The CyberWire Daily Podcast 9.13.17
Ep 433 | 9.13.17

North Korea turns to cryptocurrency theft. Equifax breach gets worse. Patch Tuesday. Duma says US election hacked.

Transcript

Dave Bittner: [00:00:00:22] I have good news. I have just started a transaction with a Nigerian Prince who just needs some help parking his money for a little while, and when that's completed it will make the CyberWire completely financially independent! In the meantime, patreon.com/thecyberwire, we could use your support. Thanks.

Dave Bittner: [00:00:20:24] North Korea's stealing all the Bitcoins it can find; the Equifax breach continues to spread: countries other than the US are increasingly involved; we've got some Patch Tuesday notes; the US Director of National Intelligence addresses the Billington CyberSecurity Summit; and did a Russian lawmaker just cop to the influence operations President Putin has so piously denied?

Dave Bittner: [00:00:47:16] Time for a message from the good folks over at Recorded Future. Recorded Future is the real-time threat intelligence company, whose patented technology continuously analyzes the entire web, to develop information security intelligence that gives analysts unmatched insight into emerging threats. When analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever.

Dave Bittner: [00:01:12:24] We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily and, if it helps us, we're confident it can help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:45:23] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, September 13th, 2017.

Dave Bittner: [00:01:57:03] North Korea, hit by international sanctions over its missile and nuclear tests and the explicit threats it's been making against many countries, including, but not limited to, South Korea, Japan, and the United States, ramps up its raids on Bitcoin sources. Bitcoin and other cryptocurrencies are attractive means to accumulate and launder cash that sanctions are designed to interdict. Many of Pyongyang's recent raids have been directed against South Korean Ethereum exchanges.

Dave Bittner: [00:02:27:11] The Equifax breach is proving a horror show, expanding in slow motion. We'll hear a little later from Forcepoint's Chief Scientist, Dr. Richard Ford, but in the meantime it's been known since late last week that the Equifax breach extends to individuals outside the US.

Dave Bittner: [00:02:43:23] The first reports of non-US citizens' data being compromised arrived from Canada and the UK. The number of British subjects thought to be affected is by some estimates as high as 40 million.

Dave Bittner: [00:02:55:18] It now appears that the breach extends to Latin America, at the very least to Argentina. Security firm Hold Security has told KrebsOnSecurity that it discovered signs of a large Equifax database in Argentina that's proven as exposed and unencrypted as the other Equifax databases hackers hit in the US. This may be a case of exposure as opposed to hacking, but, whatever the case may be, it's bad news for Equifax and the consumers whose information the credit bureau has touched. Early indications suggest Argentina won't be the only Latin American country affected.

Dave Bittner: [00:03:33:03] The breach has placed authorities and others on heightened fraud alert. The e-commerce fraud prevention company, Forter, told Yahoo! Finance that it's seen a 15% spike in fraud attempts over the last two months. The evidence is circumstantial, but timing suggests to them that this is connected to the Equifax breach.

Dave Bittner: [00:03:52:14] Equifax will surely take a major financial hit from the breach and its poorly reviewed response. The Ponemon Institute has estimated the credit bureau's probable loss in the tens of millions, but that should be interpreted as a low-end guess.

Dave Bittner: [00:04:07:05] Earlier today I spoke with Dr. Richard Ford, Chief Scientist at Forcepoint, for his take on the Equifax situation.

Dave Bittner: [00:04:15:02] As we record this it is Wednesday, mid-morning here on the East Coast. What do we know about this Equifax situation from a cybersecurity technical point of view?

Dr. Richard Ford: [00:04:26:04] Yes, that's a great question. I think technically there's some confusion about exactly which vulnerability and what happened once the vulnerability was triggered. I think we are pretty sure it was an Apache Struts vulnerability, which is part of their web services, but what happened after that is slightly less clear. So often in these cases that's what happens quite quickly after a breach, there's a lot of lack of clarity as to exactly what happened and how the attacker moved from the initial access to the target they wanted.

Dave Bittner: [00:04:58:16] People are pointing out that Equifax has not done themselves any favors; that it seems that in every turn they've handled things in perhaps the worst possible way.

Dr. Richard Ford: [00:05:08:02] Yes. I think I have a lot of sympathy for them in some ways. When you've sat in one of these crisis war rooms it's like blood is coming out of your eyes; there's a lot of panic that goes on as you try and handle the press, you try and handle your customers, you try and handle your cybersecurity. In that respect, I have sympathy. With that said, I think it's very important for companies to have a crisis management team where you have these plans in the event of a breach, "Here's what I'm going to do, here's the comms plan." In fact, I've worked with companies in the past who have actually sort of done those internal war games, so at the time they have to do it for real, it's not the first time they've ever thought about it.

