CyberWire Daily - A quick look at the state of spam. Phishing for power grids. Industrial espionage. Free and command economy versions of social control. Lessons from JTF Ares.
Episode Date: November 26, 2018
In today’s podcast we hear that Emotet ramped up for Black Friday—beware of the spam. Social engineering and the power grid. Industrial espionage resurfaces as an issue in Sino-American relations. Huawei remains unforgiven in Washington. China’s emerging social credit system. Bottom-up social control in the US: first they came for the dogwalkers. Making a Dutch book on social media. Russia tightens Internet laws. The US Army learns some lessons, in a good way, from Joint Task Force Ares. Joe Carrigan from JHU ISI, wondering if we have a cyber skills gap or a shortage of courage. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_26.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Hello, everyone.
A quick reminder that in addition to our daily podcast,
we also publish a daily news brief that you can subscribe to
and have delivered via email every day.
It's a great companion piece to the daily podcast with dozens of links to all the day's cybersecurity news.
So do check it out and subscribe over on our website.
That's thecyberwire.com.
It's the Cyber Wire Daily News Brief at thecyberwire.com.
Thanks.
Emotet ramped up for Black Friday, so beware of the spam.
Social engineering and the power grid.
Industrial espionage resurfaces as an issue in Sino-American relations.
Huawei remains unforgiven in Washington.
We talk about China's emerging social credit system.
Bottom-up social control in the U.S.
First they came for the dog walkers.
Making a Dutch book on social media. Russia tightens internet laws. And the U.S. Army learned some lessons, in a good way, from Joint Task Force Ares.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Monday, November 26th, 2018.
Emotet ramped up phishing attacks last week. Its Black Friday spam delivered malicious XML files with a .doc extension, and this, as WeLiveSecurity points out, is a bit of a departure for this criminal enterprise. Phishing is, of course, a matter of great concern to consumers during this season.
It's important to recall, however, that this particular form of social engineering is also a preferred tactic of threat actors who've gone after power grids.
ICS security firm Novetta is reminding people that the hackers who took down portions of the Ukrainian power grid started with phishing.
The recent Liberty Eclipse exercise conducted on Plum Island, New York, indicated that there are ways of restarting a power distribution system that's been taken down. It's called a black start. And Control Global's blog points out that the exercise, while small, seems to have yielded scalable results. But Control Global also urges further work to see whether such recovery would be possible in the event of sensor compromise.
The U.S. trade representative has taken official notice of more Chinese hacking as trade tensions intensify. This is widely regarded as placing China in breach of the agreement made during the Obama administration to cut back industrial espionage.
The U.S. is urging its allies on security grounds to steer clear of Huawei.
Huawei, which some see as caught in the middle of a trade dispute,
professes itself surprised by this unfavorable treatment by American authorities,
but the U.S. security warnings seem to be gaining some traction.
To stay with news affecting China,
the city of Beijing plans to bring each of its 22 million citizens under a social credit system,
aggregating and scoring each individual's actions and reputation.
If you've been behaving and are well thought of, life will be easier.
If not, you'll be unable to move a step, as Bloomberg's report puts it.
The capital city's program is the forerunner of one envisioned for the country as a whole,
a kind of mark of the beast as reconceptualized for big data.
Imagine a panopticon mashup of a credit bureau, a moderated Twitter mob, a Yelp for human beings, and traffic cameras. One of the social debits that will cost you, like points on a life license, is failure to clean up after your dog.
And it's not just Beijing either. Recently, a prominent business leader, Dong Mingzhu, she's the president of China's leading maker of air conditioners, was publicly shamed in the city of Ningbo for asocial behavior.
At three and a half million people,
Ningbo isn't in the big leagues of China's cities, but still large enough.
The Ningbo police quickly retracted and apologized for the shaming when various people pointed out to them that the image that led them to Dong Mingzhu was in fact just her face on an advertisement plastered to the side of a passing bus.
So they're sorry, and it would be easy to laugh this one off
as just the vicissitudes of still-maturing biometric technology
if it weren't for the way it revealed the extent and ambitions of social control.
Consider this.
The face on the passing bus was interpreted as crossing a street outside the crosswalk and against the light.
That's right, the full technical capability of Ningbo's law enforcement was brought to bear on a jaywalking charge.
Think about that.
It's also, according to multiple reports, a lifelong score,
a bit similar to a U.S. credit score but harder to improve
and more comprehensive in its effect.
As piloted in the city of Rongcheng, you start with a score of 1,000 points.
You can earn some points by, say, donating blood,
but you'll lose them for quarreling with your neighbors or, yes, jaywalking.
Spreading rumors online will cost you 50 points. A good score gets you discounts, free cable channels, and invites to community events.
A bad one can keep you from booking a train ride or getting a promotion at work.
Much grimmer than this is the comprehensive surveillance and control deployed in both human and technical forms to constrain China's largely Muslim Uyghur minority in the western part of the country. As Spiegel reports, there it's not just a matter of getting free cable. For the Uyghurs, suspicion will land you in a re-education camp.
Lest we think that these things are confined to China, or even to authoritarian regimes in general, or that a social credit system couldn't evolve from the bottom up, consider Predictim, a screening service that scans thousands of social media posts to score a potential hire for babysitting or dog walking services, and again, dogs, we don't know what's up with that, with a risk rating for a variety of traits parents are likely to worry about: drug abuse, bullying, harassment, disrespect, or possession of a bad attitude. The service, according to the Washington Post and its own site, uses advanced artificial intelligence to analyze a prospective babysitter's social media to derive its scores. How long this is likely to remain uncontroversial is unclear, and parents are of course entitled, heck they're obliged, to protect their children. But consider how Twitter's opaque reasons for suspending accounts have aroused suspicion and mistrust.
