EDGAR hack enabled illicit stock trades? Equifax tweets phishing url to troubled inquirers. Kaspersky ban clarified.

Dave Bittner: [00:00:01:07] We hope you'll check out our Patreon page, at patreon.com/thecyberwire, and remember at the $1,000 a month level, I will come to your house and read the CyberWire to you personally. Alright, maybe not, but there are all sorts of other benefits you can check out there. We hope you'll do it. Thanks.

Dave Bittner: [00:00:22:02] The SEC gets hacked, and someone might have made a lot of money. Equifax tweets send inquirers to a phishing site. Investigation into the Avast caper suggests a state intelligence service's hand. The Department of Homeland Security clarifies its ban on Kaspersky products. And chatbots turn spiritual.

Dave Bittner: [00:00:47:24] It's time to take a moment to tell you about our sponsor, Recorded Future. So attention threat intelligence enthusiasts, the first week in October consider heading to Washington DC and joining Recorded Future and the rest of your community for RFUN 2017. It's this October 4th and 5th. Share experiences, insights and best practices; learn from exclusive presentations by threat intelligence thought leaders; and you can be the first to know - get a sneak peak of new Recorded Future product features and the company's development road map. Meet others like you; people who understand that cybersecurity depends upon actionable intelligence. Network with your information security peers to learn how others apply threat intelligence, powered by machine learning. RFUN is the place to be if you're a threat intelligence enthusiast. If you attend, say hello to us. The CyberWire will be podcasting from the floor on the 5th. Register now at recordedfuture.com/RFUN. That's RFUN, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:59:05] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner, in Baltimore with your CyberWire summary for Thursday, September 21st, 2017.

Dave Bittner: [00:02:10:07] Late yesterday the SEC announced that it had been hacked, and that the hackers may have been able to use the fruits of their labors to execute illegal trades.

Dave Bittner: [00:02:19:07] The US Securities and Exchange Commission discovered last year that there had been unauthorized access to its EDGAR reporting system. EDGAR, an acronym standing for Electronic Data Gathering, Analysis, and Retrieval, is the SEC's central collection and distribution system for the various filings public companies are required to submit. There appeared at the time to be little to worry about. That changed yesterday, September 20th, however, when the SEC said that EDGAR had been compromised by a "threat actor." The Commission revealed that it concluded last month—that is, in August 2017, that an intrusion into EDGAR seems to have been used for illegal stock trading. It's not yet know how large that trading was, or how large the illicit gains were, but it could represent a very significant incident.

Dave Bittner: [00:03:10:04] The disclosure appeared in a long statement by the SEC chair outlining the ways in which cyber security and resilience are important to the SEC and the sector it regulates, and describing the Commission's initiation of an assessment of its cyber risk profile. The relevant passages may be difficult to find, so we quote them now: "Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities."

Dave Bittner: [00:04:18:06] The statement is long and mostly concerned with all the ways the SEC is shoring up its cybersecurity as it works to drive down risk. The emphasis in the statement on implementation of the NIST Framework suggests that part of what's going on here was prompted by the President's Executive Order.

Dave Bittner: [00:04:35:04] There are other security issues that have surfaced during the SEC's cyber risk assessment. Some may have involved data corruption. The Commission's Division of Enforcement has investigated and filed cases against individuals who are believed to have placed fake SEC filings on EDGAR in order to profit from resulting market movement.

Dave Bittner: [00:04:54:19] A number of the issues are old ones, brought out to illustrate what sort of risks the Commission is looking into the SEC's Inspector General found in a 2014 internal review that some SEC laptops that might have contained nonpublic information couldn't be found. The IG also found a few cases in which SEC personnel transmitted nonpublic information through non-secure personal email accounts.

Dave Bittner: [00:05:19:19] The SEC has come in for scrutiny with respect to its cybersecurity before. There were reports in 2014 that access to EDGAR had enabled speculators to run trades shortly before material information was posted to the service. The intervals were short, matters of seconds, but that's enough time to earn some illicit money.

Dave Bittner: [00:05:40:03] And Reuters is reporting in an "exclusive" that a Department of Homeland Security report on January 23rd of this year found five critical weaknesses in the SEC's systems. The report was one of DHS's regular scans of Federal networks. It's not known whether any of those vulnerabilities had anything to do with the incursions into EDGAR. The story is developing. Investors and Congress are said to have the jitters, as well they might.

