CyberWire Daily - Cyber deterrence? What grid failure looks like (and it needn’t come from a cyberattack). EU complains of Russian info ops. Twitter takes down inauthentic accounts.
Episode Date: June 17, 2019
The New York Times reports that the US has staged malware in Russia’s power grid, presumably as deterrence against Russian cyberattacks against the US. South America has largely recovered from a large-scale power outage that seems, so far, to have been accidental. An EU report claims that Russian information operations against the EU are increasing. Twitter takes down more inauthentic sites. The Target outage over the weekend seems to have been caused by glitches, not hacking. Joe Carrigan from JHU ISI on the GDPR fine of a Spanish soccer league for a spying app. Tamika Smith speaks with Britt Paris from the Data & Society Research Institute on the weaponization of AI. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_17.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The New York Times reports that the U.S. has staged malware in Russia's power grid,
presumably as deterrence against Russian cyber attacks against the U.S.
South America has largely recovered from a large-scale power outage that seems, so far, to have been accidental.
An EU report claims that Russian information operations against the EU are increasing.
Twitter takes down more inauthentic sites.
What to make of claims of weaponization of artificial intelligence?
And the Target outage over the weekend seems to have been caused by glitches, not hacking.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 17, 2019.
The New York Times says, in a largely anonymously sourced piece,
that the U.S. has staged implants in the Russian electrical grid to enable the U.S. to impose costs on widely expected Russian misbehavior during the 2020 elections.
This would be battle space preparation as opposed to an attack.
It's worth noting here that the article itself is much clearer
on this than is the headline that accompanied it, which said, U.S. escalates online attacks on
Russia's power grid. The operation would appear to be a deterrent move intended to dissuade Russia
from cyber attacks and influence operations against the U.S. No one in the U.S. government
has had anything to say publicly, and the sources the
Times cites in the article are former and current officials. That's sources on the alleged staging
itself. Plenty of observers have been willing to comment on the record. Precedent for active
cyber operations may be seen in U.S. response to Russian election influence operations in 2018.
Lawfare had a useful summary of presumed cyber command action against the Internet Research Agency,
which President Trump more or less confirmed in a Fox interview back in May.
Others see similarities to the allegedly planned
but apparently never executed Nitro-Zeus operation
prepared during the previous administration against Iran,
which is said to have been a comprehensive takedown of Iran's infrastructure
in the event Iran's nuclear program brought that country and the U.S. into open warfare.
A report of U.S. staging in Russian power infrastructure comes shortly after Dragos
reports signs that Xenotime, the activity group responsible for the Trisis, also called Triton, malware,
used against a petrochemical facility in the Middle East, had been seen in the North American power grid.
This activity appeared to be reconnaissance.
FireEye, which discussed renewed Triton activity in April, has attributed the campaign to the Russian government,
specifically to the Central
Scientific Research Institute of Chemistry and Mechanics. If the New York Times has its story
right, the operation it reports would seem to be deterrence. For deterrence to work, the threatened
retaliation must be credible, and the adversary must know about it. If that's the point of any
background discussions with the New York Times,
then mission accomplished. And if this is deterrence, it's worth noting that there's another similarity with classic Cold War nuclear deterrence. The strategy seems to represent a
predominantly counter-value approach. Counter-value deterrence holds something at risk the adversary
values, but which need have no direct military significance.
Counter-force strategies, on the other hand, threaten reprisal against military targets.
The deterrence of mutually assured destruction during the Cold War, which held cities at risk,
was an example of counter-value strategy. It's also worth noting that an attack on
electrical power distribution anywhere harms civilian targets at least as much as it does military ones.
For an object lesson in what a large-scale temporary grid failure looks like, see the weekend's outage in South America.
Argentina and Uruguay were most heavily affected, with effects also felt in Brazil, Chile, and Paraguay.
All have, for the most part, recovered.
The outages do not appear to be the result of a cyber attack,
but some observers have interpreted comments in Argentina's government
that such an attack hasn't been ruled out as evidence of suspicion
and not the normal caution one would exercise
in responding to a question about an investigation that's still in its early stages.
As far as is known so far, the power failures seem to be accidents of the kind that Argentina's
energy minister says happen regularly.
They're remarkable for their extent, but not necessarily for their cause.
Last week, attention was drawn to Facebook's policies toward the removal of deepfake videos.
They had been criticized for not removing a modified video of House Speaker Nancy Pelosi.
