CyberWire Daily - Coordinated inauthenticity in five countries draws action from Twitter. Cryptomining continues. Huawei fights its ban in US Federal court. Notes from CISA’s Cybersecurity Summit.
Episode Date: September 20, 2019
Twitter details actions against coordinated inauthenticity in Egypt, the United Arab Emirates, Ecuador, Spain, and China. Tension with Iran remains high, but cyber action hasn't sharply spiked. The Smominru botnet installs malware, including miners, and kicks other malicious code out of infected machines. Panda cryptojackers are careless but effective. Huawei says it's the victim of a bill of attainder. And notes from CISA's National Cybersecurity Summit. Malek Ben Salem from Accenture Labs on the security aspects of facial recognition systems. Guest is Henry Harrison, CTO of Garrison, on hardsec, a new approach to security that came out of the UK. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_20.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Twitter details actions against coordinated inauthenticity in Egypt,
the United Arab Emirates, Ecuador, Spain, and China.
Tension with Iran remains high, but cyber action hasn't sharply spiked.
The Smominru botnet installs malware, including miners, and kicks other malicious code out of infected machines.
Panda cryptojackers are careless, but effective.
Huawei says it's the victim of a bill of attainder.
We learn all about hardsec security that's come out of the UK.
And more notes from CISA's National Cybersecurity Summit.
From the CyberWire studios at DataTribe, I'm Dave Bittner
with your CyberWire summary for Friday, September 20th, 2019.
Twitter this morning announced six new datasets concerning information operations.
As the platform puts it in the announcement,
Per our policies on platform manipulation, we have permanently suspended all the below accounts from the service.
The campaigns were as follows.
273 accounts operated from Egypt and the United Arab Emirates by the private company DotDev were removed from Twitter.
Four thousand two hundred forty-eight operating from the UAE alone were also suspended.
The tweets from both accounts addressed various regional issues, mostly involving negative stories about Qatar, Yemen, Iran, and Oman, and expressing some degree of support for Saudi policies.
Six accounts from Saudi Arabia, a small group, as Twitter acknowledged,
were suspended for misrepresenting themselves as independent journalistic outlets
when, in fact, they were simply amplifying Saudi state media.
265 accounts in Spain operated by Partido Popular were spamming and retweeting
in ways designed to increase
engagement. Twitter banned these for falsely boosting public sentiment online, a rather opaque
description for activity that appears in a report that describes itself as a dedication to
transparency, but we'll let that pass. Hashtag manipulation and retweet spam earned some 1,019 accounts in Ecuador a ban.
The campaign was linked to the PAIS Alliance political party
and was conducted largely by fake accounts set up in the interest of spreading notes
about President Moreno's administration.
Finally, Twitter published information about 4,301 accounts based in China.
This is a second round of the very large sweep of 200,000 accounts conducted last month.
Their goal was to sow discord about the ongoing protests in Hong Kong.
Twitter, like Facebook, seems more comfortable and indeed effective
when it's dealing with coordinated inauthenticity
than when it's attempting more direct forms of content moderation.
Tensions between Iran and its regional rivals continue to run high
after strikes against Saudi oil production facilities
that have been widely attributed to Tehran.
The U.S. has announced tighter sanctions
and is making certain preparations with countries in the Gulf region,
notably Saudi Arabia.
Iran is showing signs of heightened activity in cyberspace,
Fifth Domain quotes U.S. CISA Director Krebs as saying at the National Cybersecurity Summit this week.
That Iranian activity, however, hasn't risen as much as might have been expected.
The observed op tempo is lower, for example, than it was in the wake of Iran's destruction
of a U.S. Global Hawk surveillance drone earlier this summer.
In the ebb and flow of cybercrime, right now cryptojacking is flowing,
this despite premature declarations that miners were now passé.
Guardicore has been tracking the propagation of the Smominru botnet,
noted for its use of EternalBlue, for its high reinfection rate,
and for its installation of a variety of malicious tools, including Monero miners.
Bleeping Computer points out that Smominru goes to some trouble
to remove rival malware strains from the machines it infects.
Cisco's Talos unit has been following Panda,
a cryptojacking group that's been around for some time.
Its OPSEC is still poor, but it continues to evolve new functionality
that has netted the crooks about $100,000 so far.
Researchers at security firm Wandera found two malicious apps in Google's Play Store.
Both are selfie filter apps that also serve up adware.
Sun Pro Beauty Camera and Funny Sweet Beauty Camera,
the two apps in question, enjoyed more than a million and a half downloads.
Wandera reported them to Google, which has ejected them from the Play Store.
Huawei is making the case in a U.S. federal court this week that sanctions against the company
amount to an unconstitutional bill of attainder, the Wall Street Journal reports.
This argument is similar to the one Kaspersky unsuccessfully raised against its own ban from U.S. federal networks.
A bill of attainder is an unconstitutional punishment imposed on a legal person by legislative action as opposed to a court.
It seems unlikely that Huawei will enjoy any more success with this argument than Kaspersky did.
The Cybersecurity and Infrastructure Security Agency's second annual National Cybersecurity Summit wraps up today, just outside Washington, D.C.
