In today's podcast, we hear about the Paradise Papers, a trove of documents obtained from a Bermuda law firm that contain details not only about wealthy tax avoiders, but about investments as well. Kaspersky says that its antivirus software did, after all, copy files that weren't viruses. (But they were still bad files.) US Senate Majority Leader McConnell says tech companies should help the US retaliate against nation-states' cyberattacks. Dale Drew from CenturyLink with a call for introspection when considering cyber defenses.
Dave Bittner: [00:00:01:05] Remember you can become more than just a listener of the CyberWire podcast, you can become a supporter. Visit patreon.com/thecyberwire and find out how.
Dave Bittner: [00:00:13:00] The Paradise Papers, obtained from a Bermuda law firm, contain details not only about wealthy tax avoiders, but about investments as well. Kaspersky says that its antivirus software did, after all, copy files that weren't viruses. But they were still bad files. US Senate Majority Leader McConnell says tech companies should help the US retaliate against nation-states' cyber attacks.
Dave Bittner: [00:00:40:18] A few words about our sponsors at E8 Security. If you've been to any security conference over the past year, you've surely heard a lot about artificial intelligence and machine learning. We know we have. But E8 would like you to know that these aren't just buzz words. They're real technologies and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data.
Dave Bittner: [00:01:01:23] So go to e8security.com/cyberwire and let their White Paper guide you through the possibilities of these indispensable emerging technological tools. Remember, the buzz about artificial intelligence isn't about replacing humans, it's really about machine learning, a technology that's here today. So see what E8 has to say about it. And they promise you won't get a sales call from a robot. Learn more at e8security.com/cyberwire. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:39:00] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, November 6th, 2017.
Dave Bittner: [00:01:49:12] The long anticipated and much-feared document dump from Bermuda's Appleby law firm, specialists in offshoring who cater to very high-net-worth individuals, has dropped. 13, 400,000 documents are said to figure in the "Paradise Papers" leak, whose source remains unknown.
Dave Bittner: [00:02:07:06] Appleby has been preparing its clients since late last month for the exposure, which the law firm characterizes as "an illegal hack," not a leak, presumably thereby ruling out document theft by a rogue insider. The law firm began to prepare its response when it was contacted in October by the International Consortium of Investigative Journalists, who sought comment on the documents.
Dave Bittner: [00:02:31:03] Among those mentioned in dispatches are prominent UK public figures, including members of the Royal Family. Of interest to US audiences are documents that appear to show the way investment money from Russian oligarchs, and possibly the Russian government itself, passed into Silicon Valley. The New York Times reports significant Russian investment in both Facebook and Twitter going back as far as 2010, with the money coming from a variety of Russian sources through Yuri Milner. It eventually amounted to a bit more than 8% of Facebook and some 5% of Twitter. As the New York Times points out, there's nothing illegal about Russian entities, even state-controlled ones, investing in US companies.
Dave Bittner: [00:03:13:15] Facebook held its IPO in May of 2012. Twitter went public in November of 2013.
Dave Bittner: [00:03:19:21] The Paradise Papers episode is being widely compared to the Panama Papers leak, in which 11,500,000 documents taken from the Mossack Fonseca law firm were released to the public in 2015.
Dave Bittner: [00:03:32:12] We've received a number of comments on the Paradise Papers from industry experts. They've tended to see the lesson here as one of data security at law firms.
Dave Bittner: [00:03:41:06] Mark Sangster, VP and Industry Security Strategist at cyber security company eSentire drew particular attention to the incident's similarity to the Panama Papers.
Dave Bittner: [00:03:51:00] He said, quote, "The parallels of Paradise Papers to last year’s Panama Papers breach are obvious, however beyond the shock factor of the leaked data itself, what's more alarming is the depth and magnitude of this breach. Law and accounting firms should raise the alarm when it comes to their firm's cybersecurity rigor.
Dave Bittner: [00:04:09:04] "[The] Panama Papers may have been opportunistic, however it laid a blueprint for these kinds of attacks. It has shone a spotlight on tax operations in the Caribbean, and while the mechanics of the breach itself have yet to be revealed, it was clearly a targeted attack. Appleby took appropriate response steps in notifying their clients, but you can't insure this. This class of events demonstrates why law firms must protect their clients' confidential information. No amount of cyber insurance, data back strategies, nor business continuity planning can ever put this genie back in the bottle.
Dave Bittner: [00:04:43:21] "Law and accounting firms are particularly susceptible to ethical hacking and really, every firm should assume they'll be breached, because they will be breached. These firms house a treasure trove of sensitive data that when compromised can result in sometimes irrecoverable damage. This attack will have far-reaching impacts for those affected," end quote.
Dave Bittner: [00:05:03:16] We also received an emailed comment from Ilia Kolochenko, CEO of web security company High-Tech Bridge, who thinks this looks like a crime, whatever one might think of the high-profile victims. He observed, quote, "Seems that this is another major hacking case where intruders won't be found and prosecuted. Notwithstanding the allegations of wrong-doing offshore, a crime cannot be justified by investigation of unlawful activities. Victims should explore various legal avenues to claim damages, which may be quite significant," end quote.
Dave Bittner: [00:05:37:15] Law firms have become a very attractive target for cybercriminals, in Kolochenko's opinion. He notes, "Hacking of their clients is quite costly, will likely be detected and investigated, and almost certainly will cause very serious counter-actions," end quote. He thinks the legal sector may be disposed to rely on legal measures for protection, and their faith in that kind of defense, he argues, is misplaced. He said, quote, "Many law firms still carelessly rely on the law for data protection, but this is in vain. Paucity of financial resources and lack of qualified personnel preclude law enforcement agencies from investigating and prosecuting the vast majority of crimes committed in digital space. This creates a very dangerous atmosphere of unlawfulness and impunity in the Internet, undermining trust in the government and its ability to protect our society," end quote.
