Two new things to worry about: how long it takes to read the fine print, and bed bug disinformation.
Dave Bittner: DDoS activity during the Hamas-Israeli war. An insurance firm suffers a cyber incident. Recent arrests in cybercrime sweeps. Ukrainian hacktivist auxiliaries compromise customer data at Russia's Alfa Bank. How long does it take to read the fine print? Microsoft’s Ann Johnson from Afternoon Cyber Tea speaks with Noopur Davis about building secure tech from the start. Our guest is Antonio Sanchez of Fortra on the challenges of having too many tools. Ann Johnson from Afternoon Cyber Tea talks with Noopur Davis about building secure tech from the start. Antonio Sanchez of Fortra shares cybersecurity challenges for enterprises including why having too many tools creates too much complexity. And hey, Marianne–don’t let the bedbugs bite.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Tuesday, October 24th, 2023.
DDoS activity during the Hamas-Israeli war.
Dave Bittner: Cloudflare has published an overview of distributed denial-of-service (DDoS) attacks during the present Hamas-Israeli war. Attacks against Israeli targets dwarfed attacks against Palestinian websites by a factor of ten.
Dave Bittner: The firm's observations showed negligible DDoS activity against Israeli sites in the weeks preceding the war, but with a sharp spike on the morning of October 7th, when Hamas began its attacks. That activity peaked on October 8th, falling off until another surge on the 20th. The initial attacks "targeted websites that provide critical information and alerts to civilians on rocket attacks." Since then the attacks have concentrated on news and media sites, with some 56% of DDoS operations targeting these.
Dave Bittner: Cloudflare sees that pattern of target selection as representing an emerging style of hybrid war. The firm observed, "We saw the same trends when Russia attacked Ukraine. Ukrainian media and broadcasting websites were highly targeted. The war on the ground is often accompanied by cyber attacks on websites that provide crucial information for civilians."
Dave Bittner: After news media in frequency of targeting came the software sector (34%), followed by financial services, with government administration websites placing fourth.
Dave Bittner: DDoS against Palestinian sites also surged after Hamas's initial attacks, although not nearly with the volume that was directed against Israeli sites. In this case, however, the most targeted sector was financial services, with almost 76% of attacks directed against banks. "The Internet industry" came in second, sustaining 24% of DDoS activity. Media production websites came in a very distant third, with less than a percentage point.
Dave Bittner: So again, DDoS and defacement of vulnerable websites seem to have become the defining elements of wartime hacktivism.
Recent arrests in cybercrime sweeps.
Dave Bittner: Let’s take a moment to look at some high-profile arrests of alleged cybercriminals around the world.
Dave Bittner: The Associated Press reports that China’s Ministry of Public Security has brought back several thousand of the country’s citizens who were working for Chinese cybercriminal syndicates in Myanmar. Many of those brought to book were forced to work for the gangs, and it’s unclear how they’ll be dealt with by the Chinese justice system.
Dave Bittner: According to the Independent, Singapore have arrested twelve people between the ages of 17 and 40 for alleged involvement in social media scams.
Dave Bittner: The Spanish National Police have arrested 34 suspected members of a cybercriminal operation that ran a wide variety of scams. BleepingComputer reports that sixteen raids across five cities led to the seizure of “firearms and hand weapons, four high-end cars, 80,000 euros in cash, and computers hosting a database with information on four million people.”
Dave Bittner: We observe that the predilection for fancy, expensive cars seems to mark cybercriminals as representing, as a class, cases of arrested development.
Dave Bittner: The Register reports that a 31-year-old Moldovan man who allegedly ran the cybercriminal marketplace E-Root has been extradited from the UK to the US to stand trial for charges of “conspiracy to commit access device and computer fraud, wire fraud conspiracy, money laundering conspiracy, access device fraud, and computer fraud.”
Dave Bittner: And finally, Europol has released details of that international operation that disrupted the RagnarLocker ransomware gang. “In an action carried out between 16 and 20 October, searches were conducted in Czechia, Spain and Latvia. The ‘key target’ of this malicious ransomware strain was arrested in Paris, France, on 16 October, and his home in Czechia was searched. Five suspects were interviewed in Spain and Latvia in the following days. At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court. The ransomware’s infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website on Tor was taken down in Sweden.”
