Misconfigured databases, again. Vulnerable subdomains. Dark web search engines. Troll farming. An update on the crypto wars.
Dave Bittner: [00:00:04] Virgin Media discloses a data exposure incident, another misconfigured database. Microsoft subdomains are reported vulnerable to takeover. A dark web search engine is gaining popularity and black market share. Researchers find that Russian disinformation trolls have upped their game. The crypto wars have flared up as the U.S. Senate considers the EARN IT Act. Tech companies sign on to voluntary child protection principles. And Huawei talks about backdoors.
Dave Bittner: [00:00:38] And now a word from our sponsor, ExtraHop - securing modern business with network detection and response. Cloud-native is a buzzword, but it's also a direction. IDC predicts that 70% of enterprise applications will be developed cloud-native by 2021. It's time for security teams to adopt the same agility and speed as their DevOps counterparts so they can secure multicloud deployments and enterprise IoT at scale. ExtraHop helps organizations like Home Depot and Wizards of the Coast detect threats inside their hybrid and cloud environments up to 95% faster and respond 60% more efficiently. Investigate an attack with ExtraHop in the full product demo of cloud-native network detection and response available online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:37] Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business. It's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:00] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 6, 2020.
Dave Bittner: [00:02:09] Virgin Media has disclosed a data incident in which some personal information belonging to about 900,000 customers was exposed. The company says it's taken steps to close the breach, which it attributes to an inadvertently misconfigured marketing database. The exposed data included what Virgin Media characterizes as limited contact information - that is, names, home addresses, email addresses and phone numbers. The company says no pay card information was compromised.
Dave Bittner: [00:02:40] The alert service Vulnerability claims that more than 600 Microsoft subdomains are susceptible to takeover. Forbes notes that while no exploitation has been seen in the wild, a proof of concept is out. Microsoft says it's working on a fix.
Dave Bittner: [00:02:56] Prompted by last month's U.S. federal indictment of alleged Bitcoin mixer Larry Harmon, Digital Shadows is tracking a dark web search engine - Kilos - that's gaining black market share. It comes with an Ask Me Anything page on Reddit, and the search engine administrator has also introduced a live chat feature to better serve Kilos users. As Digital Shadows looks at the service's probable future, that future looks bright in an appropriately dark sort of way. The researchers write, quote, "Kilos' growing index, new features and additional services combined could allow Kilos to continue to grow and position itself as a natural first stop for an increasingly large user base, whether it's to find and purchase illicit products, search for specific vendors, look for reviews or stay up-to-date on current news and updates on markets and forums."
Dave Bittner: [00:03:50] Super Tuesday may have gone off without much incident, but a recently released study by New York University's Brennan Center for Justice thinks the U.S. ought not relax its guard. The researchers concluded that disinformation operations directed against the 2020 election began last year and that the operators behind the IRA troll farm have returned, using many of the same accounts. The study finds that the trolls have gotten better at impersonating candidates and parties and are prepared to go beyond the simple amplification tactics seen so far. It will be interesting to see how successful exposure and blocking of such accounts will prove to be. Facebook, for one, seems to be devoting considerable attention to identifying and stopping coordinated inauthentic behavior. How Menlo Park and others do against the current versions of the St. Petersburg troll farms will be worth watching.
Dave Bittner: [00:04:42] The crypto wars have returned in a big way with the introduction of the EARN IT Act in the U.S. Senate, WIRED reports. Nominally a measure directed against child exploitation, opponents from an unusually broad ideological spectrum see it as a roundabout way of subverting encryption. Since no thinking person is likely to be actually in favor - at least, publicly - of child exploitation and abuse, doing something to protect the children has long been a reliable way of seeking support for a broad range of policies. It's worth noting that the crypto wars have been going on for a long time. Institutionally, in the U.S., the Justice Department has long provided the paladins of the anti-encryption forces; during the previous administration, former FBI Director Comey was the public face of what he characterized as responsible encryption within a framework of ordered liberty. That role now seems occupied by Attorney General Barr.
