CyberWire Daily - Cyber Sitzkrieg. Waiting for the Bears to show up (and ready to set the Dogs on them). Facebook private messages for sale.

Episode Date: November 2, 2018

In today's podcast, we hear that people are asking if that lull in Chinese cyber operations was just a strategic pause. Huawei's on a charm offensive. People are seeing plenty of Russian trolling, but... election hacking proper continues to be quiet. Another strategic pause? US Cyber Command is said to be ready to respond to any election cyberattacks swiftly and in kind. And if you want to hear what people think about 80s techno-pop, a dark web souk will sell you the relevant Facebook messages for just one thin dime apiece. Malek Ben Salem from Accenture Labs on blockchain use in election security. Guest is Shannon Morse, host and producer at Hak5.org. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_02.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Was that lull in Chinese cyber operations just a strategic pause? Huawei's on a charm offensive. People are seeing plenty of Russian trolling, but election hacking proper continues to be quiet. U.S. Cyber Command is said to be ready to respond to any election cyber attack swiftly and in kind.
Starting point is 00:02:15 Later in the show, we've got my conversation with Shannon Morse from Hak5. And if you want to hear what people think about 80s techno pop, a dark web market will sell you the relevant Facebook messages for just one thin dime apiece. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 2, 2018. The lull in Chinese cyber attacks during the previous U.S. administration and the early days of the current one appears to have amounted to a phony peace, a Sitzkrieg, if you will.
Starting point is 00:02:55 Carbon Black's recent quarterly threat report has led some to conclude that the lull was a period of learning and development during which the PLA and the Ministry of State Security took lessons from Russian operations. Now it seems, as Ars Technica puts it, Beijing has taken the gloves off. Much of the Chinese cyber offense still seems directed at industrial espionage,
Starting point is 00:03:18 as recent U.S. indictments of some of their operators would indicate, but increased tensions over trade and over Chinese attempts to encroach on international waters in the South China Sea raise the probability of other uses of cyber attack. The Five Eyes generally remain suspicious of Chinese hardware manufacturers, with a particularly hard scowl being directed from the Australian and American eyes. Huawei is continuing its charm offensive,
Starting point is 00:03:46 seeking to reassure leaders in Canada and Australia that they've got nothing to fear, security-wise, from letting Huawei hardware into their 5G network build-outs. There may be a partial explanation for terse warnings of cyberattacks targeting Iran. Bleeping Computer says, based in part on reporting by Israeli outlet Hadashot, that Iranian infrastructure has recently been afflicted with a Stuxnet-like strain of malware. Evidence remains thin, so these reports must be regarded as preliminary, especially given the infections that have been named,
Starting point is 00:04:22 which seem more like spyware incidents as opposed to ICS malware installations. Turning to the U.S. midterm elections, people are noticing the readiness of voters to swallow fake emails and catfishy profiles. What's surprising about this is the surprise, as if everyone thought that the electorate was critical and sophisticated in the ways of persuasion, as if no one had ever heard of P.T. Barnum's observations on the birth rate of suckers.
Starting point is 00:04:51 It's one per minute, in case you've forgotten. Trolling aside, and there's no shortage of that, observers are wondering where the Russians are in the U.S. midterm elections. The bears have been relatively quiet, which leads nervous commentators to breathlessly predict a big surprise for next Tuesday's voting. Among the scarier speculations are corruption or denial of service attacks on voter registration databases that would effectively turn people away from their polling places, or even a takedown of significant portions of a power grid that would also disrupt the election.
