Comments on the Deloitte breach. SEC Commissioner talks to the Senate. Sonic breached. Vulnerable stock-trading apps. Russian influence operations shift their focus.

Dave Bittner: [00:00:00:01] We've got some great Patreons, in fact we had some folks from the national hockey league players association security team in Baltimore recently and we got together with them, you can see that picture on our Patreon page, at Patreon.com/thecyberwire, check it out.

Dave Bittner: [00:00:16:20] Deloitte continues to investigate it's breach saying little, but other people are talking. The SAC tells the senate it's deeply concerned about its own breach. Popular iOS and Android stock trading apps are found vulnerable. Sonic drive ins have sustained what looks like a pretty big breach. Russian influence operations against the US are turning towards local Government religious groups, civic associations and others at the grass roots.

Dave Bittner: [00:00:48:17] Time for a message from our sponsor Recorded Future, threat intelligence enthusiasts will be joining Recorded Future in Washington DC this October 4th and 5th, this annual conference now in it's 6th year brings together the analyst and operational defenders who apply real time threat intelligence to out innovate the adversaries, so come and meet the Recorded Future team, they love chatting with new and old friends, Recorded Future cordially invites it's customers, partners and all threat intelligence mavens to RFUN 2017. Share tips, insights and challenges, improve your analytical skills, hear from industry leaders and learn from the best. We'll be there too, we're going to be podcasting from the event on the 5th. Find out about the latest threat intelligence techniques and best practices. Register now at Recordedfuture.com/rfun. That's RFUN and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:50:02] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, September 27th, 2017.

Dave Bittner: [00:02:00:20] Deloitte continues to say little about its breach, maintaining its position that a few clients were affected. Outside observers think the incident involved failure to use multi factor authentication on an admin account. They also think earlier reports that Government organizations were affected seemed to have been inaccurate. We heard from experts at Vasco Data Security and Virsec systems who offered their views on the incident. Vasco's John Gunn thinks massive leaks of pay card information and social security numbers have flooded the black market, to the extent that these commodities have become devalued. There's a glut on the market, Gunn told us in an email, "what we will see now is a continuing rise in attacks on other sources of confidential data that can profit attackers. Material information that could be used, for example, for insider trading or to yield trade secrets is now, much more attractive than mere credit card number theft. Firms such as Deloitte that have troves of sensitive, non public information that could be used for illegal trading activity will find themselves increasingly in the cross hairs of sophisticated hacking organizations."

Dave Bittner: [00:03:06:04] William Leichter of Virsec commented that "what's critical is to react quickly and close the window of opportunity to limit damage. If Deloitte had set up a security system for a client that didn't detect a breach in more than six months they would be fired or worse."

Dave Bittner: [00:03:21:14] We asked Mr Gunn and Leichter some follow up questions first Deloitte has said that only six customers were affected and these only in relatively minor ways, are there any indications the breach may have been more wide spread or more serious? Gunn said, "My guess is that the hackers were likely seeking confidential or inside information that they could use for gain in stock trades or for blackmail purposes. It would be very challenging to make a reliable estimate of how many parties may have been affected. If none of the information taken had any value then the answer is 0."

Dave Bittner: [00:03:55:16] Leichter had a different take and he sees the slow response as telling both in the case of Deloitte and in that of Equifax, he said, "Deloitte has not acted like this is a small or trivial breach, even if only six of their Fortune 500 clients were affected, this still could represent tens of thousands of records, multiple sources have reported that email servers and administrator accounts were compromised, and the damage could be extensive. But the lack of transparency and slow response from Deloitte, Equifax, and other breached companies creates frustration, confusion and more distrust."

Dave Bittner: [00:04:31:02] We asked about reports that credit card information may have been lost, that seemed to be an almost reflexive aspect of early reporting on the breach. It's not clear what was lost, beyond emails but Gun pointed out the unlikelihood of Deloitte clients paying with credit or debit cards, "this was not a traditional attack, like the ones that we see against retail organizations with massive pools of consumer payment information."

Dave Bittner: [00:04:54:08] Finally, we asked them whether they had any insight into why it took so long for this breach to become public, Deloitte has apparently known about it for a few months. Gun things the delay is unsurprising. He said, "corporate network breaches are not like a physical break in, you don't walk in one day and see a broken door and glass all over the floor." So Deloitte hasn't necessarily been stone walling, sometimes it simply takes a while. As Gunn explained, "It can take many months of complex forensic work to confirm that a breach occurred and to determine the extent of the intrusion and possible damage." Leichter thinks there are lessons here for public policy, he said, "there is a fundamental problem with most disclosures of public breaches, while there are breach notification requirements in 47 states there are not strict rules on time lines and how much needs to be disclosed. Many companies fall back on disclosing as little as possible and waiting as long as possible to hopefully manage the fallout. But as we've seen in many cases, the fallout is usually worse, if companies delay disclosure and consumer data can be exposed for long periods without their knowledge, we need to look at the new European GDPR rules, which require notification of any serious breach to authorities within 72 hours."

