The CyberWire Daily Podcast 1.6.22
Ep 1489 | 1.6.22

Log4j and industrial control systems. Regulators consider the software supply chain. Malsmoke hits an old vulnerability. Social engineering via Google Docs. Call spoofing and robocalls.


Dave Bittner: ICS vendors address Log4j vulnerabilities. Regulators and legislators think about addressing issues in the software supply chain. Ransomware gangs were quick to exploit Log4shell. An old and patched Windows vulnerability is being exploited by the Malsmoke gang. Social engineering of Google Docs users is up. Mr. Klyushin pleads not guilty. Robert M. Lee from Dragos makes the case for salary transparency. Our guest is George Gerchow from Sumo Logic with new approaches for the modern threat landscape. And call spoofing is making robocalls moderately more plausible.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 6, 2022. 

Dave Bittner: Industrial control system vendors, like everyone else, have been examining their products for Log4j vulnerabilities, and they've been finding and fixing some. SecurityWeek has a useful and interesting summary of the ways in which the companies are working on the problem. 

Dave Bittner: The companies who found and disclosed issues include ABB, Honeywell, Phoenix Contact, Rockwell Automation, Schneider Electric, Siemens, Sierra Wireless and WAGO. Emerson, Johnson Controls and Moxa are still investigating, but they've published lists of products they've confirmed are unaffected. Inductive Automation, VTScada and COPA-DATA have confirmed to their customers that their products are unaffected. Most of the issues the companies have been finding are related specifically to Log4shell, but some of the other later and lesser vulnerabilities have also been detected and are similarly being addressed. 

Dave Bittner: Regulators and legislators are looking for ways of preempting the next widespread vulnerability and for the required responses and incentives for organizations to do better. U.S. Senator Gary Peters, Democrat of Michigan, chairman of the Senate Homeland Security and Governmental Affairs Committee, said yesterday that the Log4j issues showed the importance of mandatory reporting requirements. Defense Daily quotes the senator, "I remain concerned that we will likely never know the full scope and impacts of this widespread vulnerability or the risk posed to critical infrastructure. Our federal government still lacks the necessary insight to understand the threat facing our nation, protect our networks and impose consequences on malicious hackers," end quote. 

Dave Bittner: Media reactions to the U.S. Federal Trade Commission's advisory about companies' responsibility for fixing Log4j vulnerabilities has focused on the FTC's tough line and the commission's not-so-veiled warnings that businesses would be well-advised to get on with detection, remediation and disclosure, lest they get the Equifax treatment. 

Dave Bittner: The Equifax treatment, for any of us who might welcome a reminder, was a $700 million settlement which it received after what the FTC summarizes as the credit bureau's failure to take reasonable steps to secure its network led to a data breach in 2017 that affected approximately 147 million people. The FTC's reference to Equifax in its statement are a clear signal of how the Commission intends to frame any cases of slack, dilatory response to vulnerabilities that arise in the open source supply chain. 

Dave Bittner: Ransomware gangs have continued to exploit these vulnerabilities where they can, and a recent case indicates that you don't have to be either slack or laggard to be a victim. BleepingComputer reports that the Vietnamese cryptocurrency trading firm ONUS has declined to pay a $5 million ransom hoods demanded in a double extortion scheme. The vulnerability was in the Cyclos point of sale and payment systems server ONUS used. 

Dave Bittner: As an indication of the speed with which the criminals can move on newly available exploits, Cyclos delivered a patch for its systems on December 13, and ONUS promptly applied it. That was just four days after Log4shell was first publicly disclosed, but by then, it was already too late. The hoods had gained access to know-your-customer databases that contained personal information and hashed passwords. 

Dave Bittner: Turning from Log4j, there is another example of risk arising from failure to patch. But in this case, it really was dilatory, although it might be cruel to call it slack. Since November, the Malsmoke gang has been distributing Zloader banking malware via an old Windows flaw Microsoft patched back in 2013, Checkpoint reports. We said it would be cruel to call failure to patch slack because Microsoft made the patch available as an opt-in because of concerns about false positives flagging legitimate installers. 

Dave Bittner: ZDNet spoke to Microsoft about the issue and was told, quote, "we released a security update, CVE-2013-3900, in 2013 to help keep customers protected from exploitation of this vulnerability. Customers who apply the update and enable the configuration indicated in the security advisory will be protected. Exploitation of this vulnerability requires the compromise of a user's machine or convincing a victim to run a specially crafted, signed PE file," end quote. 

Dave Bittner: Microsoft, we note in disclosure, is a CyberWire partner. Applying the patch should protect users from this latest Malsmoke campaign. 

