Arm your security team.
The week that was.
Facebook discloses a breach.
Facebook disclosed Friday morning that it had been the victim of a cyberattack (ZDNet). According to Facebook CEO Mark Zuckerberg, the company discovered Tuesday that attackers had obtained access tokens that could get them into roughly fifty-million people's accounts. The vulnerability the hackers exploited has been patched—it involved the "View As" feature, and arose during upgrades made in July of 2017. The investigation is still in progress, of course, so there's not even a preliminary attribution. Facebook has involved law enforcement, and they want their users to know that they regret the attack. The news has already prompted calls for more regulation (TechCrunch).
Who’s Using a Cloud Browser? You might be surprised...
Chinese influence operations.
President Trump at the UN this week complained of Chinese interference in elections. The White House clarified with a list of propaganda and influence operations that are generally and uncontroversially attributed to the Chinese government, which caused some to sniff that this hardly amounts to "interference" in the strict sense of the word (Washington Post). Fair enough, although it's not clear that the St. Petersburg troll farmers of the Internet Research Agency are engaged in anything more than that either, and they've attracted plenty of stick.
In any case, Congressional Democrats would like an intelligence briefing on the matter (TheHill). Many regard the US shot across China's bow at the UN as a volley in the trade war between the two countries (Atlantic Council). EclecticIQ has published an overview of threats to elections that, while focused on the US midterms, also takes a broader view. They note that there's good reason to believe Chinese operators have worked to influence recent elections in Cambodia, for one.
Create a culture of cybersecurity awareness with Coachable Moments.
Campaign security: Putin on the Ritz.
For all the public action and woofing by legislators and state election authorities in the US, many political campaigns themselves seem to have slid into a state a learned helplessness about the possibility of securing themselves against hackers. It's difficult and it can be pricey (Olympian).
DefCon's Voting Village came to the US Capital this week, and their demos have been busily scaring people about election security (Ars Technica). Some dismiss it as showboating, but a number of experts think the Voting Village is on to something (Cipher Brief).
Optimize your security teams with threat intelligence.
Novichok investigation update.
Both of the men British authorities hold responsible for the nerve agent attack in Salisbury have so far been known by their pseudonyms, "Ruslan Boshirov" and "Alexander Petrov." Boshirov has now been identified (Times). He's GRU Colonel Anatoliy Chepiga, an officer thrice deployed to Chechnya during seventeen years' service as a Spetsnaz goon (TheHill). He was also awarded the order Hero of the Russian Federation in 2014 "by decree from the Russian President" for "peacekeeping," which probably means hybrid warfare against Ukraine. Chepiga's alma mater, the Far Eastern Military Command School, has his name and the award up on their memorial wall: his name is to the right of their statue of Marshall Rokossovsky (Bellingcat). It's worth noting that Hero of the Russian Federation is by custom awarded personally by the Russian President, the way the US Medal of Honor is also normally presented by the US President. This would seem to deprive President Putin of some deniability he's hitherto claimed. "Alexander Petrov" has yet to be identified.
2017 cyberattacks proved more numerous, sophisticated, and ruthless than in years past.
Consequences of terror attack in Iran.
Last weekend's horrific murders at a parade in the Iranian provincial city of Ahvaz have aroused Iranian public opinion (Foreign Policy). Tehran blames the Saudis, the UAE, and the US for the attack (Deutsche Welle). These countries deny any involvement (Reuters). Cyber conflict follows international conflict (CNBC), and increased Iranian cyber operations are to be expected.
Siri, where can I safely buy a pizza?
People have been noticing that Apple's Siri is suggesting debunked, conspiracy theories in Safari search results (Buzzfeed). This isn't because such theories are generally believed around Cupertino—although the skepticism about vaccination widespread among wealthy Californians might give one pause (Atlantic)—but rather because search algorithms are (inevitably?) imperfect. There's also evidence fringe types are gaming the results: they try to own more obscure search terms, thereby driving traffic toward their preferred results (Data and Society). "Data voids," researchers call these interstitial opportunities.
Twitter will attempt to establish a policy against "dehumanizing" speech, that is, speech that denigrates certain classes of humans as other-than-human: as insects, vermin, demons, monsters, etc. (WIRED). The social media platform explains how it develops its policies (WIRED), and will take input from anyone, beginning immediately (TechCrunch).
The attraction of machine learning has also drawn enterprises in swiftly without, many say, due consideration of the technology's implications for data handling, privacy, and so forth (Infosecurity Magazine). And everyone who likes content moderation also likes artificial intelligence for the help it would seem to promise (Forbes). The challenge is training AI to avoid our own flaws, biases, and blindspots, which promises to be comparably difficult to child-rearing. "Don't be like me, child; be better than me!" That work? Didn't think so.
An American GDPR, coming to a Congress near you?
