The CyberWire Daily Podcast 11.19.20
Ep 1218 | 11.19.20

Haunted virtual meetings. AWS APIs share vulnerabilities. US Intelligence Community conducts a post mortem on 2020 foreign election interference. Meet the future (a lot like the present, only more so).

Transcript

Dave Bittner: Hey, everybody. Dave here. Did you know that the CyberWire is the world's largest B2B cybersecurity podcast network? Each month, our popular programs reach over a quarter of a million unique listeners that care about cybersecurity, including some of the most influential leaders and decision-makers in the industry. More than 80% of our audience are part of the decision-making process at their organizations, and more than 70% reported checking out the sponsor's website after hearing an ad. The CyberWire is one of the best ways to grow your brand, generate leads and fill that sales funnel. From the Fortune 10 to emerging startups, we have options to help you reach your goals and to fit your budget. Our podcasts are sold out for this year, but we're now booking 2021 and beyond. Contact us today by visiting thecyberwire.com/sponsors to learn more. And tell them Dave sent you.

Dave Bittner: Ghosts in virtual machines. Cloudbursts in the forecast. The U.S. Intelligence Community is preparing a report on foreign election interference. CISA has a new interim director. A view of the threat landscape from Canada. Caleb Barlow from CynergisTek on reclassifying the internet as critical infrastructure. Our guests are Shai Cohen and Brooke Snelling from TransUnion on building trust in a digital consumer landscape. And a look into the near future.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 19, 2020.

Dave Bittner: IBM researchers have found and disclosed a vulnerability in Cisco's widely used Webex video conferencing service. IBM says it's a major user of Webex itself, which is why it looked into the code. The vulnerability amounts to the potential for haunting. Someone could join a meeting as a ghost, unseen among the participants but with full access to audio, video, chat and screen sharing capabilities. The ghost could remain in the form of an audio connection even after being detected and expelled. And the ghost could collect information on meeting attendees - full names, email addresses and IP addresses - without even being admitted to the conference. Cisco has patched the vulnerability, and users should apply the fix.

Dave Bittner: Researchers at security firm Palo Alto Networks have identified a class of Amazon Web Services APIs that are susceptible to leaking AWS Identity and Access Management users and roles in arbitrary accounts. The researchers say the risk of the vulnerability can be mitigated by following sound IAM practices. They may be familiar, but they're nonetheless worth a quick review.

Dave Bittner: Remove inactive users and roles to reduce the attack surface. Add random strings to usernames and role names to make them more difficult to guess. Log in with an identity provider and federation so that no additional users are created in the AWS account. Log and monitor all identity authentication activities. And enable two-factor authentication for every user and IAM role.

Dave Bittner: POLITICO reports that the U.S. Intelligence Community is preparing a report on foreign attempts to interfere in the 2020 U.S. elections. An unclassified version is expected to be publicly available in early January. Preliminary evaluations, according to NPR, suggest that foreign election interference was, as a Recorded Future executive put it, a Y2K event. That is, a widely feared event that never really materialized.

Dave Bittner: Y2K, for those of you too young or too distracted at the time to recall the late 1990s worries about the millennium bug, was a widely feared problem generally believed capable of disabling computers running legacy software written since the 1960s that identified the year in a date with the last two digits only - so, for example, not 1995 but '95. Once the calendar flipped over to 2000, the concern was the computer wouldn't know that it was the year 2000 and not the year 1900 and that any functions that were keyed to dates would be hopelessly out of kilter and that the effects of the date confusion would cascade throughout systems and networks with unforeseeable consequences, all of them bad.

Dave Bittner: What actually happened was really nothing much. The work to remediate the millennium bug caught some otherwise buggy software, and the money thrown at the problem enriched a lot of retired COBOL jockeys. Good for them, we say. But the widespread problems really never materialized. That seems to have been the case with foreign attacks on the 2020 U.S. election - widely feared, much prepared against and in the end, not enjoying much success. In 2020, the U.S. had two things going for it - an engaged CISA actively working with states and the private sector and a Cyber Command willing and able to engage forward.

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency has yet to update its leadership page. But multiple reports from, for example, POLITICO and CyberScoop say that CISA's executive director Brandon Wales will lead the agency on an interim basis. Director Wales joined the Department of Homeland Security in 2005 and has served there ever since, most recently as a senior career executive and CISA's third-ranking official. His interim appointment is generally regarded as auguring more continuity than change.

Dave Bittner: We're in the season during which cybersecurity firms offer their forecasts for the coming year. We'll be collecting some of those predictions here.

Dave Bittner: Today's include a comprehensive look at the current and future state of cybersecurity from the Canadian Centre for Cyber Security, a look at the evolutionary innovation cybercriminals' techniques are likely to undergo, especially with respect to ransomware, and a warning about the growing prominence of artificial intelligence in threat actors' tactics, techniques, and procedures.

