational damage, opportunity costs, and legal obligations
make up the bulk of the bill.
The Wall Street Journal reports that the U.S. Federal Communications Commission has opened an inquiry into the T-Mobile breach,
the first regulatory action in response to that incident.
The FCC says it's coordinating with law enforcement.
An FBI representative told the Journal the Bureau was aware of the incident but declined further comment.
Moody's Investors Service, the well-known investment rating firm,
has issued a report on the T-Mobile breach, and while it hasn't announced a credit rating action,
it does offer some comments on the telco's risk management.
Despite the relative strength of the telecommunications sector as a whole,
T-Mobile has faced cybersecurity challenges in recent years.
In August 2018, T-Mobile said attackers gained access to the personal details of 2 million customers. That was followed in November 2019, when the company said it had discovered and
shut down unauthorized access to the personal data of its customers. In March 2020, T-Mobile
said attackers gained access to both its employees
and customers' data, including employee email accounts. While other U.S. mobile carriers have
disclosed cyber incidents in recent years, none has done so as frequently as T-Mobile.
The repeated incidents raise questions about T-Mobile's cyber risk governance and management practices.
China has passed its long-anticipated data privacy law, the Personal Information Protection Law.
It closely resembles, the Wall Street Journal says, the GDPR.
It's likely to restrain corporate data collection,
but is expected to have essentially no effect on government surveillance.
CNBC sees the law as part of a general tightening of Beijing's regulation of the tech sector.
The U.S. Federal Trade Commission has filed an amended version of its anti-competitive practices complaint against Facebook. The 80-page complaint is rich in historical detail,
as is perhaps fitting for a revised complaint, whose original version a court rejected in June for insufficient evidence.
The acquisitions of Instagram and WhatsApp form the core of the FTC's case that the company has engaged in impermissible monopolistic practices.
The FTC maintains in its filing that Facebook has effectively been a
monopoly since at least 2011. The filing says, in part, quote, Facebook has today and has maintained
since 2011 a dominant share of the relevant market for U.S. personal social networking services,
end quote. The complaint goes on to allege that user metrics provide sufficient evidence that Facebook has attained durable monopoly power in social networking services.
Facebook, which has until October 4th to make its own legal response, understandably calls the FTC's case meritless.
In particular, it objects to what it characterizes as the FTC's capricious efforts to rewrite settled legal decisions.
Quote, were lawful. The FTC's claims are an effort to rewrite antitrust laws and upend settled
expectations of merger review, declaring to the business community that no sale is ever final.
We note that Facebook has tweeted its response. Since the social network doesn't own Twitter,
this seems a nice touch. Protocol has an account of FBI warnings to companies on the ways in which Chinese services pressure and compromise employees into stealing trade secrets.
The account essentially advises businesses to create a version of the counterintelligence awareness programs long familiar in the U.S. departments most concerned with espionage.
It's not HR's job to catch spies, but maybe it's becoming one of the chief security officer's. Even organizations
whose mission is spy-catching stumble, as the FBI did with Robert Hanssen, but a bit of sympathetic
and well-constructed awareness training outlining the pressures that foreign intelligence services
can bring to bear on even the upright, the competent, and the well-intentioned, and some reassurance that
the concerns and worries employees might raise will meet a sympathetic and helpful reception
that might do some good. There's an old chestnut in counterintelligence training to the effect that the acronym M.I.C.E. will help you remember why people become spies.
That's M.I.C.E., M for money, I for ideology, C for compromise, and E for ego. Now, those can be
and often are interpreted so elastically that one is tempted to shout, as one of our people heard a
heckler yell at the last counterintelligence
briefing he attended, hell, why does anybody do anything? But you get the point. The letter that's
most important in the context of the FBI's warning to Silicon Valley is the C for compromise,
treachery suborned by the threat of what might happen to the family, whether nuclear or extended, that the employee
left behind. So let organizations be alert, but also sympathetic and helpful.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
On a recent CyberWire X episode about how security executives could pursue corporate
board positions, I interviewed Suzanne Vautrinot, Zan to her friends. She is the president of Kilovolt Consulting, a U.S. Air Force Academy grad, and a retired
major general of the United States Air Force with three decades of experience in space
and cyber operations.
She presently serves as director on several corporate boards like Wells Fargo and CSX,
just to name two.
During the interview, we got off on an extremely interesting tangent
about what it's like to be a board member. We couldn't include it on the Cyber Wire X episode
because it was too long. So we made it a standalone interview for our pro subscribers. And I have to
say, it's fantastic. So we thought we'd provide a sample for our daily podcast audience. Can you
give our listeners a sense
of what it's like to work as a board director?
You've been doing this stuff for a long time now.
Give us the day-to-day.
I think the first thing to understand
is that you're not in charge.
So it's not like being a CEO or a CIO or a CTO
where you direct people
and your words are manna from the heavens
and off they go to do your bidding.
A board member is part of a body that is responsible for a strategic role in the company.
They're responsible for the kinds of things that you would think of as advisory and also ensuring that there's succession planning and a future for the company.
But it's one step removed, what used to be called kind of a graybeards group, but with a very formal responsibility.
So would you say you're more there to provide direction and not to dictate how things should be going?
Is that a fair way to characterize that?
Exactly. And ask the right questions and dig deeper and help them dig deeper
as management based on your collective experiences. Think of it that there's a phrase that
they talk to board members about, nose in, fingers out.
I love that.
Because you are not management.
Yeah, it's great.
And occasionally your wrists get in a little bit because there's a specific thing going on.