Big Tech's testimony generally was favorable toward regulation, which they seem as bringing clarity and uniformity. A single national privacy law would be easier to deal with than fifty state laws (and throw in two commonwealths, three territories, and a Federal district to boot) (Washington Post). They also like the prospect of regulation reducing their own reputational exposure (Telegraph). Of course, the more onerous aspects of GDPR compliance, like the seventy-two hour breach notification requirement, are less popular. Whatever comes of it in Congress, getting a law through, let alone getting a law right, will be complex and challenging (Washington Post).
Apple pushed out various upgrades to MacOS Mojave with version 10.14 this Monday. Among the bugs addressed were several remote-code execution vulnerabilities (SC Magazine).
After receiving a customer backlash over an enhancement that automated Chrome sign-in, Google has decided to give users an opt-out (TechCrunch).
Crime and punishment.
This Tuesday a Federal judge in Baltimore sentenced Nghia Hoang Pho, formerly of NSA's Tailored Access Operations organization, to sixty-six months in prison (US Department of Justice). He had, last December, taken a guilty plea to one count of of willful retention of classified national defense information. Mr. Pho had taken the material home with him and placed it on his personal computer, a device protected by Kaspersky anti-virus software. Russian intelligence services are believed to have exploited the Kaspersky product to extract the classified files, subsequently leaked as the Equation Group tools by the Shadow Brokers (SecurityWeek). The incident not only disrupted US operations, but led to the Government-wide ban on Kaspersky security products (Radio Free Europe | Radio Liberty). It's a sad story: Mr. Pho is said to have felt he was falling behind at work and took some of it home to get a leg up on his tasks and earn better performance reviews. There seems to have been no question of treason, just negligence with home-brewed computing (New York Times).
Courts and torts.
Acting against a company for deficient cybersecurity, the US Securities and Exchange Commission (SEC) has obtained an agreement from Voya Financial Advisors to pay $1 million in fines over violations of the Safeguards Rule and the Identity Theft Red Flags Rule. The SEC says this is its first enforcement action under the Red Flags Rule (Securities and Exchange Commission).
Uber, the ride-sharing company and cover model for the gig economy, has agreed to pay $148 million in penalties for its 2016 data breach. Fifty-seven million people were affected by the breach, which took on a sleazy sheen amid allegations that Uber paid $100 thousand in hush money to hackers in exchange for their agreement to get it all on the QT. The settlement is the result of a multi-state investigation (New York Law Journal).
The UK's Financial Conduct Authority is preparing to fine Tesco Bank £30 million over the 2016 cyber attack that compromised forty-thousand of the bank's seven-million customer accounts. Tesco is negotiating for a lower fine (Computing).
Qualcomm is suing Apple, alleging that Apple illicitly passed Qualcomm chip designs to Intel (Ars Technica).
Estonia is bringing a suit for €152 million against Gemalto, alleging security flaws forced Tallinn to recall the Gemalto-produced national identity cards last year (Reuters).
Policies, procurements, and agency equities.
The US Cyberspace Solarium Commission, a body being formed on the analogy of the nuclear Solarium that worked out deterrence strategy during the Eisenhower Administration, continues to take shape. The Democrats have appointed two members: Representative Langevin of Rhode Island and former Representative Patrick Murphy (Democratic Leader Nancy Pelosi).
US Director of Central Intelligence Gina Haspel said this week that the CIA was returning to its traditional focus on nation-state rivals, shifting away from its preoccupation over the past decade and a half with transnational terrorism (Washington Post).
The US Congress is prepared to put the Department of Homeland Security in charge of Federal civilian cybersecurity (Washington Post). The Cybersecurity and Infrastructure Security Agency Act of 2017 would make it, formally, the lead civilian agency for cybersecurity.
Michael Brown, former CEO of Symantec, this week became head of the US Defense Innovation Unit (Defense News).
Fortunes of commerce.
It's come to light that US electrical utilities were warned last year that Kaspersky security software represented a potential threat. The North American Electric Reliability Corporation issued a Level 2 cybersecurity warning. As an expert says, "The optics are too bad" (E&E News).
Canada says it thought about banning Huawei gear but decided it doesn't need to, because Canadian security is that good (Globe and Mail).
Change-the-world funds that sprang up in Silicon Valley seem to be withering, apparently because of hubris, inexperience, internal acrimony, workplace misbehavior, and just too much money (TechCrunch).
Symantec's four-month-long investigation of its Norton unit's accounting practices has concluded. The company has determined that, apart from one transaction, it will not need to restate results. The internal investigation was prompted by concerns a former employee expressed (CRN).
Instagram's cofounders have left Facebook, which acquired the social media platform six years ago. They say they're moving on to a new chapter; reports suggest there were conflicts with Facebook over the degree of autonomy Instagram would be permitted (Wall Street Journal).
Thoughts about when a Government CISO should say goodbye to a cybersecurity contractor (Nextgov).