Dave Bittner: The word from Canada is that, quote, "the number of cyberthreat actors is rising, and they are becoming more sophisticated," end quote. The Centre sees the thriving market for cybertools and a growing pool of criminal cyber talent as combining to produce not only more criminal actors but more advanced and aggressive cybercrime. They expect this trend to continue. And while cybercrime is the more prevalent threat to Canadian citizens and, really, people everywhere, the Centre points out the threat posed by the familiar four nation-states who've long troubled the Five Eyes - Russia, China, Iran and North Korea. These, the analysis says, will continue to represent the greatest strategic threat to Canada.

Dave Bittner: With respect to artificial intelligence and machine learning, the warning comes from a report prepared by security firm Trend Micro in collaboration with Europol and the United Nations Interregional Crime and Justice Research Institute. They see several accelerating trends that have already begun - the potential deep fakes bear for fraud and disinformation, vastly improved password guessing, bots successfully impersonating humans in social media and AI-supported hacking. Some of the new threats just over the horizon include successful automation of social engineering campaigns and the use of AI to manipulate cryptocurrency markets.

Dave Bittner: So the view of the future? A lot like today, only more so.

Dave Bittner: The global pandemic has forced many organizations into facing rapid transitions - enabling their employees to work from home, moving customer transactions online or shifting away from in-person meetings and conferences.

Dave Bittner: The Economist Intelligence Unit and TransUnion recently published a report that highlights digital transformation and which emerging technologies could present challenges for and increase fraud prevention, economic inclusion and consumer privacy.

Dave Bittner: The report is titled "New Dimensions of Change: Building Trust in a Digital Consumer Landscape." Shai Cohen and Brooke Snelling join us from TransUnion. We hear from Brooke Snelling first.

Brooke Snelling: TransUnion decided to partner with the Economist Intelligence Unit in order to survey a group of executives from around the globe - there were over 1,600 executives surveyed - in order to get some feedback on seven main trends that we saw in the areas of digital transformation and things that are happening globally in the world. From those surveys, we came back with kind of three key trends that we were going to focus on and created a global report to really speak to, this is what's happening in the areas of digital transformation, of new things happening in the world at large. And these are the kind of pain points that the executives are feeling. The end result of that survey was one major global report and then 10 individual country reports.

Dave Bittner: Well, Shai, let me switch over to you. Can you take us through some of the key findings here?

Shai Cohen: Yeah, I would say there are, like, three major findings - digital experience and transactions, biometrics becoming a big part or the main part of authentication, and using machine learning to actually prevent and detect fraud across all the different data elements that are coming into place.

Shai Cohen: Obviously, we kind of saw a gradual increase in online transactions regardless of the pandemic, but the pandemic kind of dramatically accelerated that. And also, as a result of just more customers transacting online, there is also a need, as a result, to protect, you know, many more transactions. So more ways of defending, providing consumer insight and detecting and preventing fraud are also coming into place. And the good thing is that, you know, as transactions are growing overall, we have more tools to kind of, you know, address the need to prevent and detect fraud.

Dave Bittner: Was there anything coming out of the study that was surprising or unexpected? Let me start with you, Brooke.

Brooke Snelling: Absolutely. I think there were a lot of things that came out of the study that surprised me. One of them was metrics around artificial intelligence, AI and machine learning. It was very interesting to me that 43% of the respondents believe the greatest benefit that AI would have to their organization was in the areas of fraud prevention and security.

Brooke Snelling: And as we kind of were delving into that, considering that really good AI really requires very good data, my favorite metaphor is as though you're cooking. You can have the best chef. You can have the best pots. You can have the best kitchen in the world. But if you're starting out with rotten tomatoes, your soup is going to be terrible. It doesn't matter. So you have to have that really good data and a really good team that knows what to do with the data. You have to have a lot of transactions to train on that data, and that requires resources.

Brooke Snelling: And so I feel like one of the things that we really found in this report was that businesses want this AI. They want to be able to use it for fraud and security, but they're feeling this pain of lack of resources and what is required to be able to use this AI and so to really be able to find those partners that have all that good data, that know what to do with that data to really enable businesses to use it for the purposes of fraud prevention and security in particular.

Dave Bittner: Our thanks to Shai Cohen and Brooke Snelling from TransUnion for joining us. The report is titled "New Dimensions of Change: Building Trust in a Digital Consumer Landscape."

Dave Bittner: And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great to have you back. I wanted to touch base with you about some of the things that we've learned as we've made our way through this pandemic journey and the importance of some of the things that we take for granted, you know, when we're talking about things like critical infrastructure. I know you have some thoughts here.

