CyberWire Daily - Whole Foods breached. Illusion gap and Windows Defender. Exposed AWS S3 buckets. Equifax incident response. Reality Winner proceedings.

Episode Date: September 29, 2017

In today's podcast, we hear that Whole Foods has been breached—if you've been to the taproom, look to your credit cards. An illusion gap could help bypass Windows Defender, says CyberArk. Microsoft says don't sweat the small stuff. A Mac firmware issue may be giving users a false sense of security. Equifax is offering a lifetime of free credit freezing, but observers are dubious. A study suggests there are still a lot of improperly secured clouds out there. ISIS and the Taliban resume their inspiration operations online. David DuFour from Webroot on the difference between Artificial Intelligence and Machine Learning. Guest is R.P. Eddy, coauthor with Richard Clarke of the book Warnings: Finding Cassandras to Stop Catastrophes. And alleged NSA leaker Reality Winner remains in custody, at least for now. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. Recorded Future's user conference RFUN 2017 comes to Washington, D.C., October 4th and 5th, 2017, bringing together the people who put the act in actionable intelligence. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. If you want to execute at machine speed, doesn't it make sense to see what the algorithms a good machine runs on can do for you? Check out sponsor Cylance.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Whole Foods has been breached. If you've been to the taproom, look to your credit cards. An illusion gap could help bypass Windows Defender, says CyberArk. Microsoft says don't sweat the small stuff. A Mac firmware issue may be giving users a false sense of
Starting point is 00:02:10 security. Equifax is offering a lifetime of free credit freezing, but observers are dubious. A study suggests there are still a lot of improperly secured clouds out there. ISIS and the Taliban resume their inspiration operations online. And alleged NSA leaker Reality Winner remains in custody, at least for now. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, September 29, 2017. Whole Foods disclosed that it's been hit with a breach that exposed customer pay card data. This is the second breach of a retailer to come to light this week. The other disclosure earlier this week involved the breach of Sonic's drive-in restaurants.
Starting point is 00:02:55 Whole Foods says the breach was limited, affecting only transactions at the tap rooms and sit-down full-service restaurants found in some of their stores. They also stressed that the breach did not affect their new corporate parent, Amazon, which purchased the upscale grocery chain on October 28th of this year. The breach was detected and reported by an unnamed third party. Researchers at security firm CyberArk have found an illusion gap technique that could enable attackers to bypass Windows Defender.
Starting point is 00:03:30 The technique essentially creates a pseudo-SMB server that presents a benign file to Windows Defender for inspection instead of the actual malicious payload the attackers are causing to execute on the victim machine. Microsoft says the danger is exaggerated. It's possible it could work, but, says Redmond, you'll have to click through lots of warnings to fall into the illusion gap. CyberArk says that when it reported the problem to Microsoft, Microsoft said that what CyberArk was describing was really a feature request and not a vulnerability, and so they forwarded the information to engineering. Microsoft told the Register that, quote, The technique described has limited practical applicability.
Starting point is 00:04:01 To be successful, an attacker would first need to convince a user to give manual consent to execute an unknown binary from an untrusted remote location. The user would also need to click through additional warnings in order to grant the attacker administrator privileges. Should the attacker successfully convince a user to carry out the manual steps mentioned,
Starting point is 00:04:23 Windows Defender Antivirus and Windows Defender Advanced Threat Protection will detect further actions by the attacker. Researchers at Duo Security have released results from their inquiry into Mac firmware vulnerabilities. They conclude that a large number of systems, including some running the most recent versions of macOS, are susceptible to exploitation. Evidently, the extensible firmware interface, EFI, in many devices, was not actually installing the security updates users thought they'd applied. Duo notes that firmware exploitation isn't easy and requires a relatively high level of sophistication on the attacker's part,
Starting point is 00:05:02 but the vulnerability is nonetheless a serious one. Some observers think it likely the problem extends into the Windows and Linux worlds as well. At midweek, Equifax's interim CEO has offered people affected by the company's breach a free lifetime credit freeze, with the ability to lock and unlock at will. A number of observers say that sounds good, but they doubt Equifax will be able to pull it off. New York's Department of Financial Services has subpoenaed the credit bureau as it continues to dig into the incident. If you've wondered at the number of breaches connected with unsecured data exposed in the cloud, Sky High Networks' research has a partial explanation.
