Dave Bittner: [00:00:00:10] The CyberWire podcast is made possible in part by listeners like you, who contribute to our Patreon page. You can learn more at: patreon.com/thecyberwire.
Dave Bittner: [00:00:12:19] Ethiopia's government shuts down the country's Internet during a period of unrest. TRITON ICS malware update. The FCC moves away from net neutrality. UK warnings about cable vulnerabilities. When a keylogger isn't a keylogger. Security companies patch some products. Pyongyang likes Bitcoin. More on the NiceHash Bitcoin caper. And, stick 'em up: your Ether or your life.
Dave Bittner: [00:00:42:10] Time for a message from our sponsor, Recorded Future. You've heard of Recorded Future: they're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web, to give infosec analysts unmatched insight into emerging threats. We subscribe to, and read, their Cyber Daily. They do some of the heavy lifting in collection and analysis, that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today, and stay ahead of the cyber attacks. Go to: recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. We thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:45:19] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, December 15th, 2017.
Dave Bittner: [00:01:56:09] Unrest and fighting in Ethiopia appear to have prompted the government to shut down most of the country's Internet access. Twitter and Facebook have been out since Tuesday; other services are affected as well. Ethiopian authorities have restricted the Internet in the past, explaining it as a form of rumor control. The country's access to the Internet is relatively easy to shut down, as Ethiopia has a single Internet Service Provider, Ethio Telecom, which as it happens is also state-owned. Voice of America offers a helpful contrast: shutting down the Internet in the United States would require the cooperation of more than 2600 ISPs.
Dave Bittner: [00:02:34:14] There are other ways of reaching people: dial-up, international telephone calls, satellite phones, but the ease and familiarity of the Internet are what people have come to depend on.
Dave Bittner: [00:02:45:19] Investigation into the TRITON attack on a Middle Eastern industrial plant continue. FireEye's Mandiant unit is working on the incident, regarded as unusually dangerous because TRITON infects safety systems. A nation-state is widely suspected, with initial suspicion turning toward Iran. CyberX says the unnamed plant is located in Saudi Arabia.
Dave Bittner: [00:03:09:00] In the US, the Federal Communications Commission has canceled the net neutrality policy it had operated under. We're unsure of what the implications of this will be, beyond one implication: cue the lawyers. A lot of litigation is expected to follow.
Dave Bittner: [00:03:24:00] The UK's senior military officer warns that Britain's undersea cables are vulnerable to disruption. He sees them as an attractive target for Russian operators. International cables have been cut, tapped, and otherwise meddled with since the First World War, so we've got about 100 years of proof-of-concept to work with here.
Dave Bittner: [00:03:42:04] Synaptics wants everyone to be clear: that issue with its keypad on HP laptops involved a debugger. Synaptics isn't in the keylogger business, and they'll be taking steps to remove such development tools from their products going forward.
Dave Bittner: [00:03:58:01] In patching news, two security companies have issued fixes for some of their products. Fortinet has patched a credential leaking flaw in its VPN client. Palo Alto Networks also has a patch out, theirs for a hole in its firewall that could permit remote attacks.
Dave Bittner: [00:04:14:03] We've had a lot to say about Bitcoin lately, most of it in the context of bad news, so some preliminary clarification is in order. Bitcoin is used for many legitimate purposes, as well as for the dodgy ones we all too often hear about. Not only do criminals often demand ransom or other payments in Bitcoin, but pariah states have an interest in cryptocurrency as well, because necessity is the mother of invention.
Dave Bittner: [00:04:39:03] Consider North Korea. Its finances crippled by international sanctions, the DPRK seems to be increasingly turning to Bitcoin as a source of badly needed funds. There are some signs Pyongyang may be engaged in mining Bitcoin, but they're also working on the faster payoff attainable by direct theft. Secureworks has been tracking a phishing campaign in which North Korean operators circulated a job opening: CFO for a Bitcoin financial services company based in London. The company was legitimate, but the position announcement was phishbait, dreamed up in Pyongyang using a spoofed source. The goal was apparently to find people engaged in trading Bitcoin who could be induced to open a malicious document that would enable the attackers to harvest their cryptocurrency credentials and then drain their wallets.