Dave Bittner: Europol adds, “This international sweep follows a complex investigation led by the French National Gendarmerie, together with law enforcement authorities from the Czech Republic, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the United States of America.”
Ukrainian hacktivist auxiliaries compromise customer data at Russia's Alfa Bank.
Dave Bittner: TASS says it never happened, but apparently, no, it actually did. Alfa Bank, Russia's largest private bank, was hit by Ukrainian hacktivist auxiliaries working in cooperation with the SBU. The Record confirmed the attack with the SBU. Alfa Bank is controlled by oligarch Mikhail Fridman, himself under US and EU sanctions in connection with his role in Russia's war economy. The SBU sees such hacktivism as a contribution to its intelligence collection effort.
A hidden opportunity cost of compliance.
Dave Bittner: Do you read all those EULAs, all those privacy policies that pop up around you? Shh, don’t tell anyone, but not all of us do, either.
Dave Bittner: It turns out there’s a kind of rationality on your side, friend. NordVPN sent us a study this morning in which they calculated how much time it would take the regular Joe, the ordinary Jane, to read all that stuff. After a pious bow in the direction of knowing what you’ve agreed to, NordVPN says, “The average privacy policy in the US consists of 6,938 words. A person reads approximately 238 words per minute, which means it would take a little over 29 minutes to read an average privacy policy.”
Dave Bittner: So if you read the privacy policies of the twenty most-visited US websites, that would take you about nine hours. If you read the policies of the 98 or so sites the average person visits in a month, that would take you a full work week.
Dave Bittner: The American philosopher Tom Waits once sang, ‘the large print giveth, and the small print taketh away.” A lot of what it takes away is…time.
This just in: don’t let the bed bugs bite.
Dave Bittner: And, finally, were you a little baffled by the recent furor over Parisian bed bugs? Our European desk was. Come on, they said–worrying about a few bugs is the kind of thing you’d expect from les Anglo-Saxonnes [laze AHN-glow sacks-SON], not from worldly Parisians.
Dave Bittner: It turns out that there’s a story behind this story. The recent overreaction in France and elsewhere to reports of a bed bug infestation may in significant part be due to the planting and amplification of bogus news stories by Russian trolls. The Telegraph reports that French intelligence services have traced the craze to Russian doppelganger trolling, Fake articles that misrepresented themselves as having been prepared by trusted news outlets were circulated in social media.
Dave Bittner: Case zero of this cognitive infestation seems to have been a bogus article said to have appeared in the regional newspaper La Montagne [la mon-TANE], which claimed (falsely) that the bugs were surging because the French government’s embargo on Russian chemical imports had deprived France of effective pesticides.
Dave Bittner: Other phony articles of similar bent were misattributed to the left-wing paper Libération [lee-bear-raht-SEE-own] and the right-wing paper Le Figaro. They're all forgeries and hokum. The bed bugs were never a big deal, and in any case they were around long before France imposed any wartime embargoes on Russia. It’s Russian disinformation. The campaign seems to have been opportunistic: the trolls saw some stories about bed bugs and decided to pick up the meme and run for daylight.
Dave Bittner: So the bed bugs have gone to war.
Dave Bittner: Coming up after the break, Microsoft's Ann Johnson from Afternoon Cyber Tea speaks with Noopur Davis about building secure tech from the start. Our guest is Antonio Sanchez from Fortra on the challenges of having too many tools. Stick around. [ Music ] It's a common refrain to hear CISA's lamenting the number of security tools they've accumulated over time and the complexity that means they have to manage. Antonio Sanchez is principal cybersecurity evangelist at Fortra, and I spoke with him about the challenges enterprises face when they've got too many tools.