Google after all decided to send a top executive to testify before Congress (Washington Post). Chief Privacy Officer Ellison also met with Republican lawmakers Friday to address concerns that Google is actively engaged in viewpoint censorship. An interesting claim surfaced this week: apparently it was at the suggestion of Facebook that the Senate turned down Google's offer to send a senior vice president to testify about influence operations three weeks ago. The Senate wanted the C-suite, and Google declined, resulting in a bad, arrogant look for the company (New York Times). There's other trouble brewing in Europe. Controversy over Google's automatic Chrome login may provoke a fresh EU investigation into anti-competitive practices (Telegraph).
Advice to CEOs: lay off the Twitter, especially after a few bong hits (Motherboard).
A US Federal study of the Government's cyber workforce needs is in progress, Agencies have until this coming April to comply with the self-assessment mandated by the Federal Cybersecurity Workforce Assessment Act (Fifth Domain).
A study by (ISC)² suggests that a strong security culture makes hiring and retention of scarce cyber talent easier (Help Net Security). Universities are increasingly partnering with corporations to develop qualified cyber workers for the employment pipeline (Ed Tech). And, of course, people look to the machines for help, as they always will when labor is expensive and capital relatively cheap (Financial Times).
Mergers and acquisitions.
SAIC explains how its acquisition of Engility fits into the company's long-range plans (Defense News).
Investments and exits.
SolarWinds is planning a $500 million initial public offering (Seeking Alpha). Private equity shops Thoma Bravo and Silver Lake had taken the Austin, Texas, headquartered company private in October 2015, when they purchased it for $4.5 billion (CRN).
Dell may be shifting its path back toward being a publicly traded company, and is said to be considering a traditional initial public offering (IPO) instead of the tracking-stock acquisition it had been planning (Wall Street Journal).
Canberra-based security company ArchTIS has begun trading on the Australian Securities Exchange with the ticker symbol AR9. The company's flagship platform is its Kojensi secure content and collaboration software suite, which it offers in both the business-to-business and business-to-government markets (CRN).
Snyk, a UK start-up that offers a vulnerability detection solution for open-source code, has raised $20 million in a Series B round led by Accel and joined by existing investors Boldsmart Ventures and Heavybit (TechCrunch).
Singapore-based Keychain, whose Data Provenance Infrastructure applies blockchain technology to financial services' data security and operational integrity needs, has secured $1 million in funding. The round was led by Monex Ventures and IDATEN Ventures LLC, with participation by three undisclosed corporate investors (Markets Insider).
Mumbai-based security vendor Sequretek has raised a $3.7 million in a funding round led by Unicorn India Ventures, with participation by GVFL and Sharad Sanghi, MD & CEO, Netmagic. The company intends to enter both new verticals and expand to overseas markets, especially in North America, establishing a sales office in the US and an R&D center in Canada (Entrackr).
Source Defense, which offers a prevention solution for web-based supply chain attacks, raised a $10 million Series A round with participation by AllegisCyber, Jerusalem Venture Partners, Global Brain (of Japan) and Connecticut Innovations. The Israeli company will use the funding in part to open offices in the US and Israel in support of an expansive go-to-market strategy (Globe Newswire).
On Thursday DarkTrace announced that it had closed a $50 million Series E round. Vitruvian Partners led the investment, with participation by existing investors KKR and 1011 Ventures. DarkTrace, headquartered in Cambridge, England, and with offices in San Francisco, Darktrace is known for its Enterprise Immune System, which now features advanced protection against email threats and an autonomous response system for incidents in the cloud. The funding places DarkTrace's valuation at $1.64 billion, comfortably within unicorn territory (CNBC).
Nozomi, an industrial cybersecurity leader, has raised $50 million in a Series C round, with participation by Planven Investments, GGV Capital, Lux Capital, Energize Ventures and THI Investments. Nozomi intends to use the funds to increase sales and enter new markets (TechCrunch).
And security innovation.
LORCA, the London Office for Rapid Cybersecurity Advancement, has opened its search for its second cohort. The two big problems they're interested in are, first, finding ways of keeping employees aware of security threats so they can serve as an effective line of defense, and second, developing more effective ways of securing the supply chain (New Electronics).
The 2018 Cybersecurity Breakthrough Awards are out. Check the site for the companies and organizations named in each category.
This CyberWire look back at the Week that Was discusses events affecting Canada, China, Estonia, Iran, Russia, Saudi Arabia, United Arab Emirates, United Kingdom, United States.
On the Podcast
Research Saturday is up. In this week's edition we speak with researchers at FireEye about their investigation of FIN7, a threat actor that targets payment card data in the hospitality industry and elsewhere. FIN7 uses targeted phishing campaigns, telephone vishing and even a convincing front company to work their mischief.
© 2018 CyberWire, Inc.
Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story.