CyberWire Daily - Buggy app delays count in Iowa Democratic caucus. US county election sites ill-prepared against influence ops. Twitter fixes API exploited by fake accounts. NIST on ransomware.

Episode Date: February 4, 2020

Iowa Democrats work to sort out app-induced confusion over Monday’s Presidential caucus. A McAfee study finds widespread susceptibility to influence operations in US county websites. Twitter fixes an API vulnerability and suspends a large network of fake accounts. NIST’s proposed ransomware defense standards are out for your review--comments are open until February 26th. Ben Yelin from UMD CHHS on rules regarding destruction of electronic evidence. Guest is Alex Burkardt from VERA on how to protect critical financial data beyond the corporate perimeter. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_04.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Iowa Democrats work to sort out app-induced confusion over Monday's presidential caucus. A McAfee study finds widespread susceptibility to influence operations in U.S. county websites. NEC gets around to disclosing a network intrusion incident detected in 2017. Twitter fixes an API vulnerability and suspends a large network of fake accounts.
Starting point is 00:02:19 NIST's proposed ransomware defense standards are out for your review. Comments are open until February 26th. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 4th, 2020. Heard who won the Iowa Democratic caucuses yesterday? Neither have we. Neither has anyone. Our hard-working editorial staff has been on watch, and they're not seeing anything yet either. Yeah, sure, President Trump won the Republican contest in a walkover, but incumbents tend to do that. The story for the Democrats is more complicated, but not in a good way.
Starting point is 00:03:04 Chaos and debacle are the words the San Diego Union-Tribune, the Wall Street Journal, and others used to describe the problems counting the party faithful's expression of preference for a presidential candidate. Those preferences remain unknown as the results are still being counted and checked, delayed by problems with an app deployed in the caucuses for the first time. Former Clinton campaign manager Robbie Mook was widely blamed for the problems, but this seems entirely unfair as he had nothing to do with the app. It was, rather, built by Shadow, which is affiliated with Acronym,
Starting point is 00:03:39 a Democratic not-for-profit founded to educate, inspire, register, and mobilize voters. Shadow's app was intended to facilitate quicker, more accurate, and more transparent counting and reporting from the precincts. The Iowa caucuses in 2016 were very close, with ultimate nominee Hillary Clinton enjoying only a slim victory over Senator Bernie Sanders. Many Sanders supporters felt the results had been influenced by the party, so the party was determined to avoid a repetition of such controversy this time around. Thus, today's difficulties are Greek in the classical sense, not the fraternity row sense, as the candidates all claim various levels of unsubstantiated victory or darkly hint of chicanery. The very steps the Democratic Party took to clear up the intra-party suspicion that the game was rigged,
Starting point is 00:04:36 that somebody's thumb was on the scale, have bitten back to bring about the very result they were taken to avoid. The lessons to be learned for election security in general may be limited. The Iowa caucuses don't resemble regular voting using machines or marked ballots, but instead represent a precinct-by-precinct set of nearly 1,700 meetings, each of whose results had long been reported by precinct chairs over the phone. While there were earlier concerns expressed that the app might be vulnerable to cyber attack (NPR, for example, reported on such concerns back on January 14th), the prospect that the app itself just might not work well enough was touched on more lightly. There are no reports, we stress, of any form of cyber attack. That's what the chair of the Iowa Democratic Party said this morning, according to Iowa's WHO-TV,
Starting point is 00:05:21 and most observers seem to agree. State Party Chair Troy Price said, "We have every indication that our systems were secure and there was not a cybersecurity intrusion. In preparation for the caucuses, our systems were tested by independent cybersecurity consultants." As we mentioned, the distinctive way the caucuses are conducted suggests only limited lessons for election security. Principal among those would be: don't deploy technology in voting until it's thoroughly tested under realistic conditions.
Starting point is 00:05:52 NBC News reports that a significant number of precinct captains and caucus organizers had decided as early as yesterday morning that Shadow's app was bad news, not working out as hoped. It appears, says state party chair Price, that the collection went fine. The party officials have been able to check it against such backups as paper records. It was the reporting that collapsed.
Starting point is 00:06:16 Party officials noted unspecified inconsistencies in the data being reported, which is what led them to slow down and check the information. And he's confident that they'll be able to get an honest, accurate count, but it will take some time. Reports from the precincts are still coming in. While there was little to no evidence of foreign interference in Iowa, a McAfee study released this morning suggests that local authorities in the U.S. are particularly ill-prepared to counter the problem of influence operations conducted through compromised county websites. Fixing the basic failures in website design McAfee calls out wouldn't be a panacea, but it might amount to a good start.