That was unflattering.
And in response, someone posted a deepfake video featuring Facebook CEO Mark Zuckerberg.
CyberWire's Tamika Smith explores this new era of information warfare.
When you think weaponized artificial intelligence,
you may remember the movie 2001: A Space Odyssey.
In this specific scene, one of the astronauts, Dave,
is trying to get the machine to let him onto the spacecraft to thwart the machine's master plan.
Do you read me, Hal?
Affirmative, Dave. I read you.
Open the pod bay doors, Hal.
I'm sorry, Dave. I'm afraid I can't do that.
No spoiler alert here. We all know that Dr. David Bowman survives, but the rest of the Discovery
One crew aren't so lucky. We are far from this 60s version of this physical machine versus man battle,
but experts say the weaponization of AI is leading the way for a new era of information warfare. Here to talk
more about this is Britt Paris. She's a researcher at Data and Society. It's a research institute
focused on social and cultural issues that come from data-centric technology development.
Hi, Britt. Welcome to the program.
Hi, thanks for having me.
You've written extensively about this topic, and most recently you co-wrote an article on Slate
entitled, Beware the Cheap Fakes. Deepfakes are doubling, but they don't have to be high-tech
to be damaging. This was directly related to the AI-generated videos of Facebook CEO Mark Zuckerberg
and House Speaker Nancy Pelosi. Let's start with the technological terms here.
What's the difference between a deepfake and a cheapfake?
So deepfakes are artificial intelligence generated videos of any sort.
And cheapfakes are the types of manipulated videos that have been around forever.
They increasingly rely on free software that allows, you know,
very easy manipulation of
videos through really conventional editing techniques, techniques like speeding up content,
slowing it down, as we saw in the Pelosi video, as well as recontextualizing existing footage
from previous events. I must say, when I watched the video, it was very difficult to tell the
difference of if it was real or fake.
What's the technology that's driving the creation of this type of content?
So with the Mark Zuckerberg example in particular, it was produced by an advertising company named Cani.
produced video with the help of artists in this proprietary artificial intelligence generated video dialogue replacement model that allowed them to take video of Zuckerberg testifying,
I believe it was April of 2018, to take the voice that they had recorded and sort of insert it into
the video of Zuckerberg testifying to Congress last year.
With the spread of this new technology, how do we detect what's real and what's fake?
There are a few different things.
So with the Zuckerberg example, primarily looking at, you know, voice replacement technology.
And so you can hear some sort of buzzes and clips where they're going in and changing the voice.
But, you know, whenever it's just sort of a face that is transmogrified onto an existing video,
you can look for things like artifacting or sort of pixelation or blurring
around where the face is inserted into the video.
You can look at whether or not the eyes blink.
Because if you think about it, training data is taken from images
where people's eyes are generally open.
And a lot of
these videos that are produced through artificial intelligence, the eyes won't blink because, you
know, the training data doesn't blink. Generally changing color in the faces of people, you know,
when they're filmed live on video. And that doesn't happen whenever the video is made with
artificial intelligence or made from training data through artificial intelligence methods.
Based on what I've seen with the case with Mark Zuckerberg and Speaker Nancy
Pelosi, it doesn't seem to me that social media companies, including Facebook and Twitter,
etc., they don't seem like they have a set strategy to deal with this.
I know. That's the troubling issue for a lot
of people. Social media really rewards content that is novel, inflammatory, that shows people
doing sort of outrageous things. It rewards that type of content with, you know, large followings
or sort of it allows it to reach large scales. Because, you know,
really what these social media companies are looking for are engagement, clicks, eyeballs,
because, you know, that's what they use to drive their advertising models.
But based on the amount of people that they reach every day, there has to be some moral obligation.
And this is the issue, right? People are trying to press these social media companies for accountability, especially given, you know, the number of
debacles that these social media companies have been responsible for producing and fomenting.
You know, we can think about examples of WhatsApp that is owned by Facebook in Myanmar and India and in Brazil that have led to very negative
consequences, things from inciting violence and even murder to throwing the elections to a far
right candidate in Brazil. So people are calling upon Facebook, Twitter, WhatsApp, etc. in their
role inciting this type of activity.
Thank you so much for joining the program, Britt, and offering your insight into this topic.
Oh, you're welcome. Anytime. Thanks for having me.
Britt Paris is a researcher at Data & Society.