Starting point is 00:05:26 U.S. Cyber Command seems to be ready to retaliate in kind against any Election Day cyber attacks. National Security Advisor Bolton said this week that any such retaliation would be short of war, but what those restraints might amount to in practice is difficult to say. Russian information operations may have been more effective at home than abroad. Apparently, conventional wisdom among Russians is that the U.S. will experience a second civil war by 2020. Celebrities and businesses sometimes come to take too much stock in their own press releases. The same might happen with trolling and statecraft, too. Foreign affairs are influenced by wishful thinking more than one might like to think,
Starting point is 00:06:09 and authoritarian societies that strive to control information seem, paradoxically, more susceptible to this sort of fantasy blowing back at them. The BBC reports that tens of thousands of Facebook private messages, many from accounts based in Russia or Ukraine, are now for sale on the dark web. The proprietors of this particular market contacted the BBC to boast or to advertise their possession of data from some 120 million Facebook accounts. That number seems suspiciously high and has met with cautious skepticism, but the BBC did have security firm Digital Shadows examine part of the take
Starting point is 00:06:50 and confirmed that 81,000 of the accounts did appear to be genuine. A crook with the hacker name FB Sailor, he probably meant to call himself FB Seller, but spelling is hard, described the offering as follows, quote, We sell personal information of Facebook users. Our database includes 120 million accounts, end quote. The wares went up in the online market back in September. The hackers, who've taken down their page since drawing attention to themselves, were offering the accounts for 10 cents a pop. As we've noted, most of the compromised data belong to users in
Starting point is 00:07:25 Russia and Ukraine, but there have been a few victims in the U.S., the U.K., Brazil, and some other countries as well. Some of the private messages are intimate or embarrassing, but a lot of them seem pretty anodyne, hardly worth a couple of nickels the hoods are charging. Examples the BBC mentions include vacation photos, possibly embarrassing, chit-chat about a Depeche Mode concert, sure to be embarrassing, and complaints about a son-in-law, arguably better kept quiet but hardly surprising. We're pretty sure Anatoly and Sergei already know what Tanya's and Sonia's moms think of them. Facebook says it hasn't been compromised and that they think rogue browser
Starting point is 00:08:05 extensions were the source of the data loss. It's contacted the browser vendors and asked them to boot the bad extensions from their stores. The BBC's consultants think this is a criminal operation, not something run by the Russian intelligence services. That's certainly how it looks. One of the crooks' websites, established in, where else, St. Petersburg, had an IP address that the Cybercrime Tracker Service says has been used to distribute the LokiBot credential-stealing Trojan. But a few words to the wise. Watch those browser extensions. Also watch your virtual tongue. Would you like your thoughts about that recalcitrant, probably dope-sodden layabout son-in-law
Starting point is 00:08:47 to be on the front page of the Washington Post? Or worse yet, splashed all over Reddit? We speak purely hypothetically, of course, since Chad, Lamar, and Randy are no doubt swell guys. But it does make one think, doesn't it?
Starting point is 00:10:47 And joining me once again is Malek Ben Salem. She's the Senior R&D Manager for Security at Accenture Labs. Malek, welcome back.
Starting point is 00:11:37 Here in the U.S., we are coming up on our midterm elections. It'll be here before we know it. And there's been talk about using blockchain for election security. Bring us up to date here. What do we need to know? There's been discussion about voter fraud in elections and the need to reduce that or the need to make sure that everybody who can vote is able to vote. We need to increase the number of people who can actively vote. And one approach to do that is the use of online voting, right? But we know that online voting is not very secure. So there's been discussion about
Starting point is 00:12:14 how can we leverage blockchain technologies to provide some of the benefits that online voting can bring while ensuring that there is enough security and that the integrity of the elections is preserved. However, I think it's important to know that, you know, some of the main benefits of blockchain technology, namely that it's distributed and, you know, it's basically a distributed ledger, that those unique characteristics also, in some cases, are the roadblocks to adopting that technology for elections. So, for instance, if we talk about the authentication of users or the authentication of voters in a Bitcoin's blockchain,
Starting point is 00:13:05 the typical way of using it is to generate a public address, right? That acts as a deposit-only account number. And then you have a secret digital key that you can use to send Bitcoins over. If you're dealing with a government election, that ability to have the voters create their own addresses should not be there, right? Because you want to make sure that the state and local authorities manage the lists of eligible voters.