Starting point is 00:06:56 McAfee calls out as a lapse the widespread tendency of many counties to use .com, .net, .org, and .us domains, which can be purchased without the buyer undergoing any validation. The .gov domain requires such validation, and these tend to be used for voting information sites even where the county has a .gov domain. The study also finds that a little less than half the county voting sites even use HTTPS encryption. So, fixing these issues would be no panacea,
Starting point is 00:07:26 but if one thinks, for example, of the large number of successful ransomware attacks and website defacements local governments in the U.S. have sustained over recent years, it's difficult to feel entirely happy about how resilient official voting information sites would be to a campaign that aimed simply at disruption. There's a common, oft-used security metaphor which describes your digital valuables safely protected by castle walls, and maybe even a moat full of crocodiles. Hungry ones. But these days, thanks in large part to so many business services and functions moving to the cloud, things are a good bit more fuzzy. Alex Burkardt is vice president of field engineering at Vera, and he describes how to protect critical financial data beyond the corporate perimeter. Where a lot of people run
Starting point is 00:08:16 into trouble is when they're working on very sensitive things like deals, like deal documents. You know, there used to be this thing known as secure deal rooms, where people come together, they work in these centralized repositories on deal documents relating to secure financials, and then they leave those documents in that room and they're supposedly secure. Well, what tends to happen is if you're working on a really sensitive deal, everyone wants in on it. And being able to revoke access to files once you've determined a partner is no longer the one you want to work with is exceptionally powerful and isn't something that people even really realize exists. And that's why I love talking about the problem. When you apply the notion of, if I'm handing you a dollar, Dave, I have to physically have contact with you, and we have to transfer that dollar.
Starting point is 00:08:53 And I know who you are, and I've met you once before. But in the internet, that doesn't really exist, right? So are we relying on a central server somewhere that's taking care of these encryption keys and permissions and so on? Yeah, fundamentally, what we've done is we've added all of the infrastructure on the back end where people don't even need to see it that introduces the typical controls you would expect for an interpersonal file sharing interaction
Starting point is 00:09:19 where on the back end we figure out, is the person who they say they are, have you, the person sharing the file, allowed someone to have access to it? And are they doing things you're not supposed to be doing with it? And you get an audit list of everything that's going on with that. And you get to see, at the end of the day, do they try to access the file again if you revoke their access? So it's a lot of things that people just assumed weren't possible that we've now introduced into a platform. And really, all the end user has to do is right-click to protect the file. After that, we handle the rest, which is pretty cool.
Starting point is 00:09:50 Yeah, but I was going to ask you about how do you make sure that you're not introducing a lot of friction? Because I would imagine if someone sends me a document in order to see it, especially if they're trying to get business from me or pitch something to me, I don't want there to be any additional friction there. How do you crack that nut? Well, that's one of the things that everyone's trying to solve. And there have been numerous companies
Starting point is 00:10:14 that have started and haven't been successful or have tried and failed in this industry. What I think, you know, Vera is doing really, really well is we understand that friction is the enemy of business. And in the security space, period, people will ultimately make the decision to forego security owner the ability to grant access and remove it in a very simple way by assigning it to an email or by leveraging their existing authentication provider, it turns the tables on what people thought they had to do in order to regain access to their files. You know, when people approach me as a security professional and trying to figure out how to solve a problem, a lot of times they wonder, like, Alex, why is what you're doing at Vera different or even interesting, or why are you pitching this to me? And the answer is, it's not really a pitch. I don't even feel like it wouldn't
Starting point is 00:11:12 be fun to work at a company if you're not solving a real problem. And what I think is most interesting about what this company is doing is we're taking a topic, super complex, which is encryption, and we're taking authentication. We're taking these two discrete and difficult-to-manage items that everyone knows of but really kind of hates whenever they're applied together. And we're trying to show people that you can regain access to your files
Starting point is 00:11:37 or you can have the benefit of applied cryptography and still get work done. And when that marriage occurs, you actually see the best of both technologies. That's my opinion. That's Alex Burkardt from Vera. Japanese electronics giant NEC disclosed Friday that its networks had sustained an unauthorized intrusion
Starting point is 00:11:56 by parties unknown in 2016. The incident was discovered in 2017 with remediation continuing into 2019. The company says no sensitive data were lost, but it doesn't explain why the disclosure was made now. Twitter said yesterday that a network of fake accounts had been exploiting its API to match usernames with phone numbers. Twitter says it's fixed the vulnerability with the API
Starting point is 00:12:21 and suspended the fake accounts. Twitter wrote on its privacy site, quote, We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors.
Starting point is 00:12:40 End quote. And finally, we close with a somber, respectful note as we mark the passing of one of the last of the Second World War's code talkers. Flags of the Navajo Nation are at half-staff to honor Joe Vandever Sr., who served in the United States Marine Corps in the Pacific, where he and his colleagues' native language served as the basis of a tactical code that the enemy never broke. Rest in peace, Marine, and Semper Fi. Do you know the status of your compliance controls right now?