Caleb Barlow: Well, today, CISA defines 16 critical infrastructure sectors. And these are - well, honestly, Dave, they're kind of the critical infrastructure you'd define in a World War II world - right? - energy, health care, communications. I don't know about your household, but my critical infrastructure is things like Zoom, Twitter, email, Comcast, right? Maybe we - now, granted, Comcast is a good example. They actually are critical infrastructure because they're a communications provider.

Dave Bittner: Right.

Caleb Barlow: But what about Twitter, Dave? If the president of the United States uses Twitter as the primary means to communicate with the populace, whether you agree or disagree with some of the things he says, isn't that by definition critical infrastructure, especially when we now know that a 17-year-old can breach that and tweet other things? Like - and we've all talked about that breach of what could have happened, right? But do we need to think about these other areas as critical infrastructure? And, you know, we don't need to look any further than recent cyberactivity of companies like Zoom, right?

Caleb Barlow: Zoom is how we educate our children right now, how we go to work and how we have parties with friends - all on Zoom today - probably need to rethink about how important applications like that are to us. We talked about Twitter. What about Garmin? Now, here's another interesting example - right? - so in the case of Garmin that went down with a ransomware incident. But what is Garmin used for? Garmin is, for all intents and purposes, a life safety device. It's also, you know, a cool, little thing I wear on my wrist to - you know, to figure out what my workout looks like.

Dave Bittner: Right.

Caleb Barlow: But if I'm an aviator or a mariner, I depend on Garmin for my life. And, you know, maybe we need to rethink these things in a different way, because if that data can be manipulated, if it can be changed, if it can be accessed for ransomware, then there's a pretty good chance you can access this type of data to change it. And I'm not picking on Garmin specifically, but just think about this is an example, right? Now, Dave, I don't know if you know this, but I'm a lobsterman. I'm a big mariner. So - and that happens to be also where I listen to the CyberWire, is while I capture lobsters, right?

Dave Bittner: (Laughter) OK.

Caleb Barlow: But I got to tell you, there are some places I go with my boat that I wouldn't dare to go 20 years ago because there are rocks in certain areas, and I need to know exactly where I am. And if I know where I am, it's great cruising. And guess what? That's where the good lobsters are.

Dave Bittner: Right.

Caleb Barlow: But if I can't trust that, then my whole world changes in terms of how I think about it. And I guess my point here is, maybe there are some new critical infrastructures that we all need to think about coming out of COVID. I mean, the internet is probably the critical infrastructure of all critical infrastructures. And I would argue that, as a country, we don't put the type of thought we need to put into keeping that running like we put into the energy grid or like we put into hospitals or like we put into transportation. And maybe we need to change our point of view.

Dave Bittner: What would that look like in your mind?

Caleb Barlow: Well, so you get into a tough balance - right? - of, you know, this isn't going, oh, my gosh, bring in the regulators, and lock everything down. But it does mean we need to think about some things in new ways. I mean, probably a great example of this, looking at the Twitter breach as an example, is, how many employees there actually had access such that they could change and post on behalf of one of their clients? Simple separation of duties would have prevented that, right? You know, these various types of security provisions, expectations, third-party audits, maybe in some cases, regulatory formats - and I'm not necessarily saying that's the way to go. But the point is, we've got to stop thinking about Facebook and Twitter and Amazon as social media apps or places where I buy things. We've got to start thinking about these things as the lifeblood of our economy, the lifeblood of who we are, because if they go down, we're down.

Dave Bittner: Yeah.

Caleb Barlow: I mean, what would your life be like during this pandemic, Dave, if you didn't have the internet? You couldn't work.

Dave Bittner: No, I'd probably sleep more (laughter).

Caleb Barlow: What if you didn't have Amazon? Like, how different would your life be right now if you didn't have Amazon?

Dave Bittner: Yeah, I mean, I think these are all - I mean, it's an excellent point and something to be mindful of. I guess I worry that it could be a be-careful-what-you-ask-for situation. Because is it incorrect to say that with being categorized as critical infrastructure, there comes all sorts of regulatory regimes with that?

Caleb Barlow: Well, maybe we need to refine what critical infrastructure is. Maybe it's not about bringing in the regulators. Maybe it's about making sure that we have a contract of trust with these companies that, no matter what, they can protect our data, no matter what, they've got resiliency plans to keep on running. And look, there have been some amazing hero stories in here, too - right? - I mean, not for nothing. But let's give a little kudos to Amazon in this, in that, I mean, think of how much infrastructure runs on their servers - hasn't gone down, still working. I'm still getting my packages at home. And I'm ordering a heck of a lot more than I ever did before, right? I mean, so there are some amazing positive stories in this as well. But we really need to think about how critical different parts of our world are than a past generation. And we've got to flip the switch from World War II thinking to 2020 thinking.

Dave Bittner: All right. Interesting insights, as always. Caleb Barlow, thanks for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed because you're worth it. Listen for us on your Alexa smart speaker, too.

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.