But generally speaking, you are one step removed, which allows you to look at the bigger picture,
help to see around the corners and bring a diverse set of expertise, not just yours,
but the entire group. So when you ask about workload, think of it a little bit like when
you were going to the university, where for every
class you go to, you're probably going to spend two or three hours studying the materials before
you go. About a week or a week and a half before the meetings, you go through all the materials,
and the intent is to come so prepared that no one has to brief you the charts or tell you what they sent you.
You can now have a conversation with the other board members and with management about the materials they provided.
And maybe even where you can share past experiences.
But it is a conversation.
Matter of fact, if someone comes to the board and reads you the charts, there's kind of a backlash because board members come
prepared and they want to have the deeper discussion. That's the first part. The second
part is that it is very scripted in the sense that there are certain things the board is absolutely
responsible for. So each quarter, as the company puts out the 10-Q, the audit committee and the
board is going to be very intensely focused on the numbers, on the audit of those numbers by external,
by the work by internal audit. And then you go into a number of governance matters in terms of
how is the company running? How are you moving forward?
How are you looking at it from an external perspective?
And certainly compensation and professional development and succession planning are always
on the table.
And then either regularly or at a singular meeting each year, depending on which board, there's going to be a
very deep strategy discussion that involves the baseline assumptions that management is working
with and the strategy that they want to move forward for the next year or five years that
becomes a very key discussion for the board. Every meeting after that is measuring how are we moving along that strategy
or do we need to make adjustments?
Is there some, in our military terms, branch and sequel that we need to adjust to
or on-ramp and off-ramp based on something that's externally changing or internally changing?
That's Zan Vautrinot, a regular visitor to the CyberWire hash table.
You can hear my interview with her about how security executives
can become board members on the CyberWire X podcast.
And you can listen to my complete interview with her
about what it's like to be a board member on the pro side
of the CyberWire service.
You can find both interviews at the CyberWire.com website.
And we'd like to thank Zan for being on the show.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Caleb Barlow. Caleb, it's always great to have you back.
I want to touch base with you today on third-party breach notifications. I think we've seen some shifts in that realm, and I was curious what you and your team are tracking there.
Well, Dave, if you went back five or ten years, you know, and you'd be doing security research
and you'd find victims, you know, not that you get excited there were victims, but you,
you know, your team got together and said, all right, we've got to notify these victims.
We've got to get on it.
You get people on the phone.
You try to call them up and go, hey, I'm so-and-so, you've been breached.
And they'd say, thank you.
And you give them the information, the IOCs, and you try to protect the good guys. Not anymore. Everybody's done with that.
Well, I mean, here's the problem, right? Doing breach notification now is really hard.
People don't know how to take this inbound ingest. You know, sometimes they're, you know, they come up with a legal front of, who are you? Why are you telling me this?
You know, kind of denial, denial, denial.
And in a lot of cases, it's almost impossible to track down who do you even notify at a
company.
It's to the point now where we're seeing large companies actually ignore victim data in their
research, purposefully not crack it open because they're worried
somewhere in their contracts they might have a requirement to notify their customers.
We're even seeing this with law enforcement to a certain degree, where law enforcement
may come across dark web research.
Nobody's running to notify victims anymore.
And I think this is a real sea change in what we've seen because it's too much work and
it's too hard to get a hold of people.
And frankly, even when you tell them, sometimes they push back and they're not nice about it.
What's the solution here?
I mean, is this something where you engage with somebody who does threat intelligence to keep an eye on the dark web for you?
I think that's a component of it.
I think having relationships with law enforcement in your community, with intel agencies. But if you don't know anybody, nobody's going to call.
I'll give you an example, Dave.
We had a situation where somebody called me up, and it was a situation at a hospital.
And it's like, hey, look, I don't know anybody there.
You guys are in lots of hospitals.
Can you help me out?
Because, you know, this thing's about to happen, and it's not going to be good.
I was like, absolutely.
So, you know, we had contact information.
We called up. We notified them, and then we get yelled at. We got yelled at because, you know,
you shouldn't be the one telling us. Why isn't so-and-so telling, like, all right, well, sorry,
I tried to do a good thing. I had another situation. Yeah, it's a no-win. It's a no-win. Or I had
another situation where it was a university and, you know, we didn't know who to
call. So we called their IT help desk and they didn't know what to do with it. They transferred
us to the public safety department where we spent like an hour on the phone talking with a campus
safety officer about a ransomware incident that was about to happen. And, you know, these are the
types of challenges you get into. And why I think what you have to recognize as the potential receiver of this
is to make sure, one, you've got the relationships,
you've got somebody looking at your,
you know, kind of your six on this,
but also have a way to receive this data
where somebody is going to be willing to call you.
Yeah, it strikes me too,
that if you're getting a cold call from someone,
there's every reason to be wary
that they might be a scammer.
They might be a scammer. They might be the bad guy. But here's the point. Have you trained the
people on your help desk so that when they get this call at two o'clock in the morning,
they actually know the questions to ask? Doesn't mean they need to give something away to a scammer,
but at the very least, they ought to have a script of what to ask. What's your name?
What's your contact information? Who's your manager? What company are you with? I mean,
really basic stuff of how to gather that information and then move it on up the flagpole.
Mm-hmm. No, it's good advice for sure. All right, Caleb Barlow, thanks for joining us. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Don't forget to check out this weekend's Research Saturday and my conversation with Tomislav Peričin from ReversingLabs.
We're discussing their research, Third Party Code Comes With Some Baggage.
That's Research Saturday. Do check it out.
Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Your AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.