Dave Bittner: Security firm Avanan today warned of an increase in criminal exploitation of Google Docs. The attempts, which increased markedly last month, often proceed by posting comments to a Google Docs file which they then send to their intended mark. Comments show only the display name, not the email address, which makes it easier for the attacker to lull the victim into viewing and opening the content. 

Dave Bittner: Avanan recommends these precautions. Users should be encouraged to cross-reference email addresses when they receive Google Docs comments to ensure they are legitimate. If they're unsure, they should reach out to the legitimate sender and confirm that they indeed sent the document. It's always a good idea to follow some standard good practices, like inspecting links and looking for such telltale signs of social engineering as odd diction and nonstandard grammar. And use protection that secures the entire suite, including file-sharing and collaboration apps. 

Dave Bittner: Researchers at Talon this morning published an overview of the risks web extensions posed for users. Grammar and spelling checkers, password managers, ad blockers and other extensions tend to require extensive permissions, and those permissions in turn can be abused by malicious versions of the tools. 

Dave Bittner: Vladislav Klyushin, the Russian tech oligarch who faces charges in the U.S. over alleged trading on nonpublic information obtained by hacking, was yesterday denied bail by a U.S. federal magistrate in Boston, Newsweek reports. Reuters says Mr. Klyushin pleaded not guilty. His attorneys maintain that the charges are trumped up and that the U.S. wants Mr. Klyushin in custody to extract what he knows about Russian attempts to interfere with the 2016 U.S. elections. 

Dave Bittner: And finally, complaints about robocalls to the U.S. Federal Trade Commission increased by 25% over the past year, Reuters reports. Automation permits the scammers to operate on a large scale, and more widespread use of spoofing has lent the calls more initial plausibility than they would otherwise enjoy. So maybe the caller ID looks right, but when you hear that distinctive bloop - well, you know what you're dealing with. 

Dave Bittner: Let's do a bit of a thought experiment here. Imagine an organization with IT and security departments. Got it? OK. Now let's combine those two departments. Still with me? All right. One more thing - we're going to put the security folks at the helm and have IT report to them. Still with me? George Gerchow is chief security officer at Sumo Logic, and his team has adopted this very model. 

George Gerchow: When I first got started in this industry, security always came up through IT 'cause everything was about availability, and then you would roll out applications, critical or not, and then bolt security on afterwards. And I think that model has proven to be broken over the years, and we've seen an emergence over the last two or so that - while availability still matters 'cause, of course, everyone has to be able to access your services, that with supply chain attacks, ransomware and everything else that's gone on, security has to seamlessly be embedded into that availability. And so it just makes sense now to have sort of security leading the charge with designing these applications and how they're rolled out from the very beginning. 

Dave Bittner: And so how does that play out for you and your team there at Sumo Logic? 

George Gerchow: Yeah. So luckily enough, Dave, IT now reports into security at Sumo Logic, which, again, is, you know, part of the trend that we're seeing. And so we collaborate from the beginning, you know? So from the very start, whenever it's a, you know, IT business application or a SaaS-based productivity app or even in our AWS infrastructure, we design it, build it together, and we try to work in as much of an agile fashion as possible, meaning get out of the way. 

Dave Bittner: How do you approach this from a cultural point of view? I would imagine there are many organizations who, you know, considering an idea like this, would think to themselves, oh, my, we're going to have ourselves a little turf war here. 

George Gerchow: Bingo. You kind of just really hit the crux of this whole thing. Well, it really starts off with security and how we have to change, you know? So I'll give you two examples. The first one is, I think typically security folks have a background of being more naysayers, kind of blocking innovation because the nature of our job, wanting to make sure that all the I's are dotted and T's are crossed, when having it do that on the back end is tough. And so what we have to do now is shift left ourselves and really start adopting more of a development mentality and start moving faster and embedding security into the culture of that innovation. 

George Gerchow: The second example I'll give you is a culture of transparency and self-reporting in a safe place. When I first came up, I came up in IT - just to get that out there. And whenever I saw a security person coming when security first got started, I would run because I was like, oh, man, I don't want to talk to these people. They're scary. They're going to get me in trouble. And we really changed that at Sumo Logic and other places as well, too, to where people can feel safe when they make a mistake, let us know. We'll resolve the issue, mitigate it from happening moving forward, but then not report it up to their management unless obviously it's a trend and a repeatable pattern we're seeing. When you do things like that, it empowers every person to take security seriously and then also just open up those lines of communication, so it's very much a cultural shift. 

Dave Bittner: Now that you're on the other side of this for a little while, I mean, what are some of the benefits that you all are tracking here? Are there any unexpected things that have come out of this, sort of turned out to be net positives? 