Starting point is 00:13:39 If you committed a felony in certain states, you're not allowed to vote for a certain period of time. So there is a need for some central authority to manage that list of eligible voters, which basically does not make use of that main property of blockchain as a distributed ledger where everything is completely distributed, where every person can join the blockchain, create their own key and be able to, you know, transact. And we know West Virginia, for instance, has experimented with this. But again, it's not the classical, you know, blockchain technology, but it's a modified blockchain-based platform. The set of users that were used in this test or
Starting point is 00:14:27 case study were using biometrics to authenticate through their mobile phones in order to join that blockchain-based platform. But I think blockchain brings certain properties and components that may be very useful for conducting online elections. But certainly, the technology is still not that mature, and it will not be the way we know Bitcoin blockchain, but it will be certainly a modified version of it, where a lot of the authentication and the identities are handled off the chain. Yeah, it's interesting, too, because of the way elections are handled here in the U.S., where they're headed up by the states. So it seems to me like that provides an opportunity for miniature labs, you know, for the states to experiment with things
Starting point is 00:15:18 on a smaller level and see if they work. And if they do, other states can follow their lead. Exactly. Before we move on to a nationwide election. Yeah, absolutely. All right. Well, as always, Malek Ben Salem, thanks for joining us. Thank you, Dave.
Starting point is 00:16:23 My guest today is Shannon Morse. She's a host and producer at Hak5.org, famous for their popular YouTube channel, podcasts, pen testing gear, and immersive infosec training. They've built an impressive community of professionals, students, and hobbyists with a contagious enthusiasm for hacking, security, and all things tech. I started off really getting interested in computers because I used to build my own computers as a kid, and I was also obsessed with theater as well. So when I got into college, podcasting did not exist. Cybersecurity was still a very budding industry. It wasn't even a very large industry when I was in college. So I went into a completely different major. But after college, I made friends with the Hak5 crew. And I didn't have any career path plans at the time. And Hak5 was just
Starting point is 00:17:17 getting started. And they asked me to join them in Virginia. So I did. And at some point or another, they said, do you want to try to host a segment? So I did. It was a terrible segment. It was reviewing an open source video game. But they liked it. They thought that it was really cool, even though I was super awkward on camera. But over time, I've really developed a passion for it. So I'm completely self-taught in cybersecurity, information security and hacking and making. And I just fell in love with it. It took my love of theater and my love of building computers and allowed me to share it with more than just myself and more than just a small job.
Starting point is 00:17:58 I was able to share it with a multitude of people that subscribe to our channel now. Take us through what are the things that you cover over on Hak5? So Hak5 specifically covers information security for professionals and for budding hackers, people that are interested in cybersecurity but aren't really sure where to start. We focus on a slew of different playlists that kind of introduce the information to young budding professionals. So, for example, I've done videos about Linux terminal hacking. So I've done a lot of command line interface information. I've done Wireshark tutorials and Nmap and all sorts of different software tutorials.
Starting point is 00:18:44 We also focus a lot on hardware hacks too. We've built our own products that a lot of professionals use in cybersecurity now that are even listed in NIST, which is pretty awesome and we're pretty proud of. But we've been doing podcasts and selling products online for about 13 years now. The store started up in 2008. However, the podcast has been around since 2005. So it's a cool job. I would not be lying if I said that it's my dream job.
Starting point is 00:19:17 So I'm totally happy and really grateful to everybody that watches it because I'm able to live a dream job right now. Yeah, well, good for you. You and I met recently for the first time out in Las Vegas at Black Hat this year. You were one of the keynote presenters at the Diana Initiative. And can you just tell us what drew you to that? Why did you think it was important to present there? The main reason that I wanted to do that is because the longer that I've been a part of this community, not just in the convention aspects or the YouTube aspects, but the community for information security as a whole, I've noticed that there's a lot of women in the industry, but a lot of them don't really necessarily have a voice. There's a few of us out there. There's me, there's Kate, there's Hacks for Pancakes. There's quite a few of us
Starting point is 00:20:05 who share a lot of our opinions and things on Twitter and we do a lot of talks. But there's a lot of young women who are students, who are young professionals, who haven't necessarily ever given a talk. They don't have a big voice online like on Twitter or on YouTube. And they're just trying to start their young professional lives. So having Diana Initiative was really nice because it's informing people that there needs to be more diversity in cybersecurity. Currently, women make up like 11 or 13 percent. I forget the exact percentage, but from 2017, it was like 11 or 13 percent of the industry total, which is terrible. So I was trying to go there and introduce more people to cybersecurity, especially for, you know, the minorities out there. Not just women, but, you know, people of color and people that are not necessarily white males.
