The CyberWire Daily Podcast 9.11.17
Ep 431 | 9.11.17

Everything Equifax, with some notes on German election vulnerabilities and an update on the Crackas With Attitude.

Transcript

Dave Bittner: [00:00:00:24] We know a lot of you value the CyberWire and that it helps you do your jobs better and we hope you'll check out our Patreon page at patreon.com/thecyberwire and become a regular supporter. Thanks.

Dave Bittner: [00:00:14:18] All things Equifax, as the credit bureau deals with its breach, and the lawyers and Wall Street wind up to deal with the credit bureau. The Chaos Computer Club says it's found major flaws in German election software. Moscow seems to have done a lot of catphishing in social media during the last US campaign season. Best Buy boots Kaspersky's security products from its big box stores. And a Cracka With Attitude gets five years in Club Fed.

Dave Bittner: [00:00:46:22] Time for a message from our sponsor, the good folks over at Recorded Future. You've heard of Recorded Future. They're the real time threat intelligence company. Their patented technology continuously analyzes the entire web, to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best, informed decisions possible for your organization.

Dave Bittner: [00:01:12:17] Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It’s timely, it’s solid and the price is right, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:50:17] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Monday, September 11th, 2017.

Dave Bittner: [00:02:01:00] We begin today with some updates on last week's Equifax debacle, by general consensus the most serious data breach to come along in years. In terms of numbers affected, it's smaller by an order of magnitude than the Yahoo! breaches of 2016, but those affected mostly Yahoo! User credentials.

Dave Bittner: [00:02:18:14] The Equifax breach, which at 143 million individuals hit is big enough, includes a great deal of sensitive personal information: names, Social Security account numbers, dates of birth, and addresses. Large subsets of those individuals also had their credit cards exposed. Some 209,000 card numbers were lost, and other personal information like driver's license numbers and records of credit disputes was taken from 182,000 people.

Dave Bittner: [00:02:47:09] Once you take out children and those who don't participate in the labor market, the 143 million total, a little less than half the US population, is enough to cover the vast majority of adults who would be in a position to seek credit. So anyone who has a credit card, a home loan, in many cases even a bank account, can consider themselves at risk. Much of the coverage of the breach is misleading in that it says Equifax customers were the victims of the data theft, but the individuals whose information was stolen were for the most part not customers of Equifax, but rather people whose credit Equifax was rating for the institutions that are its actual customers: banks, credit managers, and so forth.

Dave Bittner: [00:03:28:23] The consensus advice experts are giving to those affected, which would probably include you, if you're listening to this, is to put a freeze on their credit. The US Federal Trade Commission has some advice available on how to do this, which you'll find at consumer.ftc.gov. Go to the FTC's blog on the site and select the entry called The Equifax Data Breach: What to do.

Dave Bittner: [00:03:52:18] Equifax incident response, particularly its public communications, have been widely excoriated. KrebsOnSecurity calls it a dumpster fire, and that's the general assessment. The 41 days between discovery and disclosure strikes most as far too long. To be sure, it takes time to evaluate a security incident, and no-one would want to send out disclosures and alerts on the basis of every wayward false positive. But it's difficult to see 41 days as falling within any reasonable standard of timely notification.

Dave Bittner: [00:04:24:23] Here are two benchmarks in US state law and regulation that may provide context. Georgia's breach notification law reads as follows: any person or business that maintains computerized data on behalf of an information broker or data collector that includes personal information of individuals that the person or business does not own, shall notify the information broker or data collector of any breach of the security of the system within 24 hours following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Dave Bittner: [00:04:59:05] And New York State's Department of Financial Services, in its regulations that began to come into effect at the end of last month, gives covered entities no more than 72 hours to report once they've determined that a cybersecurity event has occurred.

Dave Bittner: [00:05:14:19] Security experts are already reporting a spike in online fraud of the kind normally associated with such breaches. One bit of dark web criminal activity that popped up within hours of Equifax's disclosure has, however, begun to appear bogus. A ransom message appeared from some person or persons claiming to be the Equifax hacker. They said, "We need to monetize the information as soon as possible," and demanded 600 Bitcoin from Equifax (roughly $2.5 million) by September 15th. If the credit bureau failed to pay, the authors of the ransom note said they'd post the stolen data, minus the credit card numbers, online. But these people, whose accounts have been suspended by their hosts, appear to be opportunistic grifters and not the real hackers after all. Investigation continues.

Dave Bittner: [00:06:05:02] Speculation about how the hackers got in centers on an Apache Struts vulnerability, although which vulnerability and how it may have been exploited remains unclear.

Dave Bittner: [00:06:15:16] Equifax's stock price continues to drop. It fell more than 13% on Friday; this afternoon it's down by about 10%. The share prices of its two principal competitors, Experian and TransUnion, also took an initial tumble on Friday, but appear to be recovering today.

Dave Bittner: [00:06:33:14] State's attorneys general, including New York's, are opening investigations, as are the US Congress and any number of regulatory bodies. The plaintiff's bar is also predictably queuing up legal action action against Equifax. HackRead reports the suits add up to billions, as one would expect. Even though such large awards of damages are unlikely, Equifax faces some tough legal sledding over the incident.