Dave Bittner: [00:05:38] The U.S. Justice Department also introduced a set of voluntary principles designed to control online child exploitation. Computing says that Facebook, Google and a number of other tech firms have signed on. There are 11 principles in total. They aim at getting companies to commit to preventing both known and new abuse from appearing on their services, to suppress advertising for such material, to report abusers and to craft terms of service in such a manner as to exclude child exploitation. They'll particularly target live-streaming, and they'll commit to finding better ways of protecting children online. They'll seek to limit the extent to which search engines throw up exploitative results. And, of course, the companies are asked to commit to cooperation and regular transparent reporting. The document suggests it has ministerial approval in all five of the Eyes. It will be interesting to see what the EARN IT Act would do for child safety beyond what conscientious adoption of the voluntary principles would; possibly more reliable evidence-gathering in criminal cases. But that alone seems unlikely to make EARN IT any friends on the other side of the crypto wars.
Dave Bittner: [00:06:47] And, finally, Huawei continues its charm offensive with a too-earnest-to-be-slick video in its Twitter feed that offers a sparkling little cadenza on what counts as a backdoor. Some backdoors, it says, are good, like those used for lawful interception of traffic. And there's no real cause to be concerned about these because they're used only by duly constituted authority for narrowly defined purposes. That, of course, is a conceptual backdoor big enough to drive a busload of Shenzhen operators through. So few commentators seem to have been reassured. Does Huawei have a point about backdoors? Well, sure. But as so often happens, the trees in this particular forest have stories that the forest itself knows not.
Dave Bittner: [00:07:36] And now a word from our sponsor, ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you'll know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:08:28] My guest today is Sherri Davidoff. Regular CyberWire listeners may recognize her as the protagonist and namesake of Jeremy N. Smith's book "Breaking And Entering: The Extraordinary Story Of A Hacker Named 'Alien.'" Sherri Davidoff is CEO of LMG Security, and her latest book is "Data Breaches: Crisis And Opportunity."
Sherri Davidoff: [00:08:49] I have been in cybersecurity for almost 20 years. And when I started off, I was handling incidents at MIT. I responded to an ad for people who wanted to stay up late and eat pizza and monitor the network. And it has just been amazing to watch the problem evolve, the challenges evolve and then the solutions as well. Back when HIPAA first came out and when it was first enforced in 2005, I was tasked with creating the first incident response policies for the Children's Hospital in Boston and working with other local hospitals to coordinate. So having watched the laws evolve and watched the response processes evolve has been fascinating. And I wanted to take the time to tell those stories, the really deep and fascinating stories about where data breaches came from and what the human dramas are behind them.
Dave Bittner: [00:09:39] Yeah, the book really has a lot of breadth to it. You cover a lot of ground throughout. One of the things that caught my eye is this notion that you present that data is the new oil. I found that particularly interesting. Can you describe to us - what are you going for with that?
Sherri Davidoff: [00:09:56] Sure. I wanted to find out where did data breaches come from, you know. As an author, you want to start from the beginning. What was the first data breach? And I managed to nail down when the term "data breach" came out - and I'll leave that to you to guess - but even before that, you know, the concept of data breaches had happened. And I went back to the '80s. And I found a giant data breach that had happened in the '80s. I managed to get some FBI files on that, so that newly released information is in the book. And that was with a subsidiary of Dun & Bradstreet. And at the time, Dun & Bradstreet was really excited about information. They said information is the new oil. And at that same time, the Exxon Valdez spill happened.
Dave Bittner: [00:10:42] (Laughter).
Sherri Davidoff: [00:10:43] And I think that was very poignant, just the fact that those were happening at the same time. And these days, you know, we don't as a society really know how to contain information, how to control information. It's like automobile repair shops 50 years ago, where they were just tossing oil and gas willy-nilly all over the place. The same is true with data. So we're in the early days of information management, still.
Dave Bittner: [00:11:05] Well, in addition to all of the really fascinating history that you lay out here in the book, there's a lot of forward-looking stuff as well. I mean, you're looking ahead at some of the potential threats for this coming year and beyond. Can we go through some of those together? What's on your radar as we look to the future?