Antonio Sanchez: Tool complexity is definitely one of the top issues that we hear from CISOs. They get into this predicament because it seems like, I don't know, every year, maybe every couple years, there's a new attack vector or a new vector that's out there that maybe wasn't used before for whatever reason in the IT industry and now it's being used. And whenever something new is being used or leveraged by the IT industry, typically the criminal actors, the bad actors, figure out that they can also leverage whatever the new technology is, the new innovation is, to be able to exploit it for their own nefarious purposes. The cloud is a great example that. Ten years ago, actually longer than that, but once upon a time, the world was entirely on premise. You had your servers in the server closet. You had your storage space in a storage closet, you know, things like SCSI disks and fiber channel disks and all that stuff, lived in, you know, behind four walls in a data center, maybe got replicated somewhere else. And now with the rise of the cloud over the past several years, a lot of that stuff doesn't live inside those four walls. It lives in somebody else's four walls. And so it's a new footprint that is now available for the IT industry, but it's also available for the bad guys, the bad actors, the criminal actors, to be able to exploit as well. So for every new innovation that's out there, there is a new attack vector. For every new attack vector, there's a new tool. And for every tool that you purchase or an organization purchases to address that new attack vector, you end up with tons of tools. In fact, it's not uncommon for us to hear organizations with 50, 60, 70, even over 100 tools. The bigger the organization, usually the more tools in house. And somebody's got to make all that stuff work together.
Dave Bittner: And how do they typically go about that? I mean, it seems to me like that's a lot of balls to have in the air at the same time.
Antonio Sanchez: It is a lot of balls to have in the air at the same time. And what we hear time and time again is that some of the time, the complexity is so great that they'll only be using maybe 2 to 5% of that tool's capability. So there's a lot of unused value from that tool, and now you multiply that by 20, 30, 40, 50, even 100 tools, I mean, that's a lot of expense for not a lot of value being brought back in. Because in many cases, the tools don't actually talk to each other, the tools don't share information back and forth. A lot of times, you have to go to one tool to get insights and then you have to correlate those insights from another tool and take action on yet another tool. So there's several tools that have to be used in order to be able to take some sort of -- and then you have to have somebody that knows how to use all of those tools and make heads or tails out of all of them as well. So it's a patchwork of stuff, for sure.
Dave Bittner: Is there a reticence to retire a tool that's been in service for a while? Are people afraid that, you know, if I get rid of this tool, then, you know, a breach happens, where that tool may have been the thing that could've prevented it, then I'm in a heap of trouble?
Antonio Sanchez: It's difficult to sunset a tool that you yourself were responsible for its initial purchase or procurement or rollout. It becomes a sensitive topic, a sensitive subject, because like, wait a minute, I made the decision to spend whatever it was, $100,000, half a million, $1 million on this tool or on this set of tools to be able to improve the security posture of the organization, and it didn't quite work out. I mean, that's a hard pill for some people to swallow, so they kind of, in some cases, would rather deal with the complexity, you know, to try and save face. You know, what we tend to find a lot though is that organizations that are in new leadership will kind of take that inventory of saying, we have all of these tools, do we really need everything? And then they'll kind of, you know, take an honest look at the tech stack of the organization and say, yeah, well, we probably don't need everything, so let's make some decisions that are going to be best for the organization for the long haul.
Dave Bittner: Is that really a good way to come at this, to establish some sort of cadence for taking a look and evaluating whether or not indeed you need all of the tools that you've signed up for?
Antonio Sanchez: Nowadays, there's a lot of tools that have a lot of overlapping capability. And the hard part is trying to understand is, what am I using this tool for, and is the use case that I have for this tool something that can be done with something else such that I can retire it? At the end of the day, you know, organizations constantly have to evolve their security strategy. And as part of that, they have to take an honest look at themselves and say, you know, is there something that we can look at, some sort of a framework we could look at, of all the things that we use, of all the things that we need, of all the use cases we have out there, and then figure out is there something else within our arsenal, or should we start looking at an investment in something that maybe allows us to be able to retire a large portion of them? So many of the CISOs that we talk to nowadays have goals where the next two to three years they want to reduce their tech stack by, you know, in some cases 50%, even as high as 80%, where they just want to have a handful of partners to be able to move forward with because they're trying to simplify their organization and reduce complexity within their organization.
Dave Bittner: You know, along with that, I think a lot of folks have trouble with their patching programs of trying to come up with a reasonable way to take care of patching in a reasonable amount of time, but still not introduce friction for their users. Do you have any thoughts with that?