Dave Bittner: [00:07:00:02] The Chaos Computer Club, a white hat outfit operating from Germany, reports finding vulnerabilities in voting software used in several German Länder. The Federal Republic's sixteen constituent states will hold elections on September 24th. Berlin has been preparing for Russian interference for a year.

Dave Bittner: [00:07:20:00] Facebook's discovery that it had been selling ads to Russian catphish prompts a look by the New York Times, and others, at one prominent influence-operations tactic: the creation of fictitious persona in social media. These were evidently used to cast doubt on the integrity of US political institutions during the last election cycle. Disruption and mistrust were apparently more important than any particular balloting outcome.

Dave Bittner: [00:07:46:13] Kaspersky Lab remains in bad official US odor. It's also taken a hit in the consumer marketplace, as Best Buy announces it will no longer carry the Russian security company's products.

Dave Bittner: [00:07:59:03] And finally, remember the Crackas With Attitude, who doxed various US government officials back in 2015? The second Cracka to cop a guilty plea has been sentenced. Justin G. Liverman, age 25, who used the nom de hack D3F4ULT, has received five years in the big house on a Federal hacking beef.

Dave Bittner: [00:08:24:04] Time to share some information from our sponsor, Cylance. We've been following WannaCry, Petya, NotPetya and other forms of destructive ransomware for weeks. Cylance would like you to know that they can prevent Petya-like ransomware from executing in your system, and they'd also like you to know that they've been doing that since October of 2015. How's that for getting ahead of the threat?

Dave Bittner: [00:08:43:22] Their success against NotPetya demonstrates the benefits of their temporal predictive advantage. CylancePROTECT stops both file and fileless malware. It runs silently in the background, and best of all, it doesn't suffer from the blindspots in legacy defenses that NotPetya exploited to such devastating effect.

Dave Bittner: [00:09:02:12] If you don't have CylancePROTECT, and if you'd like to learn more about how it can defend your enterprise, contact them at cylance.com and find out how their AI driven solution can predict and prevent the unknown unknowns from troubling you, and we thank Cylance for sponsoring our show.

Dave Bittner: [00:09:25:17] I'm pleased to be joined once again by Dale Drew, the Chief Security Officer at Level 3 Communications. You have a really unique view of the internet. There are a lot of things that you see that many organizations cannot, and you wanted to share some pretty sobering statistics with us.

Dale Drew: [00:09:44:17] Sobering is a very good word for it. We have this threat intelligence infrastructure that we use to monitor traffic on our network, and we categorize attacks that we see. What we've seen is a pretty sharp and sustained increase in attacks going through the public internet. Two things surprised us: one, on a rolling average 30 day basis, using the machines that we have set up to monitor the honeypot networks, we see about 750,000 automated attacks per day. We see 15,000 malware sessions per second hitting victims, meaning the level of malware traffic on the global backbone is staggering.

Dale Drew: [00:10:32:14] We see 50,000 phishing emails per second, emails going to potential victims for them to click on and have their computer compromised with malware being delivered to execute attacks. We also see about 8,000 scanning attempts per second, where bad guys automatically scan the network looking for particular exposures that they can compromise to deliver things like malware.

Dale Drew: [00:10:57:06] Attacks are here to stay and are growing. A survey produced by Incapsula indicates that 52 percent of all internet traffic is bot traffic. Of that, about 23 percent of it was helpful botnet traffic such as search engine and feed fetching traffic, and about 29 percent of it was harmful: automated systems scanning for opportunities to compromise and add to botnet traffic. Therefore, just on web traffic alone, more than 50 percent was indicated to be botnet traffic.

Dave Bittner: [00:11:42:20] Looking at these numbers, what are your recommendations for individuals?

Dale Drew: [00:11:47:16] My recommendation is to recognize that bad guys are here to stay and have automated their infrastructure so they can easily find and exploit your weaknesses to gain access to your infrastructure. At Level 3, we scan our public infrastructure six times per second. I audit my system every 24 hours, but the bad guys are looking for weaknesses every six seconds, so the moment we detect a weakness in our infrastructure, an operator makes a small configuration change or forgets to apply a patch in time, I'll find it in 24 hours; the bad guys, however, will find it within six seconds.

Dale Drew: [00:12:34:05] When infrastructure is connected to the public internet and is accessible, you must make sure you have the right practices in place to monitor, not only for compliance of security policy and patches, but also, more importantly, to monitor for potential breaches and compromises.

Dave Bittner: [00:12:56:00] Sobering, indeed, but as always good information. Dale Drew, thanks for joining us.

Dave Bittner: [00:13:03:23] And that's The CyberWire. Thanks to all of our sponsors who make The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, check out cylance.com.

Dave Bittner: [00:13:16:15] If you find this podcast valuable, we hope you'll consider becoming a contributor. You can go to patreon.com/thecyberwire to find out how.

Dave Bittner: [00:13:24:21] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.