Dave Bittner: [00:06:11:14] If you're an employer, no doubt you try to strike a balance between respected your employees privacy and securing your network. In the US Employers have the right to monitor what workers do on company owned machines but nobody likes to think that the boss is looking over their shoulder. Still there are certain kinds of activity that can and should set of warnings. Pornography is an obvious one, but what about radicalization? How can you tell if a network user is simply curious about something they read in the news or on a path towards being brain washed and radicalized? Isaac Cohen is CEO at Teramind and he offers his perspective.

Isaac Cohen: [00:06:47:16] When a position starts by person doing research, essentially, either because they've heard of something or you know, something triggers their desire to learn more about it. And then as they do research, they come to certain websites, certain elements in social media that coach them and sort of brain wash them into that material that they want to brainwash. So obviously it's a big problem. Early detection is extremely important, so you want to tackle the problem at the initial research stage and it's definitely something that educational institutions and even commercial organizations.

Dave Bittner: [00:07:24:04] So give us an overview here, if I'm an organization and my employees are using their systems to search to do research to just, you know read things that they're interested in on their lunch hour or before or after work, what are my rights and responsibilities when it comes to that sort of web browsing?

Isaac Cohen: [00:07:40:12] I would say each country has its own rules and laws governing privacy. What we focus on is employee usage of company computer, company hardware during work hours, that really narrows it down but it's better than nothing and you look at it, objectively that's eight hours of an employees they spend on computers a day so you can still capture a lot of that person's activities for better or worse. You don't have to actively report or monitor anything, I'm not talking about specifically any one software or another but what you can do is just define triggers, so when someone sees the word Jihad or some other relic position keyword on the screen then trigger an alert. Without violating that person's privacy, without monitoring what they do in their private bank account for example.

Dave Bittner: [00:08:32:07] So, how do you differentiate between someone who may just be curious about something, maybe against the thing that they're searching for and is just looking to do some research to, to educate themselves, versus someone who is headed down a slippery slope that you may want to get in the way of.

Isaac Cohen: [00:08:49:16] Well the larger the organization, the easier it is, because a large organization will have a baseline for anomaly detection, right so if you have a 10,000 person organization then nth percent, a very small percentage but whatever will be interested in this type of thing and research this. However, if 3% research Jihad but three people in the organization research it six hours a day then those three people should be under watch or they will be the anomalies so it's not necessarily just a keyword trigger, right, you would also say well where is the key word is it in an outgoing email that might have more weight than just browsing a website and if it's in an email, well how many emails went out to how many recipient? If it's in a website, what was the domain of the website? Was it CNN or was it something in the dark we?. So there are many, many factors you can look at, it's not as simple as a person seeing this keyword on the screen that would trigger lots of false positives and it would lose it's value. If you think about it it's just as sensitive as investigating someone who might research about suicide. It is something that you wouldn't want to tell others, you would want to approach this person in an extremely sensitive way, so you have to mitigate, people get radicalized, people from all walks of life, people get brainwashed, the faster you catch it the less damage you'll have.

Dave Bittner: [00:10:04:09] That's Isaac Cohen from Teramind.

Dave Bittner: [00:10:09:13] Taking a quick look at our CyberWire event tracker, the SANS Technology Institute has an on-line information session September 28th, that's tomorrow where you can learn all about how to earn a Masters Degree in cyber security that's at noon on the 28th. Coming up on the 9th and 10th of October in Krakow, there's an event being held by CyberSec the European cyber security forum, it's called Dealing with Cyber Disruption. ClearedJobs.net is hosting a CyberMaryland job fair on October 11th in Baltimore and UMBC has a cyber security graduate program, information session and that's on October 11th in Rockville Maryland, the International Information Sharing Conference is coming up October 31st through November 1st in Washington DC, it's called Cyber Security is a Team Sport and we here at the CyberWire are pleased to present the fourth annual women in cyber security reception that's coming up Tuesday October 17th here in Baltimore, Maryland. You can find more about all of these events and how to list yours at the CyberWire.com/events.

Dave Bittner: [00:11:09:23] Moving to another big breach story, the US Securities and Exchange Commission told the Senate that while it's deeply concerned, no personal information was compromised. To most observers that was never a concern. Exposure of sensitive material, corporate information was the issue.