Sherri Davidoff: [00:11:23] Well, we're seeing three big threats for the year 2020. No. 1, cloud breaches have been huge. And that's the last chapter of the book because I felt it was very forward facing. Cloud data breaches build on a lot of the supply chain risks that we've seen. And Capital One is a great example, where there was a simple misconfiguration in Amazon. And you're seeing our society wrestle with these questions about who is responsible. Is it the cloud provider? Is it the customer? There are certainly tools that cloud providers can give you that make it easier or harder to secure your data depending on the interface. And so cloud providers certainly share in that responsibility as well.
Sherri Davidoff: [00:12:00] As responders, we find it very challenging to respond to cloud data breaches. There's a lot of ins and outs. And I've laid out a lot of the best practices in my book about what to do if you have a cloud data breach. But there's a lot of ethical questions. Cloud providers are not always forthcoming with the data. Sometimes the data that you need to determine what an attacker got and what they didn't get isn't even there in the cloud. So we're really wrestling with these challenges as an industry.
Dave Bittner: [00:12:32] What other topics are you tracking?
Sherri Davidoff: [00:12:35] Well, we've seen some big changes in ransomware. Over the past few years, ransomware has become an epidemic. And traditionally, ransomware comes in, it locks up your files. And they say, OK, pay us and we'll give you the keys back. While it is true that if they have access to your files, they might also have stolen them, a lot of times, they don't actually steal your files. They don't actually take anything. They're simply interested in locking up your files and holding you for ransom. They don't bother exporting information from your systems.
Sherri Davidoff: [00:13:03] So that is sort of, I guess, a silver lining or some good news for anybody who's a victim of ransomware. Because if you pay and if you decrypt your data, there is a good chance that they didn't actually take anything. And you can do a forensic investigation to try to rule that out.
Sherri Davidoff: [00:13:19] What we're seeing now is multiple groups that are engaged in large-scale ransomware attacks that have shifted to a different type of extortion. So we saw this, for example, with the city of Pensacola, with the company Southwire. Southwire's a manufacturing company, and they were being held ransom for $6 million. So they said they weren't going to pay that. Presumably they had good backups. Hopefully they were able to recover their data. It did cause some outages. But the criminals, once they understood they weren't going to get their money, they published their data. They started publishing it online.
Sherri Davidoff: [00:13:54] And this has become their new business model for the Maze group that holds people for ransom, where if you don't pay to unlock your data, they will publish it. So that's what we call exposure extortion. There are different types of cyber extortion. If you're being held hostage and you're just trying to recover your data back, the availability is gone, that's a situation where you may or may not want to pay the ransom. You can wrestle with that question.
Sherri Davidoff: [00:14:19] But if you're being held hostage and someone is threatening you and saying, we're going to release your data unless you pay to keep us quiet, in my mind, an industry best practice, you should never pay that ransom because what is to stop them from coming back to you in six months and saying, hey, pay us again, we actually still have your data?
Dave Bittner: [00:14:37] As you were going through and doing the research for the book and you were putting it together, were there any particular things that surprised you, any information that you came upon that really stood out for you as perhaps being different than what you expected it to be?
Sherri Davidoff: [00:14:52] Absolutely. Every data breach I dug into had a deep story behind it. And my goal was to boil that down and to learn from it to provide these practical tips for today's responders. I think every organization needs to have a data breach response plan. So some of the key points that I found are, No. 1, every crisis is an opportunity. And it's important to remember that a data breach is a crisis. Back when you and I first started geeking out back in the day, when someone hacked into a system, that was not considered a data breach. The term "data breach" didn't even come out until later. And remember, you still have to guess when the term "data breach" came out.
Sherri Davidoff: [00:15:31] But when I first started at MIT, you know, and Blaster was coming out, Slammer was coming out, all these big viruses, we just cleaned them off of people's computers and moved on as soon as we had those back up and running. And it was only over time that people started to realize, oh, that information could be stolen. So the national government came out with a response framework, the NIST Incident Response Life Cycle. And that was really helpful back then. But it's clear that today, data breaches touch every aspect of your organization.
Sherri Davidoff: [00:16:01] Every single part of an organization can be touched when Equifax happens, when Capital One happens, whenever any of these mega breaches happens. And even small businesses can go out of business because of a data breach. So we need to start treating them in different ways. And that was my big fundamental finding, that data breaches need to be moved out of the IT department and treated as a crisis. And you have to include them in your crisis management planning systems. Every crisis is an opportunity to learn, to grow and to change.