Dave Bittner: [00:05:27:02] KrebsOnSecurity has turned up an interesting fact about last week's attack on the Bitcoin mining trading platform NiceHash. The CEO of NiceHash, Matjaž Škorjanc did prison time for his role in creating and selling the Butterfly botnet. He was also instrumental in founding the online forum for criminals, Darkode. He has denied to Slovenian media that he had anything to do with the disappearance of $52 million in Bitcoin from the exchange he runs. His denials were, according to Krebs, "vehement." And we note that he hasn't been accused of anything.
Dave Bittner: [00:06:02:13] And lest we think of cryptocurrency crime as being either tech-savvy, subtly socially engineered, and very white-collar, we should think again. This story arrives courtesy of the Manhattan District Attorney, whose office has announced that it's charged a guy in connection with an Ethereum robbery. One Louis Meza, a New York City resident, has been charged with arranging a stick-up to relieve one of Mr Meza's friends of said friend's valuables. The stick-up man specifically demanded the password to the victim's Ethereum wallet.
Dave Bittner: [00:06:33:14] Here's how it happened. Mr Meza invited his friend, unnamed in public documents, over to Mr Meza's apartment for a meeting. The meeting concluded, and Mr Meza appeared to call a car service to take his friend home. Once the friend was in the car, the driver pulled a pistol and demanded the friend's house keys, wallet, phone, and, significantly, the password to his Ethereum wallet.
Dave Bittner: [00:06:56:09] The DA says that the day after the kidnapping some $1.8 million in Ether cryptocurrency turned up in Mr Meza's personal account, the friend's digital wallet having been relieved of a comparable sum. The DA also says they have video surveillance images from the victim's apartment showing Mr Meza letting himself in with the victim's keys and then exiting with items associated with the victim's digital wallet. Mr Meza, who of course is fully entitled to the presumption of innocence, says he didn't do anything. Still, the Manhattan DA seems to have enough to make this particular episode of Law and Order run for only about 20 minutes, instead of the full hour, including commercials. Again, these are allegations. Anyone mentioned in connection with any alleged crime is considered innocent until proven guilty.
Dave Bittner: [00:07:49:09] Now I'd like to share a message from our sponsor, Nehemiah Security. Fellow cyber security leaders, when your CEO asks department heads for a status update, do you envy your colleagues, like the VP of Sales, or CFO, who only have to pull a report from a single system? Instead of deploying a team of people to check multiple systems, and then waiting for them to report back, do you wish you had a single place to get the information you need to communicate with the CEO? Nehemiah Security is here to put that power in the hands of the cyber security leader. It's time for a quick solution that allows you to go to one place to get the security information you need, quickly, and in business terms your CEO can understand. Nehemiah Security gives cyber security leaders the ability to report cyber risk in terms of dollars and cents. Visit nehemiahsecurity.com to learn more, and get a free customized demo, just for CyberWire listeners. Visit nehemiahsecurity.com today. We thank Nehemiah Security for sponsoring our show.
Dave Bittner: [00:09:00:13] Joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, we're going to talk today about breach fatigue. I have a lot of thoughts about this, but before I jump in, why don't you tell us what you're thinking?
Emily Wilson: [00:09:12:13] Is it bad to make a joke that I'm tired of this talk? I do have thoughts, just as someone who sees so much data, all day every day, getting leaked, letting people know that there are problems. We were talking earlier about whether it's attacks that are impacting organizations, call it NotPetya, call it WannaCry, or breaches that are impacting individuals, Equifax, or the new updated Yahoo account. The hits just keep coming. It's been interesting to watch, both as an individual, and as someone in this industry. People get worked up about the next new thing, as they should. Equifax was huge! There's nothing else on that scale that we've seen so far, and everyone was rightly outraged, and rightly concerned for a few weeks. But there are no immediate implications, whether for the individuals, or for the parties that were involved in letting this happen.
Emily Wilson: [00:10:18:04] What is going to be the thing that actually starts driving changes? How are we actually going to break through this? What is something that's going to hold the attention of individuals or policy makers? Maybe it is Equifax. Maybe I'm being pessimistic, but I'm feeling pretty pessimistic right now.
