In today's Daily Podcast we hear about the spreading Panama Papers tax evasion (or avoidance, or wealth hiding) scandal. US State Department databases may have unpatched vulnerabilities, and PII of Turkish citizens is posted online. We talk to SCADAFence about securing the manufacturing Internet-of-things, and Markus Rauschecker from the University of Maryland Center for Health and Homeland Security tells us about how legal standards are established in cases involving cyber security.
Dave Bittner: [00:00:03:14] Governments around the world open investigations into the Panama Papers and the news organization that published them hints that there's much more to come. US State Department passport and visa databases appear to be vulnerable, but so far there seems no evidence of actual compromise. Turkish citizenship or residency data have been posted online. Israel braces for Thursday's annual Anonymous cyber action on behalf of the Palestinian cause. And there's another guilty plea in the Silk Road case.
Dave Bittner: [00:00:34:06] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at cylance.com.
Dave Bittner: [00:00:57:05] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, April 5th, 2016.
Dave Bittner: [00:01:03:08] The Panama Papers, leaked either by an insider or by an external hacker, no one is quite sure yet, although most speculation centers on an inside whistle-blower, suggest that Panamanian law firm, Mossack Fonseca, had ties to some 215,000 offshore shell companies. 14,153 names have been linked to the law firm and those shell companies. The general consensus is that their activities were aimed at evading taxes and hiding wealth. The law firm denies any wrongdoing and, indeed, it remains unclear which, if any, laws were broken but the optics, as they say, are very bad indeed. Several governments, including those of Australia, Austria, France, Germany, the Netherlands, Sweden, and the United States have opened formal investigations.
Dave Bittner: [00:01:50:14] As the leaks work their way through the global press, Iceland's government seems to face particular difficulties. The country's prime minister, the finance minister, and its interior minister have all been mentioned in the leaked documents.
Dave Bittner: [00:02:03:14] International soccer is also getting a black eye from the leaks, with FIFA officials and high-profile players appearing connected to various tax evasion schemes.
Dave Bittner: [00:02:13:10] No prominent Americans appear to be named in the leaked documents, but as the New York Times reports, this may say more about US laws governing formation of shell companies than it does about a culture of rectitude. Americans, an economist with the Tax Justice Network, told Fusion, "don't really need to go to Panama."
Dave Bittner: [00:02:32:05] Whatever the outcome of ongoing legal investigations prove to be, the incident should serve as another cautionary tale about the importance, and difficulty, of securing sensitive information. All law firms, whether shady or sunny, should take note.
Dave Bittner: [00:02:47:19] And another thing to note: Süddeutsche Zeitung, which broke the story, said yesterday, in effect, you ain't seen nothing yet. There are more leaks to come. Because Süddeutsche Zeitung commented that more leaks were on the way in response to a question about why there seemed to be no prominent Americans among Mossack Fonseca clients, there's general speculation that such names will appear in a subsequent tranche of data. In the meantime, a Russian government spokesman dismisses the affair as an artifact of US-driven "Putinophobia."
Dave Bittner: [00:03:19:12] This Thursday, April 7th, will mark the Anonymous collective's annual day of cyber protest against Israel on behalf of Palestinian interests. These operations have tended to fizzle in the past, but sites likely to be hit are working on their precautions.
Dave Bittner: [00:03:34:16] Internal audits have determined that a US State Department database with information on more than 290 million passports, 184 million visas, and 25 million US citizens living abroad is vulnerable to compromise. Sources say the vulnerabilities have not yet been addressed, but the State Department says there's no evidence of actual compromise.
Dave Bittner: [00:03:55:10] There is, however, plenty of evidence that one or more Turkish government databases have leaked, as names, addresses and identification numbers of more than 49 million Turkish citizens have been posted online. The worst case is that this is a compromise of the national citizenship database. A somewhat better case is that the information is a compendium of residency databases already leaked some time ago. Investigation is underway.
Dave Bittner: [00:04:21:00] Google issued its monthly patches yesterday. Eight critical vulnerabilities were addressed, among them a fix for a bug being exploited in the wild to root Nexus 5 phones. Zimperium discovered the issue and privately disclosed it to Google on March 15th of this year.
Dave Bittner: [00:04:37:01] In industry news, Dell SecureWorks is preparing for an initial public offering later this month. Investment analysts rate the prospects of the spin-off as shaky. Revenue has been disappointing and there are doubts about the company's ability to stand on its own. IBM continues to lay off workers. Operations in Canada, Europe, and Australia are affected by this round, but more layoffs are also expected in the US. Analysts believe the final tally may reach 14,000 lost jobs in the current fiscal year.