Dave Bittner: [00:16:31] That's Sherri Davidoff from LMG Security. Her book is "Data Breaches: Crisis And Opportunity."
Dave Bittner: [00:16:38] And now a word from our sponsor, BlackCloak. Oh, come on, it's not like anybody actually needs this anymore. I mean, executives, in their personal lives, they're doing great. They all have advanced malware detection on all their devices. They're using dual-factor authentication everywhere. Their home networks are rock solid secure. And they never ever use a weak password. As for their families, little Luke and Leia and their significant other? Well, they're pillars in the cybersecurity community, right? Right? Right? Right? Right? You're right. I was dreaming there for a minute. The fact is executives and their families are targets. And at home, they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars' worth of cyber controls, hackers have turned their attention to the executive's home network and devices, which have little to no protection. BlackCloak closes this gap in your company's protection. With their unique solution, the cybersecurity professionals of BlackCloak are able to protect your executives and their families from hacking, financial loss and private exposure. Mitigate these risks that could lead to a corporate data breach or reputational loss. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit blackcloak.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show.
Dave Bittner: [00:18:05] And I'm pleased to be joined by Thomas Etheridge. He is the VP of services at CrowdStrike. Tom, it's great to have you on the show. We wanted to touch today on the notion of empowering business leaders to manage their cyber risk. What can you share with us today?
Thomas Etheridge: [00:18:22] Thanks, Dave. Great to be back. One of the things that we talk to our customers and prospects about, as well as C-suite executives that we address from a services perspective, is the fact that cybersecurity is one of the top five risks that most businesses face. However, it's one of the least understood from an executive or a board-level perspective. What we see is that most executives and leaders understand what impact things like, say, the China trade war have on their supply chain. But understanding the impact of a cyberattack and how that would impact the bottom line for most organizations is very challenging.
Dave Bittner: [00:19:04] Now, is this a situation where this stuff - the folks in the C-suite, having come up through business school and through their professional careers, you know, this isn't something that necessarily they interacted with all that much?
Thomas Etheridge: [00:19:19] Exactly. Most executives do not have the foundational knowledge in their tool belt, so to speak, about these types of risks. They understand geopolitics, global trade flows, macroeconomics. But understanding the risks and impact of a cyber event on their organization, that's not something that's taught in most business schools.
Dave Bittner: [00:19:42] And so for you, what is that process like when you're interacting with these folks? Are you serving as a translator?
Thomas Etheridge: [00:19:50] One of the concepts we talk to our clients about is the CIA Triad. Looking at risk from a cyber perspective in terms of confidentiality of information, the integrity of the organization and the availability of services and products that the organization may be taking to market. Using this lens to better understand cyber risk is a concept we talk to our execs about all the time. Thinking about what's going on in the market in, let's say, ransomware, how does that impact the availability of those products and services to customers of that organization?
Thomas Etheridge: [00:20:28] Looking at data loss and PII and what that impact would be in terms of confidentiality, those are the things that we try to educate execs and board members on in terms of looking at risk, in terms of the confidentiality, integrity and availability of services that they offer to their clients. We focus on teaching executives about the CIA Triad, making sure that they have a good foundational understanding, providing cyber risk reports broken down by confidentiality, integrity and availability, and being able to track security metrics through that CIA Triad lens.
Dave Bittner: [00:21:08] Now, are we at the point now where this is a conversation that is welcome from the board members, I mean, the understanding is that this is part of the day-to-day operations?
Thomas Etheridge: [00:21:21] I think most boards are starting to get on board with the concept that cyber risk is certainly one of the top five risks that organizations face. And they are investing in getting educated on the questions that they need to be asking leaders and the staff that run the business, as well as understanding what questions they need to ask of themselves in terms of investments and the redirection of assets to support improvements to cybersecurity preparedness and readiness.
Dave Bittner: [00:21:54] All right. Well, Tom Etheridge, thanks for joining us.
Dave Bittner: [00:22:02] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Look for us on your Alexa smart speaker, too.
Dave Bittner: [00:22:20] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:22:32] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Elliott Peltzman, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.