Dave Bittner: [00:11:26:02] One newly reported breach and it's a large one does involve that co-modified pay card data that weren't the apparent targets of the hoods who hit Deloitte and the SEC. This news comes from the US drive in restaurant chain, Sonic. The breach came to light yesterday as banks traced patterns of fraud to the Oklahoma based chain. Investigation is in its early stages but millions of cards could be affected.

Dave Bittner: [00:11:51:02] IOActive took a look at the security of 21 popular mobile stock trading apps and found them wanting. Many didn't require two factor authentication to access bank accounts, man in the middle vulnerabilities were common and some didn't encrypt traffic.

Dave Bittner: [00:12:08:04] Investigation of Russian influence operations in the US continues, the goal is by now clear. Disruption and erosion of the trust that sustains civil society. There are foreign policy argues signs that Russian information operations are shifting away from national targets and moving toward local governments, associations, religious groups and activists, this is nothing new considered against the background of Russia's history with propaganda.

Dave Bittner: [00:12:36:08] Retrospectives on WannaCry continue to attribute the ransomware or pseudo ransomware to North Korean operators using tools allegedly stolen from NSA. In an information operations display, Russia's Sputnik News strongly connects those tools with the US agency, but passes over in silence how those tools were obtained and released. After all, in influence operations, the important lies need a bodyguard of truth.

Dave Bittner: [00:13:07:08] A few words from our sponsors at E8 Security. If you've been to any security conference over the past year you've surely heard a lot about artificial intelligence and machine learning, I know we have. But E8 would like you to know that these aren't just buzz words. They're real technologies and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. Go to E8security.com/CyberWire and let their white paper guide you through the possibilities of these indispensable emerging technological tools. Remember the buzz around artificial intelligence isn't about replacing humans, it's really about machine learning, a technology that's here today. So see what E8 has to say about it and they promise you won't get a sales call from a robot. Learn more at E8security.com/Cyberwire and we thank E8 for sponsoring our show.

Dave Bittner: [00:14:02:20] Joining me once again is Ben Yelin, he's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben we saw a story come by via Krebs on Security about a new bill that's trying to improve internet of things security standards.

Ben Yelin: [00:14:18:16] Yeah so this is introduced in the United States Senate it has five parties in support it was introduced by a Republican Senator, Corey Gardner and Steve Daines and it's also supported by Mark Warner and Ron Wyden who are Democrats and the bill will direct the White House office of Management and Budget, OMB, who does Government contracting to develop alternative network level security requirements for devices with limited data processing and software functionality, it requires every executive agency to inventory all of their Internet connected devices in use by the agency, to make sure that the devices can be patched, for example when security updates are available. So that the devices are not hard coated and to make sure that the vendors that they're using are ensuring that the devices are free from all vulnerabilities when they're sold, obviously this comes in the wake of very high profile cyber attacks, most notably on the office of personnel management a couple of years ago. And the bill is supported by basically every relevant group you could think of. This article mentions the senate for Democracy and Technology the Berklett cybersecurity project over at Harvard, the Berklett client center for Internet and society, so it's a widely supported bill at least at this point, obviously, with such an anemic congress we never know the true likelihood of it being an active, but I think the chances are pretty good.

Dave Bittner: [00:15:43:15] And would this apply to purchases by the federal Government itself, so this is really only applying to Government things and not necessarily for example consumer devices?

Ben Yelin: [00:15:53:12] Yeah, so this would apply to Government vendors, meaning when the Government makes a purchase, when they make millions of purchases they would meet to make sure that the devices that are being sold have to have a basic level of security, if it is a device that's in IoT, internet of things device. So this does only apply to Government purchasing, but as we see in all areas of the law and policy, sometimes the Government can really set the standard, when the Federal Government wants to make a change for example, to health policy, some sort of payment reform, they'll do it through Medicare which is a Government program but because Medicare is such a large payer it ends up having a ripple effect on the rest of the healthcare system and I think sort of the same thing is happening here.

Dave Bittner: [00:16:40:18] If the standards for Government vendors are higher, then perhaps the private sector will naturally follow suit, because the Government is such a large purchaser of these devices.

Dave Bittner: [00:16:50:15] Ben Yelin, thanks for joining us.

Dave Bittner: [00:16:54:24] And that's the CyberWire, thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance, to find out how Cylance can help protect you using artificial intelligence visit Cylance.com.

Dave Bittner: [00:17:07:12] This CyberWire podcast is produced by Pratt Street Media, our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner, thanks for listening.