Dramatically reduce the cost of FedRAMP, other compliance frameworks with automation
A new white paper details how automation techniques empower organizations to achieve FedRAMP in half the time of traditional methods and at significantly reduced costs. Learn how the demands of compliance are being transformed by automation, saving organizations of all sizes money, time, and redundant effort. Download the white paper explaining the benefits of new automation techniques pioneered by Coalfire and AWS.
The Week that Was.
April 27, 2019.
By the CyberWire staff
Sri Lanka's terror bombings, missed signals, investigation, and rumor control.
ISIS has claimed responsibility for the Easter massacres in Sri Lanka. A statement published by the jihadist organization's news agency Amaq says the bombings were retaliation for last month's massacre of Muslims at a New Zealand mosque, and were intended to kill Christians (New York Times). Sri Lanka's government believes the attacks were the work of local jihadists, acting with foreign support. Fears of radical inspiration and dangerously inflammatory rumor led authorities to block social media. The death toll stands at two hundred fifty-three, down about a hundred from earlier estimates (Washington Post).
Police have identified at least eight of the nine suicide bombers. One is believed to be the radical imam, Zahran Hashim, whose online sermons advocated extermination of unbelievers. He died at the Shangri-La Hotel in Colombo (BBC). Three were members of one of the country's wealthier families; the family patriarch is among those who've been arrested (Washington Post).
Authorities blame the domestic jihadist group National Tawheed Jamath (NTJ) for the attacks. The group hasn't claimed responsibility, but the government says NTJ planned a second wave of attacks that didn't come off (CNN).
Controversy in Sri Lanka persists over how clear warnings of an imminent attack could have been so generally overlooked. This isn't a matter of missing subtle clues, but of local police not paying attention to an alert passed through official channels. Foreign intelligence services, notably India's, are also said to have warned Sri Lanka that jihadist violence was in the works (New York Times). Tourists have been warned that more attacks are possible (Times).
A Look at Cybersecurity Effectiveness Through the Eyes of Industry Leaders
The subject of cybersecurity effectiveness has been a head-scratcher for decades. Do boards and business leaders understand the risks? Is security improving, barely keeping up with threats, or falling painfully behind? And if what has kept us secure has stopped working, what do we need to do to fix it? Brian Contos, CISO of Verodin, and his guests explore these questions and more on the Cybersecurity Effectiveness Podcast. Listen to the latest episode here.
The Christchurch Call would exclude extremist content from the Internet.
New Zealand prime minister Jacinda Ardern is finalizing a pledge to eradicate terrorist and violent extremist material from online platforms, following the Christchurch mosque massacre last month, which was livestreamed on Facebook by the gunman. The pledge, known as the "Christchurch Call," will focus on practical action to prevent this content from proliferating online. Ardern said this is a "global issue" that "requires a global response," and she says she's had "really positive" conversations with the CEOs of Facebook, Twitter, Microsoft, and Google about the matter. Ardern is partnering with French president Emmanuel Macron in the effort, and the two will host a summit in Paris next month to call on other countries and tech companies to commit to the pledge (Guardian).
Have Your Users Made You an Easy Target for Spear Phishing?
Many of your organization’s email addresses and identities are exposed on the internet, and are easy for cybercriminals to find. With email’s enormous attack surface, cybercriminals are able to launch potentially devastating social engineering, spear phishing and ransomware attacks on your organization. Try KnowBe4’s Email Exposure Check Pro for free today, and see how you can identify the at-risk users in your organization by crawling business social media information and hundreds of breach databases.
Another ransomware incident in the manufacturing sector.
Another manufacturer has been disrupted by ransomware: Aebi Schmidt, which makes airport maintenance and road-cleaning equipment and has operations in many countries (including the US). The multinational Swiss company's systems went down on Tuesday, with its European operations hit the hardest. TechCrunch reports that systems responsible for manufacturing were affected, as well as the company's email system, but the full extent of the attack is still unknown. It's not clear what type of ransomware was used. There's been initial speculation by outsiders that it might have been LockerGoga, the ransomware that interfered with operations at Norsk Hydro, which of course is possible, but at this stage such conjectures are based only on a priori probability. Aebi Schmidt has said little publicly, beyond telling TechCrunch that their Windows devices were hit, and that they've sent some employees home temporarily while they're recovering from the attack (SC Media).
Earn Your Master’s in Cybersecurity from Georgetown
Looking to advance your cybersecurity career? Check out Georgetown University's graduate program in Cybersecurity Risk Management. Ideal for working professionals, our program offers flexible options to take classes online, on campus, or through a combination of both—so you don’t have to interrupt your career to earn your degree. You'll leave the program with the expertise you need to effectively manage risks and navigate today’s increasingly complex cyber threats. Explore the program.
Instagram's password compromise is much worse than had been thought.
Facebook's email snafu is reminding people of the earlier password compromise its Instagram subsidiary experienced (HackRead). The social network discovered that hundreds of millions of Facebook users' passwords were being stored in plaintext on its internal development servers. The company initially said the problem affected tens of thousands of Instagram users as well, but that number was bumped up to "millions" on Thursday, a gain of two orders of magnitude of pain. It's not clear that these were compromised, but it's still unnerving.
TechCrunch and others pointed out that Facebook's apology, posted Thursday morning, may have been easily overlooked amid the interest in the release of the Mueller Report an hour later. The company also made the announcement by updating the old blog post from March, rather than releasing a new statement (Forbes). Many observers took this as an attempt to obscure or downplay the news.
Did you know that 91% of data breaches started with spear phishing?
With spear phishing being one of the most successful ways to compromise an organization, IT experts highly recommend regular phishing tests as an additional security layer. Phishing your own users is as important as antivirus and a firewall. It's also a fun and effective best practice for patching your last line of defense: your users. Find out today if your users are Phish-prone™ with KnowBe4's free phishing test.
US Federal Trade Commission scrutiny of Facebook.
The Federal Trade Commission is increasingly looking at personal sanctions for Facebook's CEO, Mark Zuckerberg, the Washington Post reported early Friday morning. The FTC is investigating the company to see if it violated its 2011 agreement with the FTC to shore up its privacy practices. Regulators are examining Mr. Zuckerberg's past statements on privacy to determine if he can be held personally responsible for a breach of this agreement. The thought of fining Mr. Zuckerberg himself has also gained support from some lawmakers, with Senator Richard Blumenthal saying such a measure "would send a powerful message to business leaders across the country." Facebook seems to believe it will receive a big fine from the FTC, perhaps up to $5 billion, and the social network told investors Wednesday that it had set aside $3 billion in anticipation of such a settlement. The company's share price seemed little affected, rising on strong earnings (Wall Street Journal).
Facebook's record of privacy mishaps is having an impact on its reputation. A poll by Threatpost found that 75 percent of security professionals express mistrust in the company. Such mistrust extends to related philanthropic and educational endeavors. The online learning platform "Summit," funded by the Zuckerberg family and developed by Facebook engineers, is facing growing resistance in schools across the country from students, parents, and teachers who say the technology leads to health problems stemming from too much screen-time and isolation from peers (New York Times).
On Thursday it was revealed that the social network was drawing fresh scrutiny from regulators in Ireland, Canada, and New York State (TechCrunch).
Bots, trolls, and the news cycle.
SafeGuard Cyber has kept an eye on the bots' reactions to the Mueller report's release on April 18th, and they've emailed us that they've seen a retrospectively unsurprising spike in bot activity. Specifically, they saw a 286% increase in Russian bot and troll activity on Twitter when compared to April 17th. They also found a rise in the overall number of unique bots and trolls: 48% from the previous day. "Mueller" was much on their mechanical minds: the hashtag #mueller saw a 5000% increase in its usage. The top five hashtags were #mueller, #muellerreport, #trump, #barr, and #russia. SafeGuard sees this as an instance of the bots' remaining "dormant until a particular topic or event...aligns with their disinformation campaign."
Crime and punishment.
MalwareTech, that is, Marcus Hutchins, took a guilty plea last week in a US court. He could face up to ten years in prison (ZDNet). His case has been controversial in that he had been hailed as something of a hero for finding the WannaCry kill switch. Unfortunately he also wrote and sold malware, specifically the banking malware Kronos, before turning to white hat research, and that's what drew the attention of US prosecutors. He's a British citizen, and there's been some ritualistic grumbling across the pond about the British Bulldog becoming a Yankee Lapdog. More serious, however, is the kind of reduced-capacity defense he himself cited in extenuation and mitigation. He regrets that he acted like a jerk, but then he was, after all, a teenager, and he's learned and grown since (TechCrunch). He's received some sympathy on those grounds, but most observers seem to believe that distributing Kronos requires some expiation.
Courts and torts.
Sentiment rises for antitrust action against Big Tech, and especially against Facebook. A paper by technology entrepreneur Dina Srinivasan, summarized at the Institute for New Economic Thinking, lays out a series of arguments in support of using antitrust law to bring back competition. Central to Srinivasan's point is the fact that Facebook's behavior changed significantly after the exit of its final competitor in 2014. In the ten years preceding this point, privacy was one of Facebook's marketing points. In 2014, however, the company drastically ramped up its data collection practices, which it then used to cement its control over the social network market (BoingBoing).
Hacking Team had been engaged in a lawsuit against one of its former employees. He's now in Singapore, which is where the suit was adjudicated. Hacking Team won, but not much: they're now owed a thousand dollars (Straits Times).
Facebook has filed suit in a US court to shut down a New Zealand-based follower-buying service (TechCrunch).
Policies, procurements, and agency equities.
In the US, the NSA is said to have recommended that its post-9/11 phone surveillance program be scuttled. It's just too costly in resources, especially those devoted to compliance. And it hasn't proven particularly valuable, either (Wall Street Journal).
The European Union's revised Payment Services Directive (PSD2), which comes into effect in September, will require that online transactions of more than €30 (about $33.66) use two-factor authentication, which will create unique authentication codes linking each transaction to a customer and the transaction amount. Consulting firm Aite Group and fraud prevention company Iovation say that while the requirements only specify transactions that take place within Europe, the law could be applied to international merchants. Aite and Iovation believe similar standards will quickly become the norm in the US as a result of the PSD2, since fraud rates will likely rise outside of Europe, and because international companies will have already adopted the payment technologies necessary to comply with the European law (CSO).
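To make concrete what "authentication codes linking each transaction to a customer and the transaction amount" means in practice, here is an added example (not from the CyberWire article, Aite Group, or Iovation) that binds a one-time code to the customer, the payee, and the exact amount with an HMAC, so a code issued for one payment cannot be reused for another amount or replayed. The per-customer secret, account identifiers, and amounts are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of PSD2-style "dynamic linking": the code shown to
# the customer is an HMAC over (customer, payee, amount, nonce), so changing the
# amount or payee, or replaying an old nonce, invalidates it.

SCA_THRESHOLD_CENTS = 3000  # the €30 threshold cited in the article

def requires_sca(amount_cents: int) -> bool:
    """Strong customer authentication is required above the €30 threshold."""
    return amount_cents > SCA_THRESHOLD_CENTS

def canonical_message(customer_id: str, payee: str, amount_cents: int, nonce: str) -> bytes:
    # Fixed field order and separator so issuer and verifier build identical bytes.
    return f"{customer_id}|{payee}|{amount_cents}|{nonce}".encode("utf-8")

def issue_code(secret: bytes, customer_id: str, payee: str, amount_cents: int, nonce=None):
    """Issue an 8-digit one-time code bound to this exact transaction."""
    nonce = nonce or secrets.token_hex(8)  # fresh per transaction
    mac = hmac.new(secret, canonical_message(customer_id, payee, amount_cents, nonce),
                   hashlib.sha256).digest()
    # Truncate to 8 decimal digits so it can be shown to the customer.
    code = f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"
    return code, nonce

def verify_code(secret: bytes, customer_id: str, payee: str, amount_cents: int,
                nonce: str, code: str, used_nonces: set) -> bool:
    """Recompute the code for the transaction as actually submitted."""
    if nonce in used_nonces:
        return False  # replay of an already-consumed code
    expected, _ = issue_code(secret, customer_id, payee, amount_cents, nonce)
    if not hmac.compare_digest(expected, code):
        return False  # amount, payee, or customer was altered after issuance
    used_nonces.add(nonce)
    return True

if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # constructed per-customer secret
    code, nonce = issue_code(secret, "cust-0001", "merchant-ACME", 4500)
    used = set()
    print("tampered amount:", verify_code(secret, "cust-0001", "merchant-ACME", 9000, nonce, code, used))
    print("genuine:", verify_code(secret, "cust-0001", "merchant-ACME", 4500, nonce, code, used))
    print("replay:", verify_code(secret, "cust-0001", "merchant-ACME", 4500, nonce, code, used))
```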
The European Parliament has also approved a plan to create a centralized identity database for all non-EU citizens in the Schengen zone, which consists of twenty-six European countries. The database, called the "Common Identity Repository" (CIR), will contain names, addresses, fingerprints, and photos of around 300 million people, which regulators believe will assist law enforcement in tracking terrorists and criminals across borders within the visa-free zone. Asylum seekers, applicants for short-stay visas, and people with criminal convictions in the EU are of particular interest in the compilation of the database, the principal goal of which is the enhancement of physical security (Infosecurity Magazine). Critics of the plan cite potential privacy violations, as well as the fact that such a database will naturally attract hackers. Their objections were summarized last year by the Article 39 Working Party.
Fortunes of commerce.
The Times last Saturday cited a UK source who claimed that the CIA shared intelligence on Huawei complicity in espionage with the other Five Eyes earlier this year. The source said that "the CIA awarded a strong but not cast-iron classification of certainty" to the intelligence (Forbes).
Huawei continues its charm-and-persuasion offensive, opening some facilities to journalists (Guardian). The company may have European telcos over a barrel, at least Qualcomm thinks so: the chipmaker's European chief said that a ban on Huawei gear would put the EU behind the eight ball (Telegraph).
Governments suspicious of foreign technology should ask to examine the products' source code, Eugene Kaspersky thinks. He says companies should follow Kaspersky Lab's lead and open transparency centers in countries around the world where their products can be analyzed to build trust and identify vulnerabilities (ZDNet). But this only works if the products in question hold up under external vetting, as Huawei learned to its cost when it opened source code to the UK's National Cyber Security Centre (NCSC). The NCSC expressed a low opinion of Huawei's security practices. They weren't malign, just extraordinarily slipshod.
Internet-of-things proliferation, especially with the IoT expansion expected to come with 5G, is likely to put further strains on an already tight security labor market (Infosecurity Magazine).
The US Cybersecurity Reskilling Academy is now accepting applications for its second cohort, and is now open to all Federal employees (Fifth Domain).
Mergers and acquisitions.
Dallas, Texas-based technical professional services firm Jacobs Engineering Group is buying KeyW, an engineering, technology, and cybersecurity company headquartered in Hanover, Maryland (Intelligence Community News). Both companies are heavily involved with the US intelligence community. The deal is valued at $815 million, including KeyW’s $272 million in debt, and will increase the number of employees at Jacobs with top-secret government access by 50 percent (Bloomberg).
Zacco, an intellectual-property software firm based in Copenhagen, has bought cybersecurity startup Lakhshya, which will now become Zacco's Indian research and development center (YourStory).
Cyemptive has acquired consulting service company Adaptive Technology Group. Both organizations are based in greater Seattle. The acquisition comes shortly after Cyemptive's emergence from stealth last month with a $3.5 million investment round (GeekWire).
Scaleups are high-growth start-ups, generally understood to be companies with at least ten employees and an annual growth rate exceeding 20%. They're increasingly valued by incubators and accelerators, as these are the businesses that return value to their early investors. The UK's Tech Nation network announced twenty UK scaleups accepted into its government-funded cybersecurity growth program (UK Tech News).
Virginia-based cyber accelerator Mach37 announced its 2019 spring cohort. The six startups accepted into the program are FortMesa, Aryia, Malwork, Definitive Data Security, Quirk, and Simuna Infosec. FortMesa is a New York-based cyber workforce management company. Aryia developed a privacy-focused smart speaker powered by blockchain. Malwork offers a security assessment platform that matches companies with cybersecurity employees. San Francisco-based Definitive Data Security provides a secure SaaS platform for data management. Quirk, based in California, builds enterprise chatbots using artificial intelligence. Simuna Infosec is a security and risk assessment company based in India (Technical.ly DC).
New York City is determined to become a major cybersecurity hub. The city is funding numerous cybersecurity programs as part of its Cyber NYC initiative, and the city's partnership with NYU's Tandon School of Engineering has resulted in cyber fellowships at a considerable discount for domestic students (CSO).
Today's issue includes events affecting Australia, Canada, China, European Union, Ireland, New Zealand, Russia, Sri Lanka, United Kingdom, United States.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.