Dave Bittner: [00:00:03] A leaky API may have exposed Salesforce customers' data. TSMC reports a virus in its semiconductor plants. TCM Bank discloses a pay card application leak. Ransomware in Hong Kong. The unbearable, irresistible urge to monetize data. Notes on automotive cybersecurity. Depending on whom you ask, the Bitfi wallet was either hacked or not. And a new goodwill ambassador seeks to repair U.S.-Russian relations.
Dave Bittner: [00:00:38] Time for a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you will save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. The pioneer in threat intelligence platforms, ThreatConnect provides organizations a powerful cyber threat defense and the confidence to make strategic business decisions. And if you're in Vegas for Black Hat this week, stop by ThreatConnect's booth - number 1414 - to get a demo and see the platform in action. And you can always learn more and get a free ThreatConnect account at threatconnect.com. And we thank ThreatConnect for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:51] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 6, 2018. Salesforce has warned customers that a leaky API may have inadvertently exposed their data. The widely-used customer relations management software provider says it found the problem on July 18. According to Salesforce's disclosure, the leak affected a subset of Marketing Cloud customers who used its Marketing Cloud Email Studio and predictive intelligence products. The source of the issue is thought to be, Salesforce says, a code change the company rolled out in the first week of July. There's been no evidence that the exposed data was illicitly obtained or maliciously used by any bad actors, but of course absence of evidence isn't evidence of absence. Sure, they say that about Bigfoot and remote viewing, but it's true nonetheless. In this case, affected customers would be well advised to take precautions, perhaps heightened awareness to the possibility that their Salesforce data might be used for social engineering.
Dave Bittner: [00:02:57] Late Friday, Taiwan Semiconductor Manufacturing Company, TSMC, shut down operations after it was hit by what's been vaguely characterized as a virus. More information is expected this week. TSMC is a major supplier of chips to Apple. The company did say it was not the victim of a hacker, which might indicate that this issue was either a glitch or the work of an insider. Again, more information is expected soon. Taiwan is often the subject of Chinese industrial espionage and other forms of cyberattack. The preliminary reports have aroused the usual suspicions of the usual suspects, but any attribution would be very premature.
Dave Bittner: [00:03:40] TCM Bank, which provides about 750 community banks in the U.S. with an option to offer bank-branded credit cards, disclosed that a mis configured website exposed data on card applicants between March 2017 and July of this year. The information includes names, addresses, dates of birth and Social Security numbers.
Dave Bittner: [00:04:04] A small number of Hong Kong health care IT systems have been infected with crypto ransomware. There's no ransom demand reported yet, so whether this is a serious criminal attempt or some casual side effect of some other activity is unknown.
Dave Bittner: [00:04:20] The hood who's apparently behind GandCrab ransomware is sore at AhnLabs. The South Korean cybersecurity company recently developed and made generally available a vaccine against his malware. This understandably cut into his profits, and, well, he's upset. He's retaliated by sending Bleeping Computer an alleged zero-day for an Ahn product.
Dave Bittner: [00:04:45] With data drawing the attention of commercial, criminal and intelligence services the way meat draws flies, the U.S. Census Bureau is working to secure its 2020 census, the first one to be fully digital against data theft. The attraction of data and the pull toward the monetization of information would seem so strong as to be virtually irresistible. We heard a strong case for this made Friday at the Billington Automotive Cybersecurity Summit in Michael Chertoff's keynote address. The former secretary of Homeland Security and present head of The Chertoff Group thinks that autonomous and connected cars - that is, the soon-to-arrive generation of vehicles that are even more connected than the ones we drive today - will collect enormous quantities of information that many will find irresistible. That is, many will find the prospect of monetizing such data irresistible. Chertoff pointed out early signs of insurers wishing for more data on how people are actually driving. And he warned that this, in some respects, legitimate interest could lead to unpleasant forms of surveillance and loss of privacy. That criminals, too, would be interested in monetizing that data goes without saying.
Dave Bittner: [00:05:57] Chertoff mentioned Silicon Valley's recent realizations that not everything is ducky with response to the personal information the captains of digital industry currently sweep up. And he suggested that the automotive industry should consider and learn from the experience of Facebook. One wonders the extent to which Facebook itself has fully reflected on and learned from its own experience. Unless Facebook, as Talleyrand is supposed to have said of France's restored Bourbon monarchy, has forgotten nothing and learned nothing, there's an example of that pull in the social media giant's recently disclosed approach to banks. They'd like ways of gaining access to customer financial information through their platform, the better to provide goods, services and an advertising demographic that would be susceptible to rifle shot marketing. The banks are said in The Wall Street Journal's account to be leery of the approach, as well they might be.