Starting point is 00:05:43 The company's studies have led it to believe about 7% of AWS S3 servers worldwide are exposed because their users have simply configured them improperly. ISIS and the Taliban have each released new inspirational pieces online, as reverses on the ground push the terrorist organizations into cyberspace. The Taliban videos feature, among other things, clips of President Trump calling Afghanistan a complete disaster. The ISIS audio, no video for this one, purports to show the elusive ISIS leader al-Baghdadi repeating his familiar theme that the U.S. is growing weary of the war of attrition his
Starting point is 00:06:21 jihadists are waging. Al-Baghdadi, if it's indeed him, so far the audio is unconfirmed and there haven't been reliable sightings of him since November of last year, also praises North Korean nuclear threats and sees nothing but good as having come out of the bloodshed in the cities he enumerates, Mosul, Raqqa, Sirte, Ramadi, and Hama. All of these ISIS has either lost or is in the process of losing. As its physical territory shrinks, ISIS is expected to move its center of gravity to cyberspace. Turkish hacktivist group Aslan Neferler Tim claimed responsibility for Wednesday's takedown of sites belonging to Denmark's Ministry of Immigration and Ministry of Foreign Affairs.
Starting point is 00:07:05 The attacks were apparent retaliation for the immigration minister's remarks, praising Kurt Westergaard's famous cartoon depicting the Prophet Muhammad wearing a bomb as a turban. Some Ministry of Information sites remained inaccessible as late as yesterday. Alleged NSA leaker Reality Winner has petitioned to be released from pretrial confinement, but federal prosecutors want her to stay put. They quoted a number of the statements she's said to have made to the FBI special agents who arrested her, expressing her hatred of America, prompted by environmental outrage and triggered by her co-workers watching Fox News, and denying she removed the classified material she's
Starting point is 00:07:45 alleged to have given to The Intercept, while she explained at the same time how she smuggled it out. Her desire for release is said to be connected with her dietary restrictions being unmet in confinement. She keeps both vegan and kosher. The prosecutors call her a flight risk and a highly attractive target for recruitment by foreign intelligence services. Many in and around the U.S. intelligence community have called for a serious overhaul to the security clearance process. Most of the calls for reform have centered on the potential
Starting point is 00:08:15 continuous monitoring offers as a better, less expensive, and faster alternative to the current practice of regular reinvestigation. But as recent cases of leaks seem to suggest, the problems may run deeper than any easy technical fix can reach.
Starting point is 00:11:02 And joining me once again is David DuFour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back. You know, we talk a lot about machine learning and artificial intelligence.
Starting point is 00:11:40 Let's just start with some basics here. Explain to us, what's the difference? Hey, thanks for having me back, David. And yeah, this is pretty near and dear to my heart. ML is a subset of artificial intelligence, ML being machine learning, of course. And people do use them interchangeably. And I feel like I've lost that war. So around the office, I don't bother. But let's start with AI. AI is the field of trying to build technology so that it acts and behaves like something we know, like a human. Or maybe you want to build something that acts like a cat or a dog or something. But it's actually trying to behave in a way that mimics behaviors or the semblance of intelligence of some living thing. Those of us who are old enough may remember the old ELIZA program.
Starting point is 00:12:27 That's exactly right. And then machine learning is, in fact, a subset in the field of AI. But machine learning itself is focusing on building algorithms and models that consume data and analyze that data in a way that it can then learn from that data, make decisions about that data that maybe a human just from a sheer capacity perspective would not be able to see. So it provides potentially insight into large data sets that a human would not be able to do on their own just from the volume. What would be the thing that would make machine learning cross into being pure, true AI?
Starting point is 00:13:11 What you would potentially do, your AI unit, let's say it's a robot, is gathering volumes and volumes of data. And the whole AI component is trying to, let's just pretend like you're trying to make it act like a human. Its objective is to act like a human. And so it has all this feature functionality to mimic humans and know how to speak or how to respond. But the machine learning component of that would be to build models that take the input, potentially, let's say your question that you would say to the AI unit, the machine model would then analyze that question and try to determine the proper response, hand it back to the AI unit, which would then say that response. I see. So the machine learning is taking care of things under the hood, but the AI is the part that makes you think that you're talking to an intelligent being. That is exactly right.
Starting point is 00:14:04 Well, interesting stuff as always. David DuFour, thanks for joining us.
Starting point is 00:14:32 My guest today is R.P. Eddy. He's co-author, along with former White House National Security Council veteran Richard A. Clarke, of the book Warnings, Finding Cassandras to Stop Catastrophes. The book examines those who made dire predictions, were largely dismissed, but were later proved right, along with current experts in a variety of fields who are now making consequential predictions yet to be verified or disproven, as well as a framework for determining the likelihood that a modern-day Cassandra deserves a second look.
Starting point is 00:15:30 We realized that not only was Dick and those of us who were working on Al-Qaeda and Bin Laden pre-9/11, you know, largely ignored before 9/11, but that there was a whole series of other people in the world that had the same phenomena happen to them. And it turns out in Greek mythology, there's a character named Cassandra who suffered the similar fate where she predicted disasters. And in this instance, she foretold the fall of Troy, her hometown, and no one believed her. She saw it perfectly and no one believed her. And of course, the city burned to the ground and she got to watch that happen. And that frustration and that kind of curse, the curse of Cassandra, became something that was a little fascinating to us. fact there are Cassandras, I guess, is noteworthy. But if I can't help you find the next Cassandra, the next accurate predictor of doom, I'm not doing my job. So we didn't have a clue if they had things in common. So Dick and I split chapters. He would talk to one Cassandra.
