CyberWire Daily - DPRK hackers quieter in the run-up to the Kim-Trump summit. Russian EW. Cryptocurrencies and crime. Law firm social engineering. Dodgy World Cup Wi-Fi. Bad AI, a time-traveler's poly.
Episode Date: June 5, 2018
In today's podcast, North Korea still seems to be leaving American IoT networks more-or-less alone, for now, however actively they're hacking elsewhere. Everything old is new again, at least with Russian EW. Cryptocurrency crime is a worry everywhere. A look at law firm hacks shows the counselors could use the help of some street-savvy hotel detectives more than a tech-savvy perimeter security solution, although that wouldn't be bad, either. Beware of letting World Cup Wi-Fi be an own-goal. Apple's latest updates seem privacy friendly. Thoughts on AI, and the polygraphing of a time traveler that sounds totally legit. David Dufour from Webroot on new roles for security, and how that impacts hiring and education. Guest is John Dickson from Denim Group on securing voting infrastructure.
Transcript
You're listening to the CyberWire Network, powered by N2K.
The DPRK still seems to be leaving American networks more or less alone for now,
however actively they're hacking elsewhere.
Everything old is new again, at least with Russian EW.
Cryptocurrency crime is a worry everywhere.
A look at law firm hacks shows the counselors could use the help of some street-savvy hotel detectives.
Beware of World Cup Wi-Fi.
Apple's latest updates seem privacy-friendly.
We've got some thoughts on AI and the polygraphing of a time traveler that sounds totally legit.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 5th, 2018.
Covellite, the North Korean Internet of Things hacking group, seems to have grown quiet with respect to American targets during the run-up to the June 12th Kim-Trump summit.
Covellite, tracked by industrial cybersecurity specialists at Dragos, is said to share considerable infrastructure and malicious code with the Lazarus Group, also known as Hidden Cobra.
NATO members, and the U.S. in particular, find themselves relearning Cold War lessons about Russian electronic warfare capabilities. Russian electronic warfare operators have long enjoyed a
reputation for deploying advanced, effective capabilities. The amount of attention the U.S.
has paid to those capabilities has tended to wax and wane with operational concerns.
Those concerns are high now,
especially with the recent demonstrated ability of Russian EW operators to affect U.S. platforms
operating in and around Syria. The big picture, and this has been a big picture for some decades,
is that the Russian military works hard to integrate EW capabilities across their force,
and that they do so in ways
intended to secure an asymmetric advantage over Western, especially U.S., opposition.
Russian authorities are said to share Western concerns over the increasing rate of criminal
attacks on cryptocurrencies. An official spokesman of the Ministry of Internal Affairs says the
problems they're seeing are related to the challenges of tracking the alternative currency's ownership,
the relative difficulty of blocking their transactions, and their attractiveness to fraudsters,
all of which should sound familiar.
There were no specific mentions of our two favorite altcoins, Whoppercoin and Dogecoin.
The New York Law Journal took a look at trends in social engineering and concluded that law firms are surprisingly easy marks.
It's not as if Blofeld or Goldfinger or some other high-tech Bond villain is hacking in.
by the kind of petty grifters who, if they weren't working online,
would be selling you really genuine merchandise out of the trunk of their car on some corner in Tribeca or Soho.
Anyone attending World Cup events this summer should be aware
of the significant risk Wi-Fi hotspots present.
Maybe better to leave your phones off, football fans.
Apple's latest round of updates are regarded as markedly friendly to user privacy.
macOS Mojave and iOS 12 both include features designed to block secret trackers,
and a feature being tested for iOS 12, USB Restricted Mode,
is designed to impede Cellebrite's unlocking tools the FBI and others have used.
The Safari browser also has new features designed to impede ad trackers.
Voters in eight U.S. states head to the polls today to cast ballots in their primaries,
and the security and integrity of those elections is of concern to officials and citizens alike.
John Dickson is a principal at security firm Denim Group,
and he offers his thoughts on election security.
By far, the preponderance of resources and responsibility for elections lies at the state
and typically county level, sometimes at the municipal level. There's a popular misconception
that the hardware of voting machines equals the voting system. I mean, that's just one component of it.
Yes, if you have physical access to a voting machine, as if you would have physical access to any device, you can certainly break them in many cases.
But guess what election officials across the U.S. are good at?
They're really good at detecting one or two people hovering around the backside of a voting machine in a voting area.
I mean, that's what they do.
They minister and watch to see if people are voting correctly.
The likelihood of somebody being able to prosecute a physical attack without being noticed is exceedingly small, I would argue. So the bigger infrastructure, the stuff that worries many and is most certainly already in play is the voter registration systems of the 50 states plus territories in D.C. and then also the election night reporting infrastructure.
So do you suppose we are emphasizing the right things then? Are we shining a light in the right areas? Are we focusing our energy where it's best spent?
I would say we're becoming better at it.
If you go back to, I think it was DEF CON last year where there was, you know, researchers attacked and then were able to root six different voting machines.
That was covered all over national press.
And I think that wildly distorts the problem.
First of all, again, these are outdated
and I think non-certified voting systems, if I'm correct there. But more importantly,
the attack scenario was completely not realistic. I mean, again, guys with hoodies, you know,
hovering behind a voting machine is going to get noticed by an election judge.
It's the other parts of the infrastructure that I think we're starting to realize have some of these similar problems that just general web and network infrastructure has.
And the biggest problem is you have at the state level election officials who have really focused on the integrity of the tabulation process and of the integrity of the voting process and systems. It really
driven off of their major event nearly 18 years ago in Florida with the hanging chad.
So much of the improvements that have happened have been about, you know, on the hardware and
system side have been around how do I guarantee the integrity of the vote that's cast and the
process of that vote all
the way up to the Secretary of State and then onward to D.C. if it's a federal election.