Dave Bittner: [00:06:54] Another keynote address at the Billington Summit might give social media pause. Senator Gary Peters, Democrat of Michigan, in an aside during his discussion of coming legislation that would provide a more permissive, more innovation-friendly suite of automotive regulations, observed that it might be time to consider treating some IT firms as utilities, particularly those social media platforms that enjoyed quasi-monopolistic market share. Back on July 24, John McAfee, cybersecurity pioneer, cultural gadfly and sometime candidate for the Libertarian Party's nomination for the U.S. presidency, tweeted the following about an absolutely secure cryptocurrency wallet he was involved with. Quote, "for all you naysayers who claim that nothing is unhackable and who don't believe that my Bitfi wallet is truly the world's first unhackable device, a $100,000 bounty goes to anyone who can hack it" - end quote. He added a version of the traditional poker table smack talk money talks, baloney walks, which we bowdlerize (ph) because we're a family show. Bitfi anted up a quarter million of its own to sweeten the pot.
Dave Bittner: [00:08:04] Anywho, about a week later, it was reported that some guy said, yeah, they hacked it, and there's now a dispute over whether Bitfi was or was not successfully hacked. CNET describes the hackers as led by a self-described IT geek in the Netherlands who uses the handle @OverSoftNL. On Wednesday, he tweeted that he and his chums @cybergibbons - that's Andrew Tierney of Pen Test Partners - and @gsuberland - that's Graham Sutherland - had popped open a Bitfi, which they described as a stripped down Android phone, and they got root access to it. So they wanted to claim the pot, but Mr. McAfee is having none of it because going root doesn't count. We quote - "the press claiming the Bitfi wallet has been hacked - utter nonsense. The wallet is hacked when someone gets the coins. No one got any coins. Gaining root access in an attempt to get the coins is not a hack. It's a failed attempt. All these alleged hacks did not get the coins" - end quote. For it to be a hack in the relevant sense, the hackers needed to get all the coins, which they didn't. Team @OverSoftNL, for its part, isn't buying that either and have denounced the whole bounty as a sham because if getting root access doesn't count as a hack, what does? We're not sure who adjudicates such things, but we're pretty sure some member of the plaintiff's bar has a few ideas.
Dave Bittner: [00:09:32] Finally, in news that will come as a relief to all peace-loving peoples, the BBC reports that Russia's Foreign Ministry has announced the appointment of Steven Seagal as an unpaid goodwill ambassador to the United States. In the capacity, Mr. Seagal, who was granted some form of Russian citizenship in 2016, will work to reduce bilateral tensions between Moscow and Washington that have seen so much play in cyberspace of late. The CyberWire's political science desk, which has long been an admirer of Mr. Seagal, especially his signature role as the Glimmer Man, thinks this appointment a better one than Mr. Dennis Rodman's former association with North Korean leader Kim Jong Un. We await news of an appropriate response from the U.S. State Department.
Dave Bittner: [00:10:24] And now, an open letter from your dedicated SOC analyst. Our team works around the clock, yet we're being flanked on all sides and can't get in front of threats fast enough. If we had a theme song, it would be "The Roof Is On Fire." Speaking of fire, each attack is more sophisticated than the last, and our current operations aren't advanced enough to keep up. Our team is already stretched thin, and companies keep poaching our talent pool, affecting our level of trade craft. We need help and fast. On the metro, I heard an ad from a company called LookingGlass Cyber Solutions. They have, as a service, security solutions built upon 20 years of experience, proper security chops and the infrastructure to support security teams like ours. It's time the good guys scored a point. Learn more at lookingglasscyber.com.
Dave Bittner: [00:11:24] And joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks. He also heads up Unit 42, which is their threat intel team. Rick, welcome back. I had a term come across my desk recently that I wasn't familiar with. It was superforecasting, and I thought this was something that I could check in with you on. Bring me up to date here. What are we talking about?
Rick Howard: [00:11:45] Well, we're talking about risk analysis or risk assessment. And I picked up superforecasting because of a book I read a couple years ago. It's called "Superforecasting: The Art and Science of Prediction" by Philip Tetlock and Dan Gardner, OK. And I love - these guys have been writing about forecasters of things, OK? And how does that apply? It applies to the intelligence community. It applies to business, assessing a risk and all that. And the reason Dr. Tetlock got interested in this back in the early 2000s was that, you know, he was watching CNN, and CNN rolled out a pundit to talk about some issue. And they rolled him out because he got something right once in his career, but he's been wrong ever since, OK? Every time he's predicted something after that, it's been wrong, right (laughter)?
Rick Howard: [00:12:31] So Dr. Tetlock gets angry at this, and says, I wonder if we can measure this. How come we don't keep score for, you know, pundits who forecast things? So he brings in three groups - an intelligence community, the academic community and a group he called the soccer moms. Now, they weren't really soccer moms. They were, you know, older people who had time to solve problems. And he gave them 500 really hard problems to forecast, things like will President Putin get assassinated in the next three years? What's the probability of that, right? And he graded him over five years. And who do you think wins this big contest?
Dave Bittner: [00:13:06] I'm going to go out on a limb here and say soccer moms.