Dave Bittner: [00:10:35:07] I agree. I think there's several things to unpack here. I think part of it is the victim's of this breach may never see any results from it. They may never get affected, they may never get breached. So there's no direct correlation of Equifax got breached, and now all my money has gone. It's not like a banking failure, a savings and loan failure, or something like that. This sort of thing happened, and it's bad. It may hit me, it may not. If it does hit me, do I really know that it was this one that actually hit me? The direct cause and effect isn't there, where people can get really wound up and go to their policy people and say, you let this happen; I demand you fix it. What happened to my money? Or my safety? Or, whatever. What do you think about no-one goes to jail? GDPR is going to happen, this coming next year. And, even with GDPR, big fines, that's great. No-one goes to jail.
Emily Wilson: [00:11:38:08] No-one goes to jail. People have fines, as you mentioned. These fines toward companies, let's remember, not individuals. No-one goes to jail. People lose their jobs. People may be brought before Congress and asked difficult questions, but is anyone being held accountable? This is one of the conversations I was having when I was over in the Netherlands recently. I was talking to people about Equifax and people were saying that they had largely been hearing about it as a huge embarrassment. They asked me if I thought anything was going to happen to the people responsible. It's a little sad, but it was phrased as a joke. It was phrased as a rhetorical question, because they all knew that nothing would happen.
Dave Bittner: [00:12:24:06] These folks, they get brought in front of Congress, they get asked some difficult questions. They suffer through it. Perhaps they resign, they retire early. They still get their golden parachutes. I think there's a general feeling that justice is not done, when we have these big breaches. Generally the companies don't go out of business. So there isn't even that moral hazard of a company failure.
Emily Wilson: [00:12:50:02] I think that contributes to this feeling of breach fatigue, because you're just tired of hearing about some new thing that's impacting you, and you never see anything come to fruition. You mentioned the fact that some of these people are going to be impacted by the Equifax breach. Some of these individuals are going to have a problem, but they're not going to know it's Equifax. There's that lack of closure. But there's also lack of closure on the responsible parties. So it's not even as though you can be outraged and be exhausted by all of this, but then justice is served. Everything just keeps turning.
Dave Bittner: [00:13:26:18] Like you, I don't have any answers. It is frustrating. Hopefully we'll see a day when some of these policy issues need to be taken care of. It's hard for me to imagine what's going to be the thing, as these breaches keep getting bigger and bigger, we say to ourselves, well, this must be the one. And it doesn't ever seem to be.
Emily Wilson: [00:13:49:05] Absolutely; what's going to be the thing? And, also, what does justice look like?
Dave Bittner: [00:13:57:06] Well I wish we had answers. These are important conversations, and I appreciate you taking part in it. Emily Wilson, thanks for joining us.
Dave Bittner: [00:14:09:24] Now a moment to tell you about our sponsor, Roqos. You think cyber security begins and ends at the office? Of course not! And since you're listening to this podcast, we know you know better. Our homes are often an extension of our workplace. More people than ever are working from home, connecting to their corporate networks through the same router that their kids, or maybe their parents too, are using to access Clash of Clans, and watch Jacksepticeye on YouTube. That means it's as critical to secure home Internet access, as it is to lock-down a company network. Roqos Core is the first home router running Suricata-based IPS, with client and server VPN for privacy and remote access, as well as parental controls. Open VPN-based Roqos Global VPN Network allows you to access local content around the world, and you can manage more than one router through Roqos Cloud, too. It's a more connected, safer, and smarter life. Visit: roqos.com and save $75 during their holiday promotion. We thank Roqos for sponsoring the CyberWire.
Dave Bittner: [00:15:24:20] My guest today is Colleen Huber. She's a Product Manager at MediaPro, a company that describes themselves as "learning services company that specializes in the area of information security, data privacy, compliance, and custom online courseware". They recently published the results of a survey of over 1000 finance employees, their 2017: State of Privacy and Security Awareness Report. Colleen Huber joins us to share the results.
Colleen Huber: [00:15:51:13] Our goal is to identify and improve employee behavior across that wide range of risk. We asked respondents a variety of questions based on real world scenarios, and then, based on those responses, we classified them into three different categories. The three categories are three different risk profiles, meaning, privacy and security risk. Those respondents who scored the lowest, followed by novices, and then at the top privacy and security heroes. Those are just based on the percentage of privacy and security where behavior is that the respondent identified.
Dave Bittner: [00:16:27:01] How did it break down? How many people fell into each of those categories?