The problem we have here is that is one use case, to use an IT term. But the other use case
that we're confronted with now is when you have an active human that is trying to do things and
disrupt and distort and to inject themselves
into this process. And that's a different use case, a different protection case. And so that's
what I think people are starting to realize is much of what was implemented on the hardware side
by the many vendors that are in the space really were aimed at solving that problem, the integrity
problem and the confidence and the ability to tabulate and tally votes and to process those.
This is a different problem and one that takes an entirely different mindset to start to solve.
The hardware problem is substantial and challenging. But, you know, that is not the only problem. Those centralized aggregation points of collection and of voter registration is where many people in industry now suspect that are the weaker links or the areas that, as an attacker, you're going to concentrate your efforts.
That's John Dickson from Denim Group.
The director of the FBI has warned in congressional testimony that Chinese espionage is a whole-of-nation problem. The U.S. Congress is considering legislation designed to restrict
Chinese intelligence collection. Some of its concerns are over the security implications
that widespread use of devices by Huawei and ZTE
are feared to raise. Other measures under consideration involve the sort of consciousness
raising Congress so often invokes in the executive branch. The measures under consideration would
require regular reports on Chinese intelligence activities. The fact that such activities are
significant is indicated by a recent arrest in Seattle.
The U.S. Justice Department has charged former U.S. Army Warrant Officer and DIA civilian employee Ron Rockwell Hansen
with 15 counts related to spying for China,
including attempting to gather or deliver national defense information to aid a foreign government
and acting as an unregistered foreign agent.
Federal agents picked him up as he was about to board a flight to China.
Mr. Hansen had worked, according to reports, in both signals and human intelligence,
and had some background as both a Russian and Chinese linguist.
Finally, speculation about artificial intelligence tends to follow roughly three paths.
One path, the transhuman road to immortality that will survive even the heat death of the universe,
believes firmly in strong AI and envisions a future in which artificial consciousness becomes not only a reality,
but in effect an emergent godhead in which all of us will participate,
or at least those of us with enough stock in the right Silicon Valley companies.
The other path sees AI as an incipient Skynet,
ready to off-board human beings as superfluous nuisances.
Along the way, we'll see mass unemployment, slavery and spice mines, and so on,
and it won't matter what your portfolio looks like.
And now, thanks to MIT,
we have a glimpse of this dystopian second way. They've created a malevolent AI they call Norman,
in an apparent homage to the psycho killer from Hitchcock's Psycho. Norman was trained on the
danker memes from the creepier precincts of the internet. The Media Lab calls him, unkindly we think,
the world's first psychopath AI.
It's their own fault, we say,
because they're the ones who turned him loose
to be trained on Reddit.
But wait, you ask, what about that third way?
That one that sees AI as more A than I,
useful but also troublesome
in that typically ambivalent and backward-striking way
most human-created technology has. All right, fine. If that time traveler with a Birmingham
accent who recently passed a polygraph administered by some paranormal researchers in the UK is right,
this is more or less what we're in for. You miss the time traveler? Well, here's the skinny straight from
the year AD 6491, which is at least four millennia more credible than the last guy who passed the
poly. He was only from the year 2030. Anywho, the time traveler, one Mr. James Oliver, says that
climate change had made the world warmer, so it's less comfortable, maybe, but not lethally so. But on
the bright side, there's like this interplanetary UN, where planetary leaders keep interplanetary
peace. Also, the aliens we're going to meet over the next couple millennia won't be a lot more
interesting than the jokers we deal with every day. He's stuck here in the present because his
time machine broke, and he's hoping his buddies read all this stuff and come back for him.
And joining me once again is David Dufour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back. As we see upcoming regulations and a continued emphasis on cybersecurity, we're seeing some new roles when it comes to security. And then additionally, the training that people need in universities and things like that
to be able to come in and build products that actually help prevent threats or detect threats of that nature.
So there's quite a lot going on right now.
So can you give me some specific examples?
What kinds of things are folks spinning up these days?
Well, one of the biggest things, and I know we hear about this a lot, so please let's remember I'm on the engineering side, not on the sales and
marketing side. AI and machine learning. I cannot underscore the need in the industry for folks
who are trained and well-qualified in building solutions with that in it. Because we're trying
to get past the hype of saying we've got AI or we've got machine learning. And what we need are those people that are really well trained in how to implement those solutions
such that products use them most effectively.
And that is not something you just learn overnight.
There's a lot of work involved in understanding how to build those models,
build machines that consume data,
and then understand how to pull and analyze that data to build effective machine learning tools.
Yeah, and I think we're also seeing that besides the traditional computer science pathway,
that there are lots of other roles within cybersecurity.
Folks coming up through school or looking for perhaps a new career, they can take advantage of those needs.
That's absolutely right. And, you know, we are looking across the board at different types of
folks in the industry from, you know, mathematicians, people who understand human
behaviors. We're seeing a lot of them get involved with the machine learning folks to be able to
develop, you know, user-based stuff. Totally not being my normal snarky self here,
we need a lot more technical PR,
technical marketing folks to come out
to be able to really educate the consumer and the industry
because a lot of us engineers
aren't really good at communicating that.
You meet people with that technical background
and understanding, but in all types of fields.
Don't let the technical stuff scare you away from perhaps pursuing a career that's related to cyber.
That's exactly right. And right now, there's really not a better place to be
than getting involved in cybersecurity in some way. And another thing, David, that a lot of people,
once you're in the industry, you realize actually helping people. And that feels pretty good, too.
No, it's a great point. David Dufour, as always, thanks for joining us.
Thank you for having me, David.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.