Rick Howard: [00:13:09] Yeah, I think I buried the lede.
Rick Howard: [00:13:14] They did by 40 percent, OK?
Dave Bittner: [00:13:15] Wow.
Rick Howard: [00:13:16] I mean, 40 percent, and there's lots of reasons for that that Dr. Tetlock talks about in his book, but there's a couple of things I got out of that book that I wasn't doing in my own risk assessments, right? And the first one was you have the time bound your predictions. You just can't go to your board and say, you know, I think we might get hacked. Sure, OK, that's going to happen. But if you change the question and it says I think the probability of us being hacked in the next three years is, you know, 2 percent, that's a different problem, all right? So that's the first thing I learned from all this.
Rick Howard: [00:13:47] And as I was going through that book and a couple of other books that have taken up the banner here - and those two books are "Measuring and Managing Information Risk: A FAIR Approach" by Jack Freund and Jack Jones and "How to Measure Everything in Cybersecurity" by Doug Hubbard and Richard Seiersen. These guys have all gotten on the bandwagon with Dr. Tetlock about how to be more precise in how you assess risk, right? And so after reading all these things, I've realized that I've been doing this wrong for 25 years, OK? What - and most of us do it this way. We create these heat maps, these risk heat maps with, you know, down the X axis is how likely is something to happen and on the Y axis is how impactful it's going to be.
Dave Bittner: [00:14:32] Right.
Rick Howard: [00:14:33] And we rate these risks that went from - anywhere from 10 to 150 things, things that could potentially go wrong in our enterprises, right? And we rate them high, medium or low or red, yellow and green, and then we sort them by color. So the red, you know, drifts up and to the right and the green sinks down and to the left. That's why they're called heat maps. But if anybody in my leadership chain would have said, gee, Rick, why is this one red versus yellow, you know, I might have said something like, blah, blah, blah, 25 years' experience, trust me, give me money, right? So - and admittedly that has worked many of the times, but, you know, at 25 years down my career, I'm thinking that there's got to be a better way to do this, right? And it turns out there is. If you read these books, you will find a couple of things, OK, that we need to be changing in how we think about risk in our own enterprise, all right?
Rick Howard: [00:15:27] And the first one is risk is a measurement of uncertainty, OK? And it is a high-confidence probability that we can calculate. It doesn't have to be high, medium and low. And it turns out that there's a ream of research that shows that qualitative heat maps like the one I just described is just bad science, all right? And the reason it is is that your definition of what high probability is is different from what my definition of what high probability is. Even if I tell you that high probability is between 90 and 100 percent, your cognitive bias is going to do what you think it is and don't go by what the rules are. So we need to throw that entire model out completely, all right.
Rick Howard: [00:16:10] And then the second one is that all risk measurements should be time bound, OK? So we should be saying things like what is the likelihood of a certain cyber event happening in the future, OK? So there's a difference then, OK? And you would say things like what is the probability that your organization will experience a material breach in the next three years? That's the kind of question we should be asking ourselves. And instead of the word likelihood, you use the precise mathematical term probability. Now, don't get freaked out on me, OK? I'm not going to try to explain probability and stats this morning.
Dave Bittner: [00:16:44] That's good.
Rick Howard: [00:16:45] (Laughter) 'Cause I won't be able to, all right (laughter)? But at least it's a more precise term, right? And so instead of saying a cyber event is going to happen in the future, you say material breach, and material is important because not all breaches are that big of a deal, all right? If some bad guy hacks my website, you know, I'm going to be embarrassed a little bit, but it's not material to my organization. However, if a different bad guy comes in and steals my intellectual property, you know, I might get fired, all right? So it has to be material to the business. And thirdly, OK, it should say - instead of saying that sometime in the future, it's got to be some time-bound thing like I talked about before. All right. So you might be saying, geez, Rick, OK, how do you get all those numbers? If it's going to be mathematically precise, where am I going to get all this math? Aren't you just making it up anyway? Well, it turns out there are some mathematical tricks you can do to give yourself some more precision. Now, you've heard of things like Bayes algorithm and Monte Carlo simulations.
Dave Bittner: [00:17:47] Sure.
Rick Howard: [00:17:48] Yes. OK. Now, they sound really scary. They're not that hard. OK. They really aren't. Even I can figure it out. You can do most of this in a spreadsheet, all right? And so I'm saying that we should change our minds about how we are assessing risk and give it some more precision going forward. Now, I did all this - I got all this together. Me and the co-author of "How to Measure Anything in Cybersecurity," Mr. Seiersen, wrote a white paper and presented this at the RSA Conference a few months ago. So if anybody's interested in all that, I can give you a lot more detail. Just hit me up, and I will pass it along to you.
Dave Bittner: [00:18:23] All right. That's certainly stuff to think about. As always, Rick Howard, thanks for joining us.
Rick Howard: [00:18:28] Thank you, sir.
Dave Bittner: [00:18:33] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:18:42] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:08] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.