Dave Bittner: [00:05:45:20] I imagine the folks sitting on the board at Equifax wondering, "What the heck happened here? How could it be this bad and how could we have done this bad a job with our security?" If I'm sitting on a board and I'm trying to ask the right questions to my security team, how can I have assurances that they're actually taking care of business?

Dr. Richard Ford: [00:06:06:04] I think security from the board level is quite tricky, and I think that's a really fantastic question by the way. Boards in general do think about cybersecurity, but there are a few things that can go wrong.

Dr. Richard Ford: [00:06:18:18] Sometimes the information the board gets is filtered or spun and so it's difficult for the board to get full visibility. Then the second thing is I think that boards also face the same sort of cybersecurity fatigue that you and I face. We feel like we're on the hamster wheel of pain, we keep pushing forwards, we're sort of running on that treadmill in place, and so that fatigue can also be quite difficult. I think it's hard from a number of ways for the board to look at the cybersecurity risk because it seems omnipresent.

Dr. Richard Ford: [00:06:47:11] Then so often you don't have that deep expertise within the board to even know what are the right metrics, what metrics should the board be asking for from their companies to say, "Hey, what are the right metrics for measuring cyber?" Do you count instance? Do you count patch rate? Do you count days of risk? These things are difficult, so the lack of metrics, the fatigue and the lack of expertise can become sort of this perfect storm that makes it very difficult for the board to do their job.

Dr. Richard Ford: [00:07:16:13] In the bigger picture, I think one of the take-aways is do we really think that a social security number, a date of birth and a name is enough to identify me in 2017, and the answer's probably not. Therefore, thinking about how we can evolve standards might be more important because, no matter how well folks lock these things down, eventually these kind of breaches are going to happen and if it's not here it's there, if it's not the next place it's the place after, so thinking about ways that we can use technology to enhance identity is quite important. Whether this becomes the inflection point or not, we should be taking a long, hard look at how we do business, how we establish credit and how we establish identity, and how we go about protecting that data. I think that one of the interesting take-aways, by the way, from this breach is that data is an asset, but it's also a liability, because you can't lose something that you don't have.

Dr. Richard Ford: [00:08:07:07] Looking at the whole way that we deal with these pieces of data, how we protect them, and the lenses that we use to look at how data flows throughout our company needs to change. We need to do security a little bit differently, we need to think about how we establish identity, for the purposes of things like banking as well.

Dr. Richard Ford: [00:08:24:24] One of the interesting aspects is this is a highlight that we focus too much potentially on threats. It's about detecting a threat, it's about saying, "Hey, is this packet coming towards me bad," or, "hey, is this piece of software vulnerable? Is it exploitable?" Instead, I think what we need to do is pivot a little bit and enhance those techniques with techniques that look at how data is accessed. If you looked at how that process, whatever process it was that ultimately took that data, it was probably an anomalous access; processes usually don't access that much data, they don't float it off of site. So, re-focusing on what we call the human point and the point of intersection between data access and data storage, how it's used, how it's accessed, can provide another lens that's less reactive, which provides a better way of doing security, it can augment the existing security systems you have, and I think that's quite an important point in this.

Dr. Richard Ford: [00:09:19:15] Working through a purely threat-centric view of the world is sort of yesterday's way of protecting our data and, as data becomes increasingly mobile, especially with the cloud, we have to spend more time thinking about how is that data being accessed and what is the likely intent behind that access?

Dave Bittner: [00:09:35:02] That's Dr. Richard Ford from Forcepoint.

Dave Bittner: [00:09:38:22] Yesterday was Patch Tuesday and Microsoft swatted 82 security bugs, 25 of them rated critical. One of them is a .Net vulnerability that's being exploited in the wild, reportedly to spread FinFisher spyware. The patches also address the BlueBorne vulnerability, whose discovery was announced this week by security firm, Armis.

Dave Bittner: [00:10:01:06] Some of our reporters are down at the annual Billington CyberSecurity Summit in Washington today. The sessions have been interesting and they're discerning a theme that's reappearing in several keynotes and panel discussions: the general erosion of social trust. That includes trust in commerce, banking, government, politics, even ordinary human interaction online. That general erosion of trust that cyberattacks bring about may be their most serious and enduring consequence, going beyond IP theft, losses to fraud, or even infrastructure compromise.

Dave Bittner: [00:10:35:07] Director of National Intelligence Coats was among those who expressed this at his morning keynote. The adversary's fundamental goal is usually to destroy trust. That's especially true of the nation-states and the non-state ideological actors, and even the conventional criminals will take some disruption as gravy on their theft.

