CyberWire Daily - Election risks—hacking and influence. Chinese industrial espionage spike. Misconfigured project management. Necurs appears briefly. Bogus Fortnite downloads. What they heard in the banya.

Episode Date: August 17, 2018

In today's podcast we run through a brief guide to election risks, and the difference between hacking and influence operations. An Alaskan trade mission prompts a wave of Chinese industrial espionage. Misconfigured project management pages may have exposed Canadian and British Government information. Necurs flared up in a short-lived spam campaign against banks this week. Crooks use bogus Fortnite download pages. Final briefs are submitted in Kaspersky's court challenge to its US ban. Emily Wilson from Terbium Labs on her experience getting certified as a fraud examiner. Guest is Marco Rubin from the Center for Innovative Technology, on the security of UAVs and drones. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_17.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 A brief guide to election risks and the difference between hacking and influence operations. An Alaskan trade mission prompts a wave of Chinese industrial espionage. Misconfigured project management pages may have exposed Canadian and British government information.
Starting point is 00:02:11 Necurs flared up in a short-lived spam campaign against banks this week. Crooks use bogus Fortnite download pages. And final briefs are submitted in Kaspersky's court challenge to its U.S. ban. From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Friday, August 17, 2018. Senator Bill Nelson, a Democrat of Florida, has been saying that his state's election system is under ongoing attack. The consensus at week's end, as expressed in the Washington Post and elsewhere,
Starting point is 00:02:56 is that the senator's warning is based on a priori probability rather than on specific evidence. Nonetheless, the states, who under the U.S. system are responsible for conducting elections, remain concerned about the integrity of the ballot. 36 of the 50 states have now deployed Albert sensors on their voting infrastructure. An Albert sensor is a relatively inexpensive hardware module that allows the federal government, specifically the Department of Homeland Security, to observe state systems that manage
Starting point is 00:03:21 either voter information or voting devices. It's thought that DHS may be able to develop quick warnings of attempts to intrude into the state's systems. The states also want the feds to loosen up in their threat intelligence sharing. Forty-four states and the District of Columbia took part in a cyber exercise this week run by the Department of Homeland Security with participation by the U.S. intelligence community. The states appear to have gained enough insight into the value of threat intelligence to decide they want more of it. Some advocate federal standards for the conduct
Starting point is 00:03:56 of elections, perhaps even mandatory standards. This isn't quite federal control of elections, which is a constitutional and cultural bridge most informed observers think is better left uncrossed, but it would arguably give the states at least some useful benchmarks to work toward. MIT's Technology Review has published a useful guide to the electoral attack surface. They divide that surface into quadrants. The first, voter registration systems, assemble and maintain a record of who's authorized to vote, and these systems find their frontline use at polling places where voters check in. These systems tend to be old, creaky, accessed by lots of people,
Starting point is 00:04:39 and susceptible to hacking. The potential risk here is a technically advanced version of a Chicago tradition of having the dead cast ballots. Alleged tradition if you live in Cook County and are the sensitive type, but rest assured, Chicago, we still love you. The second involves voter check-in. That's where poll workers use tablets instead of paper poll books. These network devices are in principle vulnerable to compromise. A voter might be told, falsely, that they've already voted and can't do so again. The third attack surface is presented by the voting machines themselves. These tend to be either optical scanning devices that read and record paper ballots
Starting point is 00:05:20 or direct recording electronic systems for which a paper record may or may not be generated. There's been some movement away from the snazzier, more convenient, and alas, more hackable direct recording electronic systems, and back to the paper ballot. But 13 states still use paperless machines, and five of these use nothing but. Finally, there are the systems that tally and report votes. These tasks are done on what Technology Review calls computers using standard operating systems. It would be more difficult to cook up a desired election result than many seem to think, but widespread hacking of these systems could certainly cast doubt on results.
Starting point is 00:06:03 There may be one historical case of this being done. Some suspect that the Russian government deleted essential files from Ukraine's Central Election Commission in ways that mucked up the 2014 vote. But in the U.S., there are generally checks on outcomes done on a precinct-by-precinct basis. Any of these four families of technology, of course, could be hit with irritating malicious encryption or, more probably, distributed denial-of-service attacks.
Starting point is 00:06:30 These are the usual coin of commodity cyberattacks, whether criminal or state-run. It's worth distinguishing all of these from malicious influence. Call them, respectively, cyberattack and information operations. There's been evidence over the last three years of foreign probing of U.S. state voter databases, and that would be the reconnaissance phase of a potential cyber attack. But most of what gets called election hacking involves influence operations. Here, the famous St. Petersburg and Moscow troll farms sing for their supper,
Starting point is 00:07:07 fomenting odd memes and nasty conspiracy narratives aimed at widening pre-existing fissures in their target's electorates. This is the sort of activity that's put pressure on social media, and that pressure is the one that's prompted a civil libertarian backlash about censorship. Turning to more traditional forms of shadow conflict, there are fresh signs of Chinese industrial espionage being reported. Recorded Future late yesterday blogged that much of the online spying is being staged through Tsinghua University infrastructure. While taking a look at Chinese government cyber surveillance of Tibetan groups,
Starting point is 00:07:42 the company observed what it called a novel Linux backdoor called ext4 in use. Their analysis of ext4 led the researchers to discover connection attempts to a compromised Tsinghua University CentOS server. The operations run through university infrastructure served economic development as well as domestic security goals. Those who might be tempted to think that state-directed espionage looks at national and commercial targets to the exclusion of other subnational governments will be interested to see the interest Chinese intelligence service took in the government of the U.S. state of Alaska. Operators targeted Alaskan state government sites, including the Alaska Department of Natural Resources.