In any case, analysis of individual behavior online is what's landed Facebook in the parliamentary hot water it finds itself in over in the UK.
Authorities have obtained Facebook internal documents they intend to use in quizzing the social network at hearings tomorrow in Westminster.
They're equally concerned with privacy and providing a platform for proscribed communications, especially terrorist content,
concerns that would seem to be in mutual tension.
Stung by the outing of GRU officers involved in the Salisbury nerve agent attack,
Russia is tightening control over personal information.
A draft law before the Duma would criminalize the unauthorized creation
and publication of databases drawn from official sources.
Another regulation would increase penalties imposed on firms that fail to observe requirements
to delete certain search results, share encryption keys with security services,
or store all data maintained about Russian citizens on servers located in Russia.
General Igor Korobov, director of Russia's GRU since 2016,
has died at the age of 62 after what the Defense Ministry called
a long and serious illness.
His deputy, Vice Admiral Igor Kostyukov, who's filled in for General Korobov during his illness, will serve as interim director.
As the BBC mentioned in their account of the change, Admiral Kostyukov is also known for his earlier role commanding Russian forces in Syria.
The U.S. Army, drawing lessons from participation in Joint Task Force Ares,
is working to push tailored cyber capabilities down to brigade level.
As Fifth Domain reports, the brigades are likely to see task-organized cyber packages chopped to them based on mission and area of operations.
In U.S. Army practice, the brigade is the tactically interesting level of organization,
and a decision to place cyber operators under brigade control
indicates that the Army thinks it has both the need for
and the ability to use such capabilities on the battlefield.
Watch for this.
If brigades routinely show up for their National Training Center rotations
with cyber teams attached,
and if the opposing force at Fort Irwin shows a credible suite of cyber capabilities,
then you'll know the Army is serious in its intent.
Joint Task Force Ares, you'll recall,
is the U.S. Cyber Operations Task Force deployed against ISIS and similar groups.
If Fort Leavenworth would like to tell us more about the lessons the Army believes it's learned,
we're all ears.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for
security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
Nice conference and came back with some interesting things to share. What do you have for us this week?
Yes.
The one I wanted to talk about this week was the closing keynote from Raj Samani.
He's a bigwig at McAfee.
Okay.
And one of the things he said that resonated with me was, we don't have a cybersecurity skills gap.
What we have is a courage shortage.
Go on.
Meaning that companies are not willing to take the risks they need to go out and find the people that can possibly fill these positions. And he says that there are people out there who can fill these positions. And this is something I've been saying for a while now, is that when a company starts looking for a cybersecurity professional,
you can't put a job posting up that says we have an entry-level cybersecurity position and you have to have a CISSP to be considered.
Right.
Okay.
A CISSP is not an entry-level credential.
You have to have five years of experience to have that credential, to even hold the credential.
If you think about how long cybersecurity has been a career field, right? Maybe 15 years, right? Somebody who is in the career for five years is not entry level. Somebody who's been in this job, in this career for two years is no longer entry level. Entry level is going to have to start meaning entry level, no experience required.
Fresh out of college.
Fresh out of college, maybe not even college.
Yeah.
But I have an idea.
Okay.
And I'd like to share it.
Okay.
If you are a company and you're looking for cybersecurity talent at the entry level,
I make this suggestion to you.
Talk to your vendors who sell you your cybersecurity products and tell them,
we're having a hard time filling entry level positions.
And here's what I'd like you to do.
I'd like you to give me seats for training for free,
your most basic training for free,
so I can distribute that to people who might have an aptitude for your product.
And if they have a training and an assessment test,
or if there is another test, like maybe a Prometric test that you can go and you can sit for the test, possibly that can be some cost that could be absorbed by the employee.
But then you put an ad in the paper that says entry level cybersecurity, no experience necessary.
And when the interviewees come in, you tell them that you're going to give them this course,
which they're going to take on their own time, and they're going to take a test,
and if they pass the test, you're going to give them a job.
And the job is only guaranteed for like six months, right? And it's a low-paying job, maybe $15 an hour.
There are people out there, I think, who will jump at this opportunity.
They would love to get into the field of cybersecurity.
There's no shortage of people telling other people
that cybersecurity is the place to be.
There's no shortage of people that want to get into this field.
What there is a shortage of is companies
that are willing to invest in employees
who might be able to fill the roles.
Yeah.
I hear this all the time.
People reach out to me on Twitter and other social media things,
and they say, how do I get this?
It's catch-22.
Right.
I want to get into the field, but everybody's saying in order to begin in the field,
I have to already have five years of experience in the field.
This is why we have the gap.
Right, and that's the thing.
And yet they're saying, companies are saying, we can't find anybody to hire.
Well, I'm not saying you lower your standards.
I'm saying you've got to look in other places that you haven't traditionally looked.
There are quality people out there who want to have these positions.
They just don't have the five years of experience that you're looking for.
These could be the best people out there.
So you assess whether or not they're good enough, right, by having them take some kind of assessment test and training. Give them a few months on a trial basis, and who knows, you may find the next cybersecurity superstar.
All right, well, it's an interesting possibility. I mean, for sure there needs to be some creative solutions to this problem.
That's correct. And this is just a cursory, you know, brainstorming idea. I mean, I'm not saying that I have the complete and total answer. You're going to have to spend a little bit of time, come up with a plan.
Yeah.
But here's a skeleton for you.
Right, right. All right, Joe Carrigan, thanks for joining us.
My pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today
to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.