Starting point is 00:21:02 No offense, Dave. It's okay. None taken. So, and I would love to see that too, because whenever I work, and I've worked in several different office spaces up till now, I've worked at a bank, I've worked at a lot of restaurants, et cetera, et cetera. I've noticed that we grow a lot as an industry, no matter what that industry is, when you have a whole bunch of different people in there giving out of the box ideas, and they're able to share their experiences. Because if you just close yourself off to a very specific type of person, then you limit your ability to grow
Starting point is 00:21:38 as a business. So not only is it really good to have women there just for myself, selfishly, but also for a business because you can be highly profitable when you make your business more diverse. Yeah, and I was lucky enough to be there when you were giving your presentation and enjoyed it very much. One of the things that you pointed out was that sometimes by being in the public eye, by being front and center, that made you the target of some unwelcome attention. Oh, absolutely. Yes. One thing I learned early on when I was doing video shows on YouTube is that people definitely share their opinions in the comments and people will share their opinions over email or Twitter, wherever they can find you. And those opinions will not necessarily be constructive. Sometimes they will be destructive criticism and not necessarily good positive feedback. You can definitely give constructive feedback, but you
Starting point is 00:22:39 can give it in a positive way so that it influences the person that you're giving feedback to, to do better in their future. However, a lot of times I've experienced a lot of destructive feedback that is not necessarily focused on the content that I'm creating, but is focused on me as a person. For example, I've had people tell me they don't like how I speak or they don't like that my nails weren't done one day and I was showing a product off on a camera, on a close-up camera. There's a lot of strange things that people decide that they want to share with you. And I've also experienced a lot of harassment too, definitely based on the fact
Starting point is 00:23:18 that I'm a woman, I'm a female in the industry, but also that I'm outspoken too. I'm definitely very outspoken on Twitter. And, you know, I believe that we all have the right to be outspoken, but I definitely try to follow that kind of morale of being somebody who brings positive feedback to the industry and is not somebody who comes in there and attacks all the time. I don't think attacking people is something that really helps us grow worldwide, you know, as a community. I think that it definitely helps to be somebody who is a positive influence and who other people want to look up to and, you know, want to be a part of that kind of group. So yeah, I definitely deal with quite a bit of that kind of stuff online, but I have learned how to tune it out after 10 years. It definitely helps to have
Starting point is 00:24:12 a lot of friends that are in an industry that I can talk to. So I've opened up quite a lot and discuss these things with my friends and family and husband, et cetera. But it also helps to, you know, just have that kind of, I don't know what you would call it, that kind of feedback from your friends and family, that support group, I guess it would be. Having a support group definitely helps with dealing with that kind of harsh criticism or harassment online. And also learning how to block and learning how to filter certain words definitely helps too. Right, right.
Starting point is 00:24:48 So you have to have a thick skin, but in addition, your technical skills pay off as well. Yeah, absolutely. That's Shannon Morse from Hak5. You should check out all the things they do over at hak5.org. There's more to our conversation
Starting point is 00:25:03 that we didn't have time to include in today's program. We're going to post the complete interview over on our Patreon page. That's patreon.com slash thecyberwire. You don't need to be one of our supporters to access it, so do check it out. It's patreon.com slash thecyberwire. And that's The Cyber Wire.
Starting point is 00:25:33 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:25:54 Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Thanks for listening. We'll see you back here tomorrow.