Starting point is 00:13:50 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:14:30 and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a thousand dollars off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:15:22 Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. Ben, I wanted to talk about an article that came by. This is from the folks at ProPublica, written by Will Young. The title is, "How Corporate Lawyers Made It Harder to Punish Companies That Destroy Electronic Evidence." Take us through what happened here. So back with the corporate governance scandals of the early 2000s,
Starting point is 00:16:03 there were cases where big companies were illegally destroying evidence, and harsh punishments were levied by courts as a result of civil lawsuits against those companies. We had, and this article mentions, a penalty for the tobacco giant Philip Morris, $2.7 million for a breach, $250,000 fines against each of the company's supervisors found culpable. So those are significant penalties. There was a law passed in 2006 at the behest of some of these corporations to change the rules.
Starting point is 00:16:37 As a result of that statute, there is now what's called a safe harbor provision. And this protects companies from the consequences of failing to retain electronic files. As long as companies follow a consistent policy, when they're informed that they're going to be the subject of litigation, as long as they make a good faith effort to preserve relevant materials according to their company policies, they will not be held liable in court for destroying those electronic
Starting point is 00:17:06 materials. So in other words, if my understanding is correct here, if over the course of my company's regular data retention policy, there was a sunsetting of data, you know, we get rid of all of our emails that are older than 10 years old, then that's probably not a problem. But if a lawsuit comes in and all of a sudden the message goes out to everybody, hey, start frantically deleting, delete, delete, delete, that could raise some eyebrows. Exactly.
Starting point is 00:17:34 As long as you're following a consistent organization-wide policy and the effort is made in good faith to retain documents when you're informed that you're facing litigation, then that safe harbor provision applies. You will not be subjected to punishment. Okay. This didn't solve the problem for corporations. There was an incident in 2008 where Qualcomm, I know them from sponsoring the sports stadium in San Diego, but they are also a chip maker company. Evidently, yeah.
Starting point is 00:18:06 They were fined $8.7 million for destroying evidence. This happened to a bunch of different corporations as well. So some lawyers got together, lawyers representing some of the largest corporations in the country and also representing the United States Chamber of Commerce. And they went through the regulatory process to get a change to the regulations on data retention. And in 2015, a rule took effect that limited judges' latitude to punish people who destroy electronic evidence. And this rule, as they quote a retired judge here making this statement, this rule is sort of backwards. It requires that a litigant who claims the other side destroyed or
Starting point is 00:18:52 didn't keep evidence, they have to prove that whatever was destroyed would have been unfavorable to the person destroying it. Now, that presents the very obvious catch-22. How do you know it's unfavorable if that data has already been destroyed? And this is just an absolutely daunting hurdle for litigants. And usually these litigants will have fancy hotshot lawyers, but they're oftentimes people who use the products produced by these corporations or people alleging some sort of injury as a result of corporate action. And it's just because of this rule that's very favorable to these corporations, it's going to be much harder for those plaintiffs to seek relief. And so how has this played out in the real world? What's been the effect? Are organizations having, you know, shredding parties? How does it play out?
Starting point is 00:19:45 So the numbers are actually staggering. They have the stats, the receipts to back up how big of a change this is. ProPublica said that they looked at 900 civil cases involving the deletion of electronic records. In 2014, which was before this regulation took effect, judges approved 51% of the motions to penalize somebody for destroying evidence. That number dropped to a staggering 19% in 2019, and that's four years after that regulation took effect. The same is true for a second category of penalties,
Starting point is 00:20:21 which are largely confined to just fines for these companies. A 76% penalty rate before this regulation took effect and 38% after it took effect. So all that lobbying literally paid off. It paid off. Yeah. You know, the problem is very few people are paying attention to rules, federal rules of civil procedure. And the ones who are, are the people
Starting point is 00:20:45 who are going to benefit from these types of changes. And the U.S. Chamber of Commerce has the resources to effectuate these kinds of policy changes. And here they were able to do so. And so in your estimation, you're not a fan of these changes and how they played out. I generally am sympathetic to plaintiffs in these circumstances just because, at the very least, all the potential evidence that could be relevant in a case should be maintained. There's no normative reason why companies shouldn't be forced to retain electronic evidence where feasible. I mean, I think the 2006 rule was actually a decent compromise. You don't have to go, you know, above and beyond your corporate retention policies.
Starting point is 00:21:30 But unlike the current rules, you're not putting a burden on the plaintiff to prove negative information that was in those documents when, of course, they would have no access to documents that have already been destroyed. Right, right. Yeah, you can't prove a negative. Exactly. Yeah, interesting. All right. Well, interesting stuff as always. Ben Yelin, thanks for joining us.
Starting point is 00:21:52 Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:22:21 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:23:04 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. Thanks for listening.
Starting point is 00:23:32 We'll see you back here tomorrow. into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:24:24 That's ai.domo.com.
