CyberWire Daily - Allegations and information operations. Iridium group may have compromised Citrix. Sino-American trade and security conflicts continue. Fashions in trolling.
Episode Date: March 11, 2019. Venezuela sustains power outages, and the regime blames hackers and wreckers. The opposition says it's all due to the regime's corruption, incompetence, and neglect. Citrix loses business documents in what might have been an Iranian espionage operation. Huawei's suit against the US gets some official cheering from Beijing. The US warns against Chinese information operations. And Russian troll farmers turn to amplification. Daniel Prince from Lancaster University on the importance of Cyber Design. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_11.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Venezuela sustains power outages and the regime blames hackers and wreckers.
The opposition says it's all due to the regime's corruption,
incompetence and neglect.
Citrix loses business documents
in what might have been an Iranian espionage operation.
Huawei's suit against the U.S. gets some official cheering from Beijing.
The U.S. warns against Chinese information operations.
And Russian troll farmers turn to amplification.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 11th, 2019.
Venezuela, since the middle of last week, has suffered from an ongoing series of power grid failures.
The widespread blackouts, President Nicolas Maduro told supporters Saturday,
had been largely fixed. That apparently is incorrect, as reports of continued power outages continue. But the cause to which the current regime attributes the blackouts is interesting.
President Maduro, the legitimacy of whose government is disputed by the country's National Assembly,
has blamed them on U.S. cyberattacks, aided and abetted with sabotage committed by internal wreckers.
The opposition to Maduro and the Chavista regime, on the other hand,
blames corruption, incompetence, and deteriorating infrastructure.
Most outside observers, including the states belonging to
the Lima Group, seem to think that the opposition probably has it right. The Lima Group, formed in
2017, represents a hemispheric attempt to manage a peaceful resolution to the crisis in Venezuela.
Its members currently include Argentina, Brazil, Canada, Chile, Colombia, Costa Rica, Guatemala, Guyana, Honduras, Mexico, Panama, Paraguay, Peru, and St. Lucia. The Lima Group has recognized the interim presidency declared by the National Assembly of Juan Guaido. While a cyber attack is surely a possibility,
it seems unlikely. The specific allegation, evidence for which Maduro's regime says it
intends at some point to refer to the UN,
is that U.S. cyber operators induced generator failure at the Guri hydroelectric dam, and the wreckers did it too.
Venezuela's failing state has a history of irregular power delivery, although four days is a long stretch even by recent standards.
It's unlikely in the extreme that the blackouts have any causes
beyond what the opposition has called out,
corruption, incompetence, and collapsing infrastructure.
The situation is a tragic one.
The opposition says that the Maduro regime is responsible for deaths
that have occurred as power failed in hospitals and other critical installations.
For its part, the Maduro regime denies that any deaths have occurred,
and says that in any case the opposition is responsible for them.
We think this story is worth your attention, however,
not mainly for its political or humanitarian dimension, as important as those are,
but because it illustrates two recurring issues we see
where cyber matters intersect or at least accompany kinetic effects.
First, it's a sad illustration of why critical infrastructure is so critical.
A developed country is highly vulnerable to long-term disruption of power distribution.
Most developed countries can cope with the sorts of shorter blackouts caused by, for example, storms.
But extended outages or repeated instances of shorter outages
have much more serious effects that cascade across a nation's life.
Thus, if one were inclined to dismiss concerns about the possibility of cyber attacks on
power generation and distribution as idle alarmism, think of what Venezuela is suffering
now.
That it's almost certainly not the result of sabotage or hacking is beside the point.
Look at the effects and consider the possibility.
In the language of risk management,
hacking down a power grid may be a relatively low-probability event,
but it's a high-consequence one.
In this context, it's worth mentioning that there are recent warnings
that Triton malware is still circulating, possibly in new forms.
That attack code was used against petrochemical plants, but the principle remains the same.
Second, as one looks at the Maduro regime's claims and the opposition's counterclaims, one sees an information operation in progress.
It seems the opposition's evidence is far stronger, and we'd be willing to
bet that the regime won't be able to produce any of the evidence of hacking it says it's going to
bring to the UN. From this hack that wasn't, it's almost pleasant to turn to a hack that was.
Although it too is a misfortune, it's not accompanied by the degree of suffering Venezuela
is undergoing this week. Citrix, the software company whose
offerings, particularly in remote work solutions, have become familiar in both the private and
public sector, disclosed Friday that it had sustained a data breach, probably accomplished
through a password-spraying attack. The FBI has the matter under investigation, and Citrix is
working to contain and mitigate the consequences of the breach.
Some six terabytes of what are being called business documents were accessed by the attackers.
Researchers at the firm ReSecurity think the actor responsible was Iran's Iridium Group,
generally thought to be a state-sponsored espionage unit.
Citrix is preparing various forms of assistance for and disclosure to its customers.
U.S. authorities continue to warn of the threat of both Chinese penetration of infrastructure
and of Beijing's attempts at influence operations. U.S. National Security Advisor John Bolton says
that Manchurian chips are a possibility and a good reason to keep Chinese hardware out of infrastructure.
For you kids who are younger than Mr. Bolton, Manchurian chips is an allusion to the 1962 movie The Manchurian Candidate, in which the son of a prominent American political family
was brainwashed during captivity in Korea to become an assassin, deployed and triggered
under the control of Red China. And that, of course, is not what you want in your 5G devices.
Much of the concern over hardware centers on manufacturer Huawei,
currently suing the U.S. government in federal court
with the hearty approval of the Chinese foreign ministry.