It's a research institute focused on social and cultural issues
that come from data-centric technology development.
That was the Cyber Wire's Tamika Smith reporting.
By the way, I may have had as my original error sound effect
on my original Macintosh SE30,
the HAL 9000 saying,
I'm sorry, Dave, I'm afraid I can't do that.
The European Commission has produced a report
accusing Russia's government of an extensive social media effort
to influence EU election results. The report concludes that by some indices,
Russian disinformation campaigns have more than doubled since 2018, and that their goal remains
the same, undermining the legitimacy of European democracies, including, of course, that of the
European Union as a whole. Twitter took down some 5,000 inauthentic accounts late last week.
Most of them were being run out of Iran,
although a small fraction were operated from Russia
or by people interested in Venezuela's crisis
and the Catalan independence movement in Spain.
Target suffered a widespread point-of-sale disruption over the weekend.
The retailer says it recovered yesterday and that the incident was an accident,
not the result of a cyber attack or a data breach.
And finally, Bravo Bitdefender.
The company has released a GandCrab ransomware decryptor.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute,
also my co-host over on the Hacking Humans podcast.
Joe, it's great to have you back.
Hi, Dave.
We've got a story from Ars Technica.
This has been making the rounds, a big GDPR fine.
This is Spanish Soccer League's app caught eavesdropping on users in anti-piracy push.
Now, before we dig into this story, I have a story to share.
When I was not long out of college, so this would have been back in the early 90s, I suppose,
I had a friend whose job was going around to restaurants and writing down all of the
music that the restaurant was playing and reporting that back to the music licensing
organizations, ASCAP and BMI.
And because at the time, and I believe still today, if you were a restaurant playing music in your establishment, you had to have a license with ASCAP or BMI or both or whatever.
Same with radio stations.
So this friend's job was to go around and basically find restaurants that weren't paying up their licensing fee and reporting back.
And they would get a strongly worded letter from ASCAP or BMI basically saying, you know, you can pay us now or you can pay us later.
And if you pay us now, it'll be a lot less money.
I tell that story because it kind of leads into this story, which is sort of an automated version of that.
Right.
It's an automated version from La Liga.
Yeah.
It's Spain's top professional soccer league.
Okay.
And they have now been slapped with a €250,000 fine for violating user privacy because they're
using a feature kind of like Shazam that listens to music.
Right.
And they're using it to identify pirated copies of their soccer games.
So somebody who doesn't have the rights to play these games in a public place, La Liga
is entitled to their royalties on these games.
Right.
So if I'm a bar and I want to show this to my patrons, I have to pay for that.
You have to pay for it.
Right.
Okay.
But what La Liga is doing here is they released their soccer app and they put in the user's
app the ability to listen to the audio in the room and then they're going to listen
using the same kind of technology like Shazam to see if the sound fingerprint coming out
of a TV matches the sound fingerprint from a game.
They're also going to use GPS to see where the phone is and see if that location has
a license to show that game.
And they didn't let the users know that that was what they were doing, was essentially
operating as spies on behalf of La Liga.
Now, they claim that the fingerprinting technology that they're using only uses a little tiny bit of the audio information and that it's impossible for them to record human voices or human conversations.
Yeah, they're probably not doing that.
That's right.
I find – I still find that hard to believe.
That is not the point.
Yeah, it doesn't matter.
It's like I broke into your house, but all I did was rearrange the furniture.
Right, and cleaned up.
You still broke into my house.
Exactly.
It's still breaking and entering.
Right, right.
Now, I'm guessing that it was probably, as always, buried somewhere deep in the EULA that they had permission to do this.
And they'll probably say that when you initially fired up the app, you gave us access to the microphone.
And your GPS server.
And your GPS.
Or GPS system, rather.
So this is what GDPR was supposed to be for, right?
Right.
And this is a GDPR fine, I think.
It is, absolutely.
Yeah.
Yeah.
So I say good for GDPR in this case.
Yeah, I would agree.
This is a win for privacy.
Yeah.
The other sort of thing that troubles me about this is that this is going to be fuel to the fire that our phones are listening in on us.
Right, right, yeah.
Because we've made the point over and over again that in general they're not, but here's a case where they are.
Right, they're absolutely listening in.
Yeah, and that's bad.
I mean, that's what the capability of these things is.
They always had the capability to be listening to you.
Right, and here's a case where somebody actually did it. Right. All right. Well, it's troubling. Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.