In a keynote delivered Wednesday, CISA Director Chris Krebs outlined what the new agency has achieved since it was set up last year.
Krebs cited a number of directives and
executive orders that have been passed, and he pointed to the series of indictments against
threat actors around the world. As an example of the effectiveness of these measures, he said that
quote, indictments of the SamSam ransomware actors have stopped SamSam ransomware attacks worldwide.
He cited these achievements in the course of advocating what amounts to a whole-of-nation approach with strong cooperation between government and the private
sector. Krebs stressed the growing importance of cooperation between the public and private
sectors in defending against threats. Quote, the government's not going to solve this problem
alone. This is a national problem set, end quote. Krebs wants to prepare for a large-scale cyber attack before it happens.
Relating such an event to a natural disaster,
he said, we know how to prepare for hurricanes
because we know what happens when a hurricane hits.
We don't have that level of knowledge when it comes to a cyber event.
But he said the spate of ransomware attacks
against government targets this summer
came pretty close to a large-scale event. One of the threats CISA is preparing for is the possibility that ransomware could be deployed
against voter registration databases during the 2020 election.
One sort of private sector contribution Krebs would discourage, however, is FUD,
fear, uncertainty, and doubt. He pointedly asked the cybersecurity industry to stop selling fear.
He acknowledged that it's an effective marketing tactic,
but said we need to remove the hysteria
and have measured and reasonable conversations about threats,
particularly those surrounding election security.
The threats to infrastructure are undeniably real,
but self-interested alarmism doesn't help.
It only serves to drive down voter confidence.
Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families
24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Malek Ben Salem.
She's the Senior R&D Manager for Security at Accenture Labs.
Malek, it's always great to have you back.
I wanted to touch base with you on the news we've been seeing lately when it comes to facial recognition systems.
I wanted to get your take on where are we, what's the technology, where do things stand?
Yeah, so facial recognition technology has spread widely over the last decade, especially due to advances in big data, deep convolutional networks, and graphics processing units, or GPUs.
And we see them being used widely. You know, most people know them from social networking platforms where pictures or people's faces get tagged.
They're used, you know, to spot missing people, to catch slackers who lie about the hours they spend in the office.
Most recently they've been deployed at, I believe, the Hyderabad airport. So you can use your face now as your boarding card.
So the, you know, the uses continue to grow, thanks to the advances in computational power and to deep learning, but there are issues with the technology itself.
What kind of concerns are you tracking?
Well, there's obviously the privacy concern.
The fact that these technologies are being used everywhere, not necessarily with people's
consent.
As a matter of fact, just last week, one school was fined in Europe because it used facial
recognition systems to track the presence of students
in the school.
So this was in Sweden and about a 20,000 euro fine was issued against this school because
of that use.
But beyond the privacy concerns, facial recognition systems, just like any machine learning systems,
reflect the data that they get trained with.
And because a lot of the data that they were trained with was not reflective of entire populations, they end up having biased results.
So no matter what accuracy improvements they've been able to achieve overall across, you know, the widest population, for certain demographic groups they don't perform as well, which makes them not reliable.
So if we think about uses in law enforcement, for instance, to match certain faces with people of interest or people who have committed crimes before, then it has been noted that people from certain demographic populations are more likely to be matched to the faces of interest.
Yeah, it seems like that's a high-risk proposition there, where that's a situation where it's really important to get it right.
Yeah, absolutely, absolutely. And that is why we need to take a look back at the data sets that are used to train these facial recognition systems,
to address this bias problem, address this false positive problem when dealing with watch lists.
Now, is this something that you think as time goes on, the reliability is going to improve?
Or are we ever going to see these get to the point where we feel like we can trust them?
I think so. I think the technology will continue to improve.
For instance, we know that up to this point, these systems have had difficulty distinguishing twins, but they can be complemented with certain
techniques so that they're able to distinguish the faces of twins. For instance, by looking at,
you know, pores within the twins' faces and, you know, computing the distances between those pores, they may be able to get
additional information or build additional discriminative power between the faces of
twins.
Other things that can be leveraged is how the people walk, if we're not just looking
at the face of the person but at the entire
video of a person walking or moving, then we're able to improve the accuracy of these
algorithms and these systems that way.
All right. Well, it's something that'll continue to develop and certainly merits
keeping an eye on. Malek Ben Salem, thanks for joining us.
Thank you, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
My guest today is Henry Harrison. He's Chief Technology Officer at Garrison,
a company that offers secure isolation technology using a technique called hardsec.
We asked Henry Harrison to explain what hardsec is, what it's good for, and where it came from.
If you go back like two decades ago and you looked at that kind of national security space in the world's kind of leading nations,
then really pretty much the only cybersecurity tool they trusted was air,
and they didn't trust any of the software that was around.
But obviously, just using air as your approach to cybersecurity is incredibly inefficient and causes all manner of business problems.
So a lot of effort has gone in within that community to looking into technologies that they would be willing to trust.
And hardsec basically is the, it comes from one key insight, which is that the reason that exploitation of vulnerabilities in software is such a problem is because of the very nature
of software.