George Gerchow: Massive benefits. Dave, the first one alone is cost reduction. Typically, most organizations have a NOC and a SOC - you know, a network operation center and a security operation center. It's never made sense to me because whenever you have an outage, the SOC gets involved and works for the NOC. Whenever there's a security incident, the NOC gets involved and works with the SOC. And so why not combine those two functions, use the same tooling, use the same single source of truth and try to drive optimization and efficiencies that way? So that was the first really big benefit we saw. 

George Gerchow: The second one was, IT folks are really good at security. And so when you start shifting their mindset to be more security-oriented as they roll out new services, it's just a net-net win for the organization because it's not someone else's responsibility. It's now theirs as well, too. So there's been a lot of wins, and there will be more as we start moving into 2022. 

Dave Bittner: How do you make the case to the powers that be, to the C-suite and the board of directors? 

George Gerchow: That's one of the hardest things to do because they've always looked at it opposite, right? You know, availability is everything and security kind of falls in behind that. But the news itself does that. I always say, Dave, that being in security today is like selling insurance. You know, like, most of the time you're like, hey, look what happened in the news. What if? - you know, and everything else. Now it's everywhere, you know? 

George Gerchow: A CEO is driving in, they're listening to NPR or whatever their station of choice is, and every single day for the first time ever, you see ransomware on the cover of the Wall Street Journal, Forbes, SolarWinds, you know, vulnerability all over the place. So it's naturally starting to feed into their news mechanisms. And then, you know, it really is, again, selling that strategy and saying look what cohesively we can do by combining these two units and baking the security seamlessly into all of our IT functionality. 

Dave Bittner: That's George Gerchow from Sumo Logic. 

Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back on the show. 

Dave Bittner: You know, I saw on Twitter recently you had a series of tweets where you were sort of outlining some of the policies you have there at Dragos. When it comes to pay transparency, some unusual things going on there and, I thought, interesting insights for our audience. Can you share what's going on there? 

Robert M Lee: Sure. Yeah, we do a lot of things at Dragos that I think are different than other places. I'm sure there's other places that do them as well, so that's not meant as an insult to anybody. But we do a lot of things that, like, people scratch their head at first, and it's turned out really well so far. So yeah, we'll adapt if we do it wrong later. 

Robert M Lee: But even in the very beginning, you know, I would - when we hired our marketing lead, and I would say things like, hey, we're not going to put up a banner that requires somebody put in their email. No, no, Rob. You don't understand. That's how companies do it, and that's how they get leads and things. Like, no, you know what? Just put it up as optional. If people want to do it, that's fine. But I hate that as a practitioner, so I don't want to force that now that I'm in the position that I'm in, right? And so we didn't ever do that. We always did the optional way, and it did even better for us. And we got higher quality leads and all these things. 

Robert M Lee: So along the way, what I tell my employees is we've made a lot of choices that I think are the right choice in the sense that we can stand behind it and believe in it. I don't know that they're the smart choices. So I'm going to answer your question and walk you through some of the things we've done, but in full transparency out to other people running companies and so forth, there's a lot of pros and cons of these things. And I think it's the right choice. Some of them explicitly are not the smart choice. 

Dave Bittner: OK. 

Robert M Lee: And the one that you picked up on first is the pay transparency thing. So we have a career path for every career in the company. And let's say on average they go from, like, Level 1 to Level 10, right? And so there's different positions and structured out what's the roles and responsibilities for that and all that kind of good stuff. And in that career path, you have full pay transparency. So if you're a senior incident responder, you know what the L1 incident responder up to the, you know, V.P. of it makes. It's just fully transparent so nobody has to wonder. 

Robert M Lee: And, you know, it - but you also get to make the right choices for you on, hey, do I want to stick around and get promoted here? OK, well, what's it going to be this year? What's it going to be, you know, the next two positions? OK, well - OK, I can now make an informed choice. Maybe it's not good enough for me, and I'm going to go somewhere else. But maybe it is good, and I'm going to stay, which is one of the cons, right? Like, I think a lot of things happen to favor employers when they should be favoring employees, and then I think it works out better that way anyways. 

Robert M Lee: But with that pay transparency internal, we do the exact same thing externally. So when we have a job description and we post it, we say exactly what the pay is. And part of the benefit is people can opt in or opt out before that conversation even starts as it relates to pay. They can make, you know, sort of informed choices for themselves. And it saves us time not to get to the offer letter perspective and be completely misaligned. 

Robert M Lee: However, one of the downsides is there are other reasons to go to a company than just pay, especially a startup that has equity and the equity is fast-growing and the equity is worth a lot more than people ever really understand when you're not part of a startup. And so we can lose people on the frontend that if we were able to get in front of them and explain what they were going to be getting as their full package, they might actually come on board. I think - again, I rather let them opt out. If it's going to be a pay issue, let them opt out, and that's fine - be transparent. If there's icing on top when you join, then so be it, right? I think that's the better balance. 