Dave Bittner: [00:10:55:17] Speaking of adversaries and disruption, a prominent member of the Russian Duma crows about influence operations. Vyacheslav Nikonov appeared on a Sunday political talk show in Russia, Sunday Evening with Vladimir Solovyov. He wanted to sneer at what he called declining American power. As Mr Nikonov put it, "American intelligence missed it when Russian intelligence stole the President of the United States."

Dave Bittner: [00:11:22:14] Well, President Putin has roundly denied any influence operations, still less election hacking so, for Mr Nikonov's sake, we hope President Putin isn't a regular viewer.

Dave Bittner: [00:11:39:24] Now, I'd like to tell you about some research from our sponsor, Cylance. Good policy is informed by sound, technical understanding. The cryptowars aren't over. Cylance would like to share some thoughts from ICIT on the Surveillance State and Censorship, and about the conundrum of censorship legislation. They've concluded that recent efforts by governments to weaken encryption, introduce exploitable vulnerabilities into applications, and develop nation-state dragnet surveillance programs will do little to stymie the rise in terrorist attacks. These efforts will be a detriment to national security and only further exhaust law enforcement resources, and obfuscate adversary communiqués with a massive cloud of noise. Back doors for the good guys means back doors for the bad guys, and it's next to impossible to keep the lone wolves from hearing the howling of the pack.

Dave Bittner: [00:12:30:05] Go to cylance.com and take a look at their blog for reflections on surveillance, censorship and security. We thank Cylance for sponsoring our show.

Dave Bittner: [00:12:45:12] Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. I saw an article come by on Ars Technica. It was about a call for the FTC to scrutinize a company called Hotspot Shield. This is a VPN service and there are some folks who are alleging that they are intercepting traffic.

Joe Carrigan: [00:13:07:21] The Center for Democracy and Technology?

Dave Bittner: [00:13:11:06] Yes. They did a 14-page filing and, basically, they're saying that Hotspot Shield, which is a free VPN service, is collecting data and channeling you to advertisers and so forth.

Joe Carrigan: [00:13:25:20] What kind of VPN service, Dave?

Dave Bittner: [00:13:27:14] Free.

Joe Carrigan: [00:13:28:11] Free! If you don't pay for something on the internet, you are the product.

Dave Bittner: [00:13:33:09] That is correct.

Joe Carrigan: [00:13:34:18] That's important for everyone to remember. Facebook, you are the product. Facebook isn't the product, the product is you and all the marketing and advertising that can go to you. I have a Facebook account and I'm okay with that. When you start getting into these VPN services, though, this is a service that's purporting to say, "We'll keep your information private." But they're free, so they have to monetize this service somehow and how they're monetizing it, allegedly, from what this report is saying, is from intercepting HTTP requests and then targeting ads towards the people who are using it.

Dave Bittner: [00:14:13:10] There's not necessarily anything wrong with that if that's what you agree to going in, when you sign up for the service.

Joe Carrigan: [00:14:17:11] Correct. If you agree to that, that's right. I use a VPN service that I pay for annually and it costs me, I think, $35 a year to use the service, and I don't think that's a very high price for what I get. I did some research on which VPN service to use and there are a number of them out there that cost about the same. I can't plug one, being from a university, but this one had pretty good marks and has demonstrated to me that they're really interested in keeping my information and traffic secure, especially since at home I'm a Verizon user. There have been recent changes in FCC policy that now allow Verizon to do what this VPN service is being accused of doing here, and that's to collect my data and target marketing towards me. That really does rub me the wrong way because here I am paying Verizon a certain amount of money every month for the internet, television service and phone service, and that's somehow not enough, they need to sell my traffic information. Yes, I use a VPN at home and I use one that I pay for so that my traffic remains my own business.

Dave Bittner: [00:15:31:02] Yes, and I think when people hear VPN they assume that what comes with it is a certain amount of privacy and the point here is?

Joe Carrigan: [00:15:41:12] It depends! It absolutely depends on what you're engaging in.

Dave Bittner: [00:15:45:24] Like you said at the top, if it's free they're making money somehow.

Joe Carrigan: [00:15:49:14] They are making money somehow.

Dave Bittner: [00:15:51:01] Right. Joe Carrigan, as always, thanks for joining us.

Joe Carrigan: [00:15:53:13] It's my pleasure, Dave.

Dave Bittner: [00:15:56:12] That's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.

Dave Bittner: [00:16:14:10] Thanks to all of our supporters on Patreon. If supporting us on Patreon is just beyond your means, well we understand, but we hope you'll take the time to leave us a review on iTunes. It's another way you can help support the show and it really does help people find us.

Dave Bittner: [00:16:27:14] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.