Dave Bittner: [00:06:09:08] Equifax continues to struggle with incident response. Communication through social media has for some time been understood as an important way of getting the story out when an organization is responding to an incident. So it's unsurprising and even commendable that Equifax should have taken to Twitter to get its news out. Here again, however, the execution was flawed. The company's Tweets were telling people concerned about the breach to go to securityequifax2017.com instead of equifaxsecurity2017.com. The correct site, of course, (you've seen this coming, right?) was equifaxsecurity2017.com. The one the Tweets were sending people to was in fact a phishing site set up by a white hat, who was curious to see who would arrive. In this case no damage was done, but the mistake persisted for two weeks, which is an uncomfortably long time to send your stakeholders out into a phishnet.

Dave Bittner: [00:07:05:24] Again, the lesson is plain: if we learn nothing else from Equifax's experience, we should at least learn the importance of incident planning, and of exercising those plans when you come up with them.

Dave Bittner: [00:07:18:01] One of the most asked questions about the Equifax breach is why didn't they simply patch their systems more quickly? For some perspective on that, we reached out to Richard Henderson from Absolute Software, a company that specializes in endpoint security and data risk management solutions. Richard is global security strategist at Absolute.

Richard Henderson: [00:07:38:09] I'm on the fence about this, because on one side, I mean I really think they deserve the lumps they're getting, but on the flip side, I understand how difficult it can be for enterprises to really patch that stuff. The issue was that it was a server side vulnerability issue, and that's a whole different kettle of fish when it comes to vulnerabilities on the endpoint. Typically, with your endpoint devices, you run your Windows update, you patch your applications and, for the most you're good to go. The problem with the server side vulnerabilities, in this case with Apache Struts, which is what we believe the issue was, is that it's embedded in pretty much hundreds if not thousands of custom applications, and a lot of these enterprises, they're building their own custom products to be used inside their networks, and it can be very difficult to update that software or that server side software, because one; the code is complex. The code base is very large. You may not even have the original developers on staff anymore, who developed it and someone else is trying to fix it. You may not even know that it's there.

Richard Henderson: [00:08:39:24] So, I feel for them and maintaining and managing and patching vulnerabilities in customized enterprise software is very difficult, but at the same time, we have to understand that it's not 15 years ago, where most of the software that was created back then was very rudimentary, it was very basic, it was easier to maintain. Everything is connected today. Everything's connected to the Internet, you know, we're making this call over the Internet, your cellphone, your desk phone now. Everything on the back end, it's all connected through IP and that means that for enterprises who aren't taking the idea of vulnerability management seriously, they're leaving giant holes in their network, and that's what happened with these guys. They weren't taking that critical vulnerability seriously enough and that means, either they weren't paying attention, or they weren't giving it the significant level of risk calculation that they should have, or just it fell through the cracks. That's entirely possible, but again, there's no excuses, and I don't think we should accept excuses, but at the same time, it's not an easy battle, but this isn't just a problem with them; this is a problem with a lot of enterprises. There's so many things out there that need to be fixed. They really need dedicated teams whose job it is just to monitor what's happening in the world of vulnerability management and they can sufficiently triage or assess the impact of risk on their environment.

Richard Henderson: [00:10:04:21] I feel for them. I feel really bad for the people down in the trenches, the regular IT staff, the regular security staff, who are really taking it on the chin right now, and whether that's rightly deserved or not, is not really for me to say, but at the end of the day, this company was responsible for maintaining the security of some of our most intimate and personal and critical data. So the onus is on them and other organizations who collect similar data to be able to protect that data in ways that go above and beyond what we consider what is expected and norm. They really had an obligation to protect that data, and I think that's where they fail.

Dave Bittner: [00:10:43:21] That's Richard Henderson from Absolute Software.

Dave Bittner: [00:10:48:06] The supply chain problems that backdoored an Avast product increasingly looks like the work of a state espionage agency.

Dave Bittner: [00:10:56:12] The US Department of Homeland Security has clarified and qualified its ban on Kaspersky. Kaspersky software embedded in other vendors' products is not banned, nor are Kaspersky intelligence and training services.