It's because software is a concept that's based around the Turing machine.
You have these hardware platforms that are essentially universal Turing machines, and
they'll do absolutely
anything you want them to,
provided you give them
the right software.
And that's also the great,
you know, the great opening
for an attacker.
So if you can trick
the software that's running,
you can get the Turing machine
to do what you want it to do instead.
And the, you know, the objective with hardsec was to say, well, the strongest way of doing security is to use non-Turing machine approaches, to use less sophisticated digital logic, the simple state
machine, simple combinatorial logic to implement security controls, at which point we don't have
that inherent vulnerability issue that we've got associated with software. And, you know,
that's not, in some ways, that's not a new thing, right? Because, you know, processor manufacturers have been building core security features like memory isolation and the NX bit
and VM support and so on using non-Turing machine logic inside their hardware. But the
insight of hardsec was that we could make all that field programmable by using a different type of
silicon device called a field programmable gate array, or an FPGA.
I mean, if you'll forgive me, I'm reminded of
the original Pong arcade machine, which my understanding is was hardwired
to play Pong and only play Pong. You couldn't, you know, reprogram it to play
Pac-Man or Asteroids or anything else.
It was circuits soldered together on a board to do only that one thing.
Is that the sort of thing we're talking about here?
Well, so that's certainly true, that Pong is very, very secure, right?
As you say, it's only going to play Pong.
But nobody wants to return to that world where we have machines that can only play Pong.
We can basically kiss goodbye to decades of innovation
if we try and do that. We're certainly not going to innovate anything more because the economics
don't work, right? We can't go around building special hardware for every job that we need to do.
That's simply not going to work. And that's why hardware level security has historically been
something that has applied to very, very specific things that are universal, right? So, for example, virtual memory protections.
That's a tool that's used by, you know,
all manner of different applications.
And so it's built into processors and it's universal.
We can afford to take the manufacturing cost
of building that into the processors
because everybody uses it.
But it's not a good way to solve a whole, you know,
broader range of security problems
because we just can't justify building hardware for them. And so this trick of using field
programmable gate arrays, FPGAs, really allows us to get the best of both worlds. So you can get the
inherent security that comes from building something that can only do one thing and yet
at the same time achieve the seemingly impossible,
which is to make it actually reprogrammable
so you can have a single piece of hardware
that does multiple different tasks at different times
depending on what logic you tell it to have.
Help me understand how that's not merely shifting the security back a layer.
If you can still program that gate array, right, isn't there an issue there?
Yeah, well, that couldn't have been a better question, because the real key thing about an
FPGA is that you can reprogram it, hence it's called field programmable, but you can only
reprogram it using very specific pins on the device. And so the security architecture for
hardsec says, okay, what you need to do, above all, is take those pins out to a dedicated management interface,
an out-of-band management interface,
so that the FPGA can only be reprogrammed by somebody who's
got access to the management interface
or to a network that's connected to that management interface.
And then if the FPGA is processing inputs that
come from other pins that would be connected to the internet
or connected to a corporate network or whatever, then data that's coming through that physical
interface can't reprogram the FPGA. So what we've done is we've isolated the reprogramming
capability, and then we're able to say, OK, we can apply all manner of restrictions on which
people are allowed to reprogram it, under what circumstances, what monitoring we can do around
them in what physical scenarios, and so on, just as you would with a typical kind of data center
out-of-band management network. So what are the applications for which hardsec is the right choice
and are there applications where it's not the right choice? Yeah, so it's definitely not the
right choice, right, for building your next generation machine learning artificial intelligence platform that requires constant innovation and so on.
We still need to, fundamentally, most things are going to continue to be built using software.
The real role that hardsec plays is above all around input sanitization.
I mean, everybody's used to input sanitization in the context of web development, where we say, OK, well, we need to make sure that sequences are escaped and so on to avoid vulnerabilities like SQL injections.
But actually, there's a much broader scope for input sanitization, where instead of trying to say we're going to detect bad things and stop them, what we do instead is we say, OK, we're going to assume everything is bad.
And then we're going to transform it into a form which we can validate to be good. And that's a pattern, in fact,
that was published by the UK's National Cyber Security Centre, which is part of the GCHQ Intelligence Agency last year. And they call it a pattern for safely importing data. And they talk
about transforming data into a format where it can be verified before you bring it in.
That's applied to all manner of different things.
So it can be applied to structured data,
like REST APIs and JSON schemas, XML schemas.
It can be applied to files.
There are companies out there building that kind of approach
for file sanitization.
Other companies that are doing it around kind of interactive
human interface streams as well. So kind of like video sanitization and GUI sanitization.
And hardsec really plays into that role there where you have data that you're going to assume
is potentially risky. You're going to transform it into a format which is then easy to verify using a hardsec-based platform. And you've then got a really secure way of knowing
that what emerges from that hardsec platform has a very strong guarantee of being safe
and having been sanitized, ready to pass on to your software systems, which of course
have vulnerabilities in them.
That's Henry Harrison. He's Chief Technology Officer at Garrison.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.