Huawei's smaller rival ZTE faces similar suspicion,
but receives less strong, overt official support from Beijing.
ZTE's contract to provide maintenance to Telefonica Deutschland will not be renewed when it ends.
Observers note that there have been complaints about the quality of service,
although Telefonica did not mention these in its announcement.
Other observers see the end of the contract as aligning with Western skittishness over the security implications of relying on Chinese hardware.
To return to U.S. National Security Advisor Bolton in the course of remarks in which he alluded to Manchurian chips,
he devoted considerable attention to what he called Chinese attempts at influence operations, conducted mostly via contacts in universities and think tanks.
This echoes much of what we heard at RSA. China is now spoken of as an information op threat,
along with Russia. Not that the Russian troll farms have been idle. Bloomberg reports that
Russian trolling may have turned to amplification of existing memes, the better to evade hunts for inauthenticity.
So you draw less attention to yourself, presumably, if you simply like or thumbs up someone else's
opinion that, say, the Kree were playing Captain Marvel for a sucker when they got her to fight
with the Skrull, or something like that. And besides, catfish are cheap. When the House of
Zuckerberg whacks down a bunch of trolls,
the Trollmasters of St. Petersburg just conjure up another lot.
It's not quite like the broom in The Sorcerer's Apprentice,
because every whacked hashtag doesn't splinter into ten new memes.
But you get the point.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award
winning digital executive protection platform secures their personal devices, home networks,
and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Daniel Prince.
He's a senior lecturer in cybersecurity at Lancaster University.
Daniel, it's great to have you back.
We wanted to talk today about cyber design and the importance of that.
Why don't we start off with some descriptive stuff here?
What are we talking about when we say cyber design? This has really come from some of the work that
I've been doing with my multidisciplinary PhD students who are working in international
relations and technology areas. And one of the things they've been looking at is the idea of
military design. And this is really an emergent movement, trying to understand how innovation
can actually flow through military organizations to
really get to the frontline warfighters. And the interesting thing there is they're really
incorporating design methodologies, so like human-centered design, into trying to understand
the needs and the problems of the frontline warfighters. And it got me to thinking about
the types of challenges that we have
in cyber security in terms of thinking how do we actually design cyber security products
and services and how do we design the actual systems. And I was reflecting on a lot of
my own practice and thinking that actually a lot of the stuff that we do is really taking
existing products and services and taking more of an architectural approach. How do we combine these things together to provide a secure solution
without really thinking about the kind of design methodologies that sit behind that? So
I'm really interested to understand how things like human-centered design and other design
methodologies can really benefit in the very early stages of thinking about how we address
cybersecurity solutions. Yeah, it's really an interesting thing. I mean, I think about things like password managers,
where the less effort required, the more likely I am to use that password manager on a regular basis.
And that's certainly true. I mean, there's been a lot of usability kind of work done by colleagues
such as Angela Sasse and others that are around thinking about how security
and usability can go hand in hand. And there's a very famous piece of academic work called Why
Johnny Can't Encrypt, looking at why people don't use, a long time ago, why don't people use PGP
encryption for email. But one of the interesting things about a lot of design methodologies,
it really challenges whether we're asking the right questions.
So one of the interesting things that's come from my discussions is this idea that actually
who is the user of security?
Now oftentimes we think it's actually the people that are buying security, but equally
we could turn that question around in its head and say that the attackers are really
the users of security.
What we need to be doing is thinking about how we design, how do we design for the attackers to make it harder for
them, rather than just being easier for the users. So it's this idea that actually design thinking
for this space can actually open up new avenues of conversation and discussion around actually
what are better cybersecurity solutions, rather than just going, well, these are the components that we have and how can we put them together
to produce a cybersecurity solution? Well, let's dig into that, Sam. When you say designing for
the attackers, I mean, what would be exposed to them? How would design affect what they're up to?
Arguably, the attackers are the ones that are actually consuming the security solutions on
a day-to-day basis. They are trying to consume the activities of the firewall in terms of what it actually is doing, for example, in terms
of protecting and preventing malicious traffic going through it. So when we're thinking about
designing an overall solution, are we actually thinking about how the attacker might approach
this particular problem? How the attacker might actually try and breach the security protections that we put in
place. And then it's almost in some ways the reverse, we don't want to make it
usable for the design, for the attacker. And so that changes the
nature of the conversations we have, it changes the kind of the philosophical
nature of how we're designing. And I think it's important to think about the attacker,
as I've mentioned before, as really the root of a lot of the cybersecurity
activities that we undertake so that we can actually prevent escalations in attacks.
Yeah, it's interesting. I wonder, too, what sort of competitive advantage companies who focus on
this, on the importance of design, rather than just what's
under the hood, or I guess in addition to what's under the hood, well, that could be an advantage
for them. Certainly. I mean, you have to just look at classic examples like Apple and Microsoft and
sort of the various corporate walls at that level. And Apple focused heavily on the idea of design
and design thinking and human-centered design.
And we're seeing other large corporates really pushing this idea of design thinking as a way to help to solve some of the more challenging and radical problems that we're seeing in computer science more generally, not just cybersecurity.
It's really important to start that conversation much earlier and really start to use design thinking and design methodologies
to challenge some of the assumptions that we're making
around the technologies that we're using,
the attackers and the way they're approaching us,
and then also the users and the way they're defending.
Daniel Prince, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions
designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for
listening. We'll see you back here tomorrow. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.