Antonio Sanchez: Absolutely. Well, that's one of the insights that you typically get with a whole bunch of tools is saying, okay, we've got, you know, a vulnerability management program, we have a tool that we use to tell us what are the vulnerabilities that are out there, what are the critical ones that are out there, which ones affect us that are out there? Because I think we're up to like 20,000 vulnerabilities this year, something like that, some ridiculous number again. And you can't do all of them, so you need to have some context around which are the ones that are important to us as an organization to keep our security posture where it needs to be. And in many cases, the action, in most cases, the action item is, well, we have to do patching; we have to patch this server; we have to patch whatever it is that we have out there. And you have to be disciplined about ensuring that you're able to patch when you need to patch, whether that's a recurring schedule where you do multiple patches at once, or something that's critical that you have to do an out-of-cycle patch. But maintaining a strong discipline patching program is one of the what I call the basic blocking and tackling things that an organization can do to reduce the attack footprint of the organization. It's easy to say but it's hard to do. Because in many cases, patching is just one of those things that tends to get deprioritized for more critical type projects.
Dave Bittner: That's Antonio Sanchez from Fortra. [ Music ] Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast. And in today's episode, we get a segment of her conversation with Noopur Davis about building secure tech from the start.
Ann Johnson: Today I am joined by Noopur Davis, executive vice president and chief information security and product privacy officer at Comcast. Noopur is responsible for overseeing the full range of cybersecurity and product privacy functions for all Comcast Cable businesses, including all products and services delivered to residential and business customers. Secure by design and secure coding is such an important and overlooked and undervalued part of cybersecurity often, people don't talk about it, right? So knowing you have that background gives you such unique perspectives that others generally don't have.
Noopur Davis: It does. You know, I do find that having that background helps in so many other areas of security. If you sort of know, hey, this kind of action that you take as you're designing a system or as you're building a system, or as you're writing the code, these are the type of vulnerabilities and issues that can lead to. Then let's say you are confronted by a network vulnerability or a configuration vulnerability, or some other, you sort of like go back to that mind map and you've got to go, hmm, I sort of maybe know how this can happen. And knowing how something could possibly happen, I think gives you a better chance of being able to respond to it. I'm not saying you're right 100% of the time, you never are. But I think you have a slightly better chance of knowing what might be the cause.
Ann Johnson: We can't go any further until we talk about data, artificial intelligence, and specifically generative AI and security. So what's your point of view, Noopur; how are you thinking about generative AI and security; what are some of the early use cases you're excited about? And what do you think this innovation is going to do for the industry?
Noopur Davis: So you've asked, you know, a question that is really near and dear. So we have -- in our security program, we have three north stars. And, you know, north stars those, you know, I talked about our mission, north stars are our kind of long-term view of success. And our very first one is build security in. And, you know, this is again, biased, that's my background, that's where we started. And, you know, that program is, you know, in its seventh year and probably one of our most mature north stars. Our second north star is around zero trust environment, you know, we're probably about halfway through that journey. And then our third is around data. And, you know, we have struggled with this, as I think most security organizations do, because we have so much security data, you know, millions of sensors that are, you know, gathering all kinds of information about endpoints and network and identities and network devices. And, you know, we were really struggling on how do you make sense of all of that. And, yes, there is SIMs and there are other ways of analyzing it but, you know, they are very expensive, you can't do long-term analysis with them. So we spent years building a security data fabric. And it's sort of changed the way we do security, I have to tell you. It's just again, still learning, still growing. It's a journey, not a destination. But what the fabric lets us do is we bring in information from all of these sensors, we enrich that with other enterprise and other intelligence. Like, for example, organizational hierarchies, asset systems, authentication systems, badging systems, right? You bring all of this data together with your security data, suddenly you can ask questions that you didn't dare to ask before. So we use that fabric for everything from like continuous controls compliance to machine learning models that will do behavioral analysis and detection and everything in between.
Dave Bittner: That's Ann Johnson from the Afternoon Cyber Tea podcast, which you can find right here on the CyberWire network, speaking with Noopur Davis. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2K.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]