Dave Bittner: [00:06:29:13] Perhaps, he suggests, now is a good time to begin thinking about regulating data security in the legal sector. Quote, "Their data deserves at least the same level of protection as data of companies under PCI DSS or HIPAA compliance. Otherwise, visiting attorneys will become very risky," end quote. And, of course, no one wants that.
Dave Bittner: [00:06:52:18] Kaspersky says its security software copied files that did not pose a threat to the systems it was protecting, a development that doesn't look good for Kaspersky. CEO Eugene Kaspersky denied in an interview with Reuters that there's any impropriety in this. The files copied may not have contained malicious code, but the non-malicious files were, he said, part of larger, "suspicious" files. This is unusual. Typical industry practice is for antivirus software to leave files that aren't viruses alone, not to pull in other files that may allude to tools or contain clues about hacking. Many of its commercial partners seem to be cutting Kaspersky loose. The company has removed the names of sixty-seven "Tech Partners," including Amazon and Microsoft, from its corporate website.
Dave Bittner: [00:07:41:12] The US Senate Majority Leader, Senator McConnell, Republican from Kentucky, says Google, Facebook, and other tech companies should help the US retaliate against Russia for attempts to influence US elections in 2016. The Senator said, during a weekend interview with MSNBC, quote, "What we ought to do with regard to the Russians is retaliate, seriously retaliate. These tech firms could be helpful in having us, giving us a way to do that," end quote. So, marque and reprisal? We doubt it. Defense contracting? Well, probably.
Dave Bittner: [00:08:21:03] Now I'd like to tell you about a new White Paper from our sponsor Delta Risk. More than 90% of companies are using the cloud. Although the benefits are clear, moving to the cloud comes with new and unique security challenges. In the White Paper, Understanding The Challenges Of Cloud Monitoring And Security, Delta Risk cloud security experts outline the key methods organizations can adapt to gain clearer visibility into their network and critical assets.
Dave Bittner: [00:08:47:04] You can get your copy of the White Paper by visiting deltarisk.com/white papers-cloudmonitoring. Delta Risk LLC, a Chertoff Group company, is a global provider of cybersecurity services to commercial and government clients. Learn more about Delta Risk by visiting deltarisk.com. And we thank Delta Risk for sponsoring our show.
Dave Bittner: [00:09:15:05] And joining us once again is Dale Drew. He's the chief security strategist at CenturyLink. Dale, welcome back. You know, when it comes to cybersecurity it's easy to point fingers but you wanted to make the point today that perhaps it's worth looking inward.
Dale Drew: [00:09:29:08] Exactly. It's physician, heal thyself, right? And it-- and I think sort of the point here is that what we've been seeing is we've been seeing not only consumers but businesses sort of take steps to deactivate security controls within their infrastructure. De-install antivirus systems, not install patching, and so, you know, I've spoken to a large group of of people and I pointed the finger at them and said, you are the reason cyber crime is so successful. You're not following security practices. You're clicking on phishing email. You're hitting reboot later when a patch is ready to be installed and you're making it easier for the bad guy to compromise your system.
Dale Drew: [00:10:15:09] In fact, if you look at some of the recent very highly public attacks that have occurred, take Equifax as an example, they haven't occurred because of highly sophisticated sort of movie ready attacks, but they're taking advantage of a lapse in simple cybersecurity practices. The lack of patching, the lack of monitoring and the lack of simple password management. You know, admin admin, continues to be a very popular username and password pair.
Dale Drew: [00:10:45:00] We think that you just have to take care of the basics. I mean there's a lot of very sophisticated attacks occurring but a majority of them are happening through the basics. I also think for the most part security is boring. Real security is boring. It's really about monitoring your ecosystem, ensuring that you check all of your systems to ensure that they're in compliance with your policies and your practices and standards, to ensure that patches have been properly deployed, that you're scanning your systems. It's the basic fundamentals that are becoming more critically important because those are the things that sort of act as key bridges to breaking into the vast majority of your ecosystem. If real security was filmed as a movie, it'd be the most boring movie in the world.
Dale Drew: [00:11:35:00] And then the other point I'd say, you know, sort of related to this, is that there was a recent study done by Gartner on IT security spending and the basic conclusion was that if you were not spending more than 4% to 7% of your total IT budget to protect the company, you're really doing the company a disservice. So companies who don't have the resources to make bigger investment in security should really look to outsourcing their basic security components to third parties, cloud service providers or managed security providers.
Dale Drew: [00:12:07:04] They've got the staff, they've got the capability, they've got the certifications to be able to handle those basics, and so it might be time to solve the inward problem by also looking outward.
Dave Bittner: [00:12:19:15] All right, Dale Drew, thanks for joining us.
Dave Bittner: [00:12:24:08] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com.
Dave Bittner: [00:12:37:13] A reminder that I take part in a regular security segment on the Grumpy Old Geeks podcast. You can find that wherever all the normal podcasts are found, just search for Grumpy Old Geeks.
Dave Bittner: [00:12:47:24] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Artificial Intelligence & Machine Learning. This technology is popping up in everywhere in cybersecurity. Aside from sounding cutting-edge, what does it mean? What value does it add? Find out exactly how cool AI and machine learning are, and how small nuances in how each is used can make a big difference from E8, at e8security.com.
Delta Risk LLC, a Chertoff Group company, provides managed security services and risk management consulting to clients worldwide. Founded in 2007, Delta Risk offers expert knowledge around technical security, policy and governance, and infrastructure protection to help organizations improve their cyber security operational capability and protect business operations. Learn more at deltarisk.com.