Starting point is 00:16:33 I would talk to the other. And we found not only did they just seem to have a lot in common, but when we looked at the transcript and listened to the words, every single one of the proven Cassandras used two sentences, two identical sentences, almost word for word, even if it was in Japanese. One was, when I discovered this data, I wanted to be wrong. So I went to my colleagues and said, please show me that this isn't correct. So that was the first thing. All these guys are data driven and they didn't want this to happen. Right. And they went to verify their data with others. And in every instance, the other stock analysts, the other seismologists, the other experts on climate said, you're right. Then the second question or the second thing they
Starting point is 00:17:14 all said was, okay, so then when I took my data and brought it to the decision makers, I kept saying to the decision makers, why are you ignoring your own data? This is publicly available data. I'm not making this up. It's not proprietary. So we knew right away there was going to be a lot of correlation between these Cassandras. And as we dug in deeper and deeper and spent time with these amazing people, we realized it's not just about the characteristics of each one of those warners. It's also about what are they warning about? Who's the decision maker? And what are the critics saying? And so we came up with 24 different characteristics that describe when you basically need to ask the next question, when you need to dig deeper, when you shouldn't kick that person out of
Starting point is 00:17:57 your office, when you should take their warning more seriously. And I'll give you a couple that are interesting. We won't do 24, of course. But one that's fascinating is called the initial occurrence syndrome, we call it. And effectively, what we're saying there is a lot of these disasters were ignored by decision makers because they'd never happened before. Nothing like that ever happened before. A tsunami never breached a seawall and caused a near nuclear meltdown.
Starting point is 00:18:23 The chairman of NASDAQ never ran a $65 billion Ponzi scheme, etc. An Arab country never invaded another Arab country, and then Saddam invades Kuwait. So all these things, everything we talk about hadn't happened before. And it's very hard for decision makers to believe that something will happen that hadn't happened before. So one thing is initial occurrence syndrome. How do you deal with the issue of hindsight being 20-20? That it's easy to spot your Cassandras in the rearview mirror. How do you keep from cherry-picking your Cassandras, particularly in the past?
Starting point is 00:18:58 So David, you are the first person asking that question, and it is the obvious criticism of this book and no one has made it yet. So congratulations. So thank you very much. Hindsight bias, hindsight bias is a real bias. Right. And we talk a lot about biases in these books and I've just been waiting for someone to say, ah, the whole book's hindsight bias. It's an easy criticism. Thankfully, it's not right. If we go back and look at the seven people we picked as Cassandras, and there's some we didn't pick for this reason, we believe that they had a series of characteristics that at least going forward, if we pay attention to these characteristics, we'll know we shouldn't ignore them. They are proven technical experts. They are data driven. They think differently.
Starting point is 00:19:42 They are questioners. They're asking hard, hard questions. They have a sense of personal responsibility. It really matters to them that the message get out there. And finally, all of our Cassandras had this sense of high anxiety. They were going crazy that they weren't being listened to. So we think those characteristics mean that the folks that we said should have been listened to in the future, you'll be able to see them a little more easily. For those of us who are in cybersecurity, I'm thinking of that executive sitting in their office or that person sitting on the board. What's your advice to them for how to best handle when people come to them with these sorts of predictions? I think a really important
Starting point is 00:20:22 thing for any leader or any person or any spouse or any parent or any coach or anyone who's really interacting with other people and trying to have influence is first this understanding that your intuition is going to fool you time and time again because you're so bias-driven, right? We are bias-driven animals because 70,000 years ago or 140,000 years ago, depending on how you want to count the beginning of the current homo sapien brain, biases were actually useful and helped you survive. Certainly heuristics did. They don't anymore. So number one, you're going to make mistakes. Number two, realize it's very, very hard to get away from your intuition and bias. Number three, getting more to the book.
Starting point is 00:21:09 When that person walks in the door and starts telling you you have a real problem, ask the next question. It's something we've been teaching in the counterterrorism world for years. Ask the next question. Don't respond from your heart. Respond from your brain and dig a little deeper. And then you start getting in this book and the conclusion, we talk about what do you do? You don't have to say, all right, you're right. We're going to change the whole mission of the company and spend billions of dollars on this. You can begin to increase the surveillance on the risk, as long as you're specific about what you're looking for, and begin hedging. Our thanks to R.P. Eddy for joining us.
Starting point is 00:21:42 He is co-author, along with Richard A. Clarke, of the book Warnings, Finding Cassandras to Stop Catastrophes.
Starting point is 00:22:16 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