Robert M Lee: But it also has cons. And our competitors will go look at exactly what our salaries are and just do, like, 5k more or 10k more. For me, I'm excited about that - great. Again, if our employees can get better options elsewhere - and then pay is just one of the components - but if they can do better elsewhere, good job. Like, be excited for them. They're your alumni, not - you know, I think a lot of employers look at the people on board and go, oh, they're poaching my people. Well, they're not your people. You know, they're your teammates. But that's OK. They've got - you know, they're adults. Let 'em go make their own life choices. 

Robert M Lee: So anyways, we do a lot of these kind of crazy things where - yeah, pay transparency fully inside and external the company. And there's no negotiations. We'll say, hey, this position pays 120k. That's what it pays. Well, I'd like to negotiate with you at the end. Nope. Started from the beginning and told you, it's a hundred - we baselined everything in the market. We know the 95 percentile of what, you know, that is worth. We're paying at that rate. And if you want it, that's great. Otherwise, we're not getting into these games. 

Robert M Lee: Another interesting thing we do - as I just ramble on - is if we find that we do need to adjust because the market has changed - which it has a couple times here during the pandemic - when we say, oh, well, we need a raise it up, we don't just raise it up for the new people coming in, we raise it up for everybody in that position. So if we decide, hey, we can't find the principal incident responder we wanted 'cause we're not paying market today, then we go and adjust the principal incident responder pay across the board and then go out to the market and try to find that person. So we don't get into this habit of, like, negotiating, pretending that new people are somehow worth more than the people you already have on board. So that's been really cool. 

Robert M Lee: And then the last thing is that we pay everywhere the same. So a lot of companies - and I don't mean this harshly - but they take advantage of the fact that based on location, there's some people around the world that are used to getting paid less. Like, if you build out a company arm or buy a local company or whatever in India, Romania, Ukraine, etc., you can pay a lot less. And so it helps with margins and all these other things. And we - I think that's exploitative to some degree, and we just don't do it. So whatever we pay for that position, we pay the exact same worldwide, regardless. And we just make sure that people get treated fairly. 

Dave Bittner: So because there's a high cost of living in a place like San Francisco or LA or any of those expensive places, the folks who live in less expensive places, they benefit from that calibration there, yes? 

Robert M Lee: That's correct. So yeah. When we hire engineers, as an example, we know we're competing with the Valley. And so we're paying top-end salaries, and they're good salaries, including in the San Francisco Bay Area. But if you're working from - I don't know - where I'm from, Cullman, Ala., and the cost of living is nowhere near as close to San Francisco, you still get the San Francisco base pay. 

Robert M Lee: So we baselined the salary using the available data sets we have. We constantly go through this every about six months. And we generally pay at, like, the 95 percentile, so as top as we can. Sometimes, it'll dip down a little, but generally speaking, in that kind of range. 

Robert M Lee: And then equity, it's the literal top of the top. And we have programs like boxcar programs, which nobody even gets done at a board level. Like, we have very, very generous equity plans. So when we create that listing, that listing for that position is the same everywhere in the world. And, yeah, people in various parts of world benefit greatly from that. 

Dave Bittner: I suppose, too - I mean, this helps with diversity initiatives as well. I mean, you don't end up - you know, we so many times you'll see a woman or a person of color say, hey, I just learned that, you know, half of my team makes twice as much money as I do for the same job. You're getting rid of that hazard as well, right? 

Robert M Lee: Yeah, absolutely. So it doesn't solve - and I know you're not saying that - but it doesn't solve it 'cause then you start to work - look at things like promotion and promotion rates, and there - like, there's so many things you have to dig into to try to really be equitable... 

Dave Bittner: Right. 

Robert M Lee: ...And make sure that biases don't creep into the organization and look at who you're hiring and the diversity of that, but it removes a big barrier for sure. And there's been numerous diverse candidates on the way in that have expressed sincere joy around what we're doing and how we're doing it 'cause even when you're not being biased or exploitative, it just removes any doubt. 

Robert M Lee: And so there's nothing you have to worry about. In other words, you don't think about it. Like, there it is. Everyone's getting paid exactly the same, no questions asked, you know, etc. Then it puts the ownership back on the management team of, let's be thoughtful on how we can be inclusive in promotions and transparent in how we're doing that and similar. So it doesn't by any means fix it, but it removes a significant barrier. And the feedback we've gotten so far has been highly positive on that. 

Dave Bittner: All right. Well, interesting insights as always. Robert M. Lee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.