Dave Bittner: [00:11:10:10] And, finally, Motherboard reports, with appropriate skepticism, a new field for the use of chatbots—spiritual counseling. Researchers at Northeastern University and the Boston Medical Center have been working on a chatbot to take the place of a "palliative care coach." You can set the bot to either spiritual or neutral. The spiritual settings come up in Christian, Jewish, Buddhist, Muslim, Sikh and Hindu. The goal is to reduce people's anxiety in the face of death—a good thing, all things being equal, we suppose. But we can't help thinking of Tay, Microsoft's well intentioned AI based chatbot who quickly developed a set of really bad manners. Tay, call your office—you may have a new career in nursing. Or, what the heck, ministry.

Dave Bittner: [00:12:01:20] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than artificial intelligence, unless maybe it's machine learning. But it's not always easy to know what these could mean for you. Go to e8security.com/cyberwire and see what AI and machine learning can do for your organization security. In brief, they offer not a panacea, not a cure all, but rather an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and machine learning are the technologies that can help you do it. So visit e8security.com/cyberwire and see how they can help address your security challenges today. That's e8security.com/cyberwire, and we thank E8 for sponsoring our show.

Dave Bittner: [00:13:00:19] And I'm pleased to be joined once again by Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, welcome back. You know, we were talking about Black Hat. You were mentioning that there was an interesting keynote there, and it was really about sort of staying focused, not chasing shiny objects.

Emily Wilson: [00:13:16:23] Yes, and this is a favorite topic of mine, so I was pleased to see that brought up. I think a good example of this is the recent discussions about the ability to hack our power grids, or other big shiny, scary topics that reasonably would keep you up at night; and the need for the industry to focus both internally and externally about the real problems, and by real problems here, I'm talking about the things that actually cause you an issue day to day. If somebody actually manages to take down the power grid, which is a pretty inflammatory phrase, that would be a real problem. But in the meantime, your employees are being phished and you're reusing passwords and you're not turning on two factor because it's an inconvenience.

Dave Bittner: [00:13:59:03] So is this sort of like people are much more afraid of dying in an airplane crash than crossing the street, but they're much more likely to die when they're crossing the street.

Emily Wilson: [00:14:09:08] It's true, and I think some of that is perspective and some of that is awareness. You can't be worried about crossing the street every time, in the same way that you can't be worried that every time you log into your bank account, that someone's going to steal your credentials. But I think there's a need to be realistic and pragmatic and focused on really targeting the everyday issues that are causing a lot of the problems. You can decide that you want to put a pool in the back yard because you think it'll raise the value of your house, but if you haven't replaced the lock on your front door, maybe your priorities aren't quite right.

Dave Bittner: [00:14:47:14] You make the point that those of us who are in the cybersecurity industry need to sort of drive this conversation.

Emily Wilson: [00:14:53:24] It's true. I think that it's very easy to talk about new, flashy, shiny things, right?We've talked here before about when ransomware has a logo and a theme song, it makes the headlines. And there are important emerging and changing trends to discuss, but it's very easy to get distracted from the day to day reality of what's actually causing problems.

Dave Bittner: [00:15:18:01] And it's also hard to sell those things.

Emily Wilson: [00:15:19:16] Right, there's definitely the buzzword compliance piece of this, right? Everyone wants to check off that list; does it have machine learning? Is it AI? Is it faster than machine time, or whatever? And there's some fatigue over the same things you've heard over and over again. Turn on two factor. Don't reuse passwords. Use a password manager. Talk to your employees about phishing. Don't click on that link. Don't trust what you see. And I think people get tired of hearing it and people also have a sense of, oh, but I know, I know how this works. I'm not going to miss something that obvious. And because of that, people don't want to hear it anymore, and they tune it out and they skip over it because it's much easier to focus on this bigger more abstract concept of a security risk, than you know, the monotony of going through and changing passwords on however many dozens of accounts you have online.

Dave Bittner: [00:16:14:03] So despite all the new scary things coming down the pipe, you still can't take your eye off the basics.

Emily Wilson: [00:16:18:21] I think that's a reasonable way to think of it, and I think that you can worry about every possible eventuality, every one in a 100 million chance, but look at what's actually causing you problems. Look at what's actually putting you at risk day to day, and look at what is actually going to impact your organization now, or you as an individual now. Wouldn't you fix the problems you can fix more easily, instead of worrying about the ones that might never happen?

Dave Bittner: [00:16:45:23] Alright, Emily Wilson, thanks for joining us.

Dave Bittner: [00:16:50:08] And that's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.

Dave Bittner: [00:17:02:06] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.