Colleen Huber: [00:16:31:17] Those people who we classified as risks – meaning that they posed a risk to their company – 19% of those employees fell into that category. Meaning, something like one in five employees. It was kind of scary. So, we know that it takes just one person to put information at risk. But, when we know that's more like 20% of people that's really tough. The novices did better: 51% of the population fell into the area. These folks had a clue on some things, but they had pretty serious gaps in other areas. So, for example, let's say that I know everything there is to know about cyber security; I change my passwords, I make sure that everything is patched, but I let somebody just walk in through the front door, without checking if they have a badge, or if they're authorized to be there. I would probably be classified as a novice.
Colleen Huber: [00:17:26:22] These people, in my mind, are still a real source of concern for an organization. The good news is that about 30% of employees fell into the highest category: security heroes. This means they could usually be trusted to do the right thing. "Usually" is the key word there. This is the second year of our survey, and I expect that we'll do another survey next year, but it's hard to say what's more notable in our findings, the fact that so many people move from novice to hero, or that the number of people classified as "risk" really barely changed at all.
Dave Bittner: [00:17:59:21] Let's talk about that. Year over year, it seems that we are headed in the right direction.
Colleen Huber: [00:18:06:12] Yeah, and I'm really hopeful that we're going to continue to see general improvement in the security and privacy awareness. I really that speaks to the work being done by organizations all over the world, MediaPro included. But there is always more work to be done.
Dave Bittner: [00:18:25:03] Was there any particular area that stood out to you as really needing improvement or attention?
Colleen Huber: [00:18:30:21] About 24% of employees were asked a hypothetical question about controlling access to their organization's property, to their building. 20% of those respondents said that they would hold their office door open for someone who asked to enter, even though they didn't have, maybe, the proper identification. So this is the classic tailgating story. Based on last year's finding, the general public seems to have gotten worse at recognizing these kind of security threats. Last year, only about 19% of respondents let the same person through the door. It's interesting, because we spend so much time talking about phishing and information risk, but keeping the bad guys outside the building is still a pretty big issue.
Dave Bittner: [00:19:21:00] It's notable also because it's not so much a technological solution, as it is just human nature.
Colleen Huber: [00:19:29:02] Right. It's a culture thing. It's like, how do you create a culture in your company where it's okay to stop people from coming in the front door, when people want to be polite to each other. So that act of asking people to check in with security, or to show their badge, can feel awkward. Yet, really big companies do that culture piece of it really well. So we know it's possible, it's just a matter of building that culture into the organization, where it's okay to stop and ask, or to stop and ask to see a badge.
Dave Bittner: [00:20:02:02] Was there anything from the results of the survey that you found particularly surprising?
Colleen Huber: [00:20:07:21] We know that phishing is this hot button issue, and study shows that phishing is the primary cause of data breaches and malware infections. In our survey, when respondents were presented with four emails – they were asked to identify them as phishy, or legitimate – only about 8% of employees proved to be a risk. That's actually really decent, compared to all of the other categories. There's also some real improvement from last year, when it comes to identifying email phishing; 92% of respondents correctly identified an example with a suspicious attachment, 75% last year. What I find so surprising about it, and I want to be optimistic about this phishing number, because it's the best single risk number in our whole survey. Yet, if just one email with a malicious payload gets through, the company's toast, right? Let's just take our 8% number and say that, a company with 5000 employees, each of these employees gets just ten phishing emails a year, and that's ten that slip through both the technical defenses that IT has already put in place.
Colleen Huber: [00:21:26:24] Ten emails for every 5000 employees, that 50,000 emails. And if the fail to recognize rate is only at 8%, that's still 4000 potentially dangerous attachments that get downloaded, or those links get clicked. So it's an area where I still think most companies are going to want to spend a lot of effort, even though the numbers are improving.
Dave Bittner: [00:21:53:15] That's Colleen Huber, from MediaPro. You can check out the complete survey, the 2017 State of Privacy and Security Awareness Report, on their website.
Dave Bittner: [00:22:07:21] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using artificial intelligence, visit: cylance.com.
Dave Bittner: [00:22:19:24] The CyberWire podcast is proudly produced in Maryland, out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.
Dave Bittner: [00:22:29:15] Our show is produced by Pratt Street Media. Our editor is John Petrik; social media editor is Jennifer Eiben; technical editor is Chris Russell; executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.