Dave Bittner: [00:05:07:01] Palo Alto expands its partnership with other cyber security companies, as Recorded Future and ProtectWise both join Palo Alto Networks Technology Partner Program. Palo Alto and PwC's Cybersecurity and Privacy practice have also announced their intent to jointly develop a new security architecture for their customers.
Dave Bittner: [00:05:27:11] A Bitdefender study suggests that the greatly expanded attack surface the smart home presents may make the IoT, at least over the near term, a significant consumer security headache. As observers continue to worry about this, we spoke with industrial control system security experts from SCADAFence about threats to manufacturing processes. Yoni Shohet is CEO at SCADAFence.
Yoni Shohet: [00:05:49:15] In the past few years, these networks are becoming more and more connected to external environments and it exposes them to new cyber threats. I think the challenges that are facing SCADA are unique not because of vulnerabilities or zero-days that exist inside specific devices or specific protocols, but more about a general problem that these networks, because they were isolated for so many years, they're far behind what we see today as common best practices inside the IT world.
Yoni Shohet: [00:06:22:04] There might be ongoing attacks that we're just not aware of because some of the companies, and most of the companies, do not have today the proper monitoring and protection capabilities installed inside their environment.
Dave Bittner: [00:06:34:01] SCADAFence's website is scadafence.com.
Dave Bittner: [00:06:39:02] Finally, here's another Silk Road guilty plea. "Dr. Clu," a.k.a. Brian Farell told the Feds before copping his plea, "You're not going to find much of a bigger fish than me." Mr. Farell was Silk Road's 2.0 sysadmin, which is more than krill, to be sure. The big fish will receive up to eight years in a Federal tank.
Dave Bittner: [00:07:04:16] This CyberWire podcast is made possible by the generous support of ITProTV, the resource to keep your cybersecurity skills up to date with engaging and informative videos. For a free seven day trial, and to save 30%, visit itpro.tv/cyber and use the code cyber30.
Dave Bittner: [00:07:29:24] And I'm joined once again by Markus Rauschecker. He's from the University of Maryland Center for Health and Homeland Security. They're one of our academic and research partners. Markus, from a legal perspective, what are the standards that courts look to for cases involving cybersecurity?
Markus Rauschecker: [00:07:44:23] So it's really going to depend on the sector that we're talking about. If we're talking, for example, about the financial sector, courts had the opportunity to look at some legislation that's out there like the Gramm-Leach-Bliley Act, or PCI standards when it comes to payment card industry data security standards. So there'll be some established standards that courts will look to and apply to a case that they're adjudicating.
Markus Rauschecker: [00:08:10:16] Similarly, if we're talking about the healthcare industry, courts will look to HIPAA, the Health Insurance Portability Act, or the new high tech law. But the tricky part is really when we're talking about run of the mill negligence claims, a company will get sued for a data breach, the customer sues that company, claiming that company was negligent in not protecting their data, and then the question becomes what is the standard of care that a court will look to to try to decide this case?
Markus Rauschecker: [00:08:37:15] That's really problematic because, if we're not dealing with an industry where we have established a standard of care, then the court will have to look somewhere else. One area where our legal experts are thinking courts may go is to look to the NIST cybersecurity framework as establishing a set standard of care by which companies and other organizations should be acting when it comes to protecting their network.
Markus Rauschecker: [00:09:02:19] The NIST cybersecurity framework, is a natural direction for the courts to look because of the way that the NIST framework was established. You had thousands of experts from the government, from the private sector and academia come together and really agree to a common set of existing standards, guidelines and best practices in terms of what organizations should be doing to protect a network. So it's really a natural direction for courts to go to try to decide on a standard of care by which a company that suffered data breach should be judged.
Dave Bittner: [00:09:36:17] Markus Rauschecker, thank you for joining us.
Dave Bittner: [00:09:40:18] And that's the CyberWire. For links to all of today's stories, visit the cyberwire.com and, while you're there, subscribe to our popular daily news brief. Our editor is John Petrik, I'm Dave Bittner. Thank you for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Our technology is deployed on over 4 million endpoints and protects hundreds of enterprise clients worldwide including Fortune 100 organizations and government institutions.
This CyberWire podcast is made possible by the generous support of ITProTV: *the* resource to keep your cyber-security skills up to date with engaging and informative videos. For a free 7-day trial and to save 30%, visit itpro.tv/cyber and use the code CYBER30.
The Johns Hopkins University Information Security Institute provides the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the fields of information security and information assurance.