Starting point is 00:08:27 Alaskan extraction industries are major exporters to China, selling timber, lead and gold ores, petroleum byproducts, and the biggest category of export, seafood. A noticeable spike in attention to Alaska appeared after a May trade mission the state sent to China. They also showed interest in Nairobi UN offices and in the Kenya Ports Authority and in German automotive manufacturer Daimler AG. The Intercept reports that snafus on the part of both British and Canadian governments have exposed a range of sensitive, if not necessarily highly classified information to the Internet. Various agencies and the two governments misconfigured pages of the popular project management software Trello
Starting point is 00:09:14 they were using in a way that enabled the compromise. Among the data exposed were passwords for various government sites. At midweek, security firm Cofense noted a brief flare-up of phishing attacks against banks that made use of the familiar Necurs botnet. The attack surged for a few hours Wednesday, then subsided, but in that time, Cofense said, some 2,700 bank domains were prospected. The goal of the phishing appeared to be installation of the FlawedAmmyy remote access Trojan, often by a maliciously crafted PDF attached to the email. It's not
Starting point is 00:09:52 known why the campaign was as short-lived as it was. Epic Games, makers of the wildly popular Fortnite, pulled their signature game from Google Play as a business move to avoid Google's 30% cut of downloads, understandably because that's a lot of V-Bucks by any standard. Cybercriminals have noticed this and are using bogus Fortnite download sites to spread various forms of malware. Google Play's walled garden may be more chain-linked than moated stone enclosure,
Starting point is 00:10:24 but it does afford some degree of protection. If you want to upgrade your skin from Recon Specialist to Whiteout, well, caveat emptor, and be sure you're downloading the genuine article. Finally, the U.S. federal government and Kaspersky Lab have filed their final briefs in the lawsuit Kaspersky has brought against the government's ban of their products. Kaspersky argues that the law Congress passed that kicked their products out of the federal marketplace amounts to an unconstitutional bill of attainder,
Starting point is 00:10:55 punishment imposed by legislative fiat as opposed to the due process offered by a court. A judicial panel will begin hearing the case on September 14th. For what it's worth, Bulgaria has recently decided it really doesn't trust Kaspersky either. Among the more interesting claims being made, not in court, but in the online coffee houses where we get so much of our information, is that the company is not to be trusted because Eugene Kaspersky goes to the banya, the sauna, the steam bath, weekly, and that his banya is also favored by officers of the FSB and the GRU. Kaspersky himself has called this a lot of hooey, since he really has no idea who any of the other naked guys are.
Starting point is 00:11:40 And indeed, he may have a point. Let those of us who are certain we've never been to the banya with a couple of GRU colonels cast the first venik. But don't give the banshchik your password either. Comrade.
Starting point is 00:13:54 And joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs.
Starting point is 00:14:21 Emily, welcome back. You recently got certified. You have a CFE credential. Tell us what that is and why you went after that. Yes, my very first credential and maybe my last. I have to tell you, seven months of prep was a big time commitment, but it was worth it. So I am now a certified fraud examiner. Look out, fraudsters, I'm coming for you.
Starting point is 00:14:46 It was a good experience and one that I went after because I find myself seeing part of the fraud life cycle. And I wanted to understand the full fraud life cycle. I'm seeing information on sometimes the front end and the back end. I'm seeing data that's being put up for sale, data that's being traded, techniques and tactics that are being discussed. And I see how these frauds are being committed. And so I understand what I see most often and what I think is most important. But I wanted to take a step back and put myself in the shoes of someone who's dealing with this kind of fraud every day, and particularly in an industry that is still
Starting point is 00:15:23 dealing with, frankly, a lot of actual paperwork. How does this work? How does this apply? How are people thinking about this? And what I found is that all of the same pieces of this that I'm seeing, all of the things that fraud professionals are dealing with every day, these are all the same things. And so I think there's an opportunity here to begin to bridge that gap between security and data trade and account exposure and templates and guides and tactics to commit fraud and bringing that to fraud professionals and saying, if you're wondering where they're going and how they're approaching this and how they're getting around systems, this is how they're doing it. If you want to know how data is being traded and why all of these accounts are being taken over in batches, here's how it's happening. Here's how it works. Fraud professionals are dealing with a lot of different issues. The speed of payments, issues with identity and authentication. They're dealing with good old-fashioned loan fraud and check fraud. And I'm seeing components of that. And now I understand how they're thinking about it.
Starting point is 00:16:26 And so we can work together to figure out how we can bring all of this together and how we can maybe stop some fraud. Yeah, it's interesting to me how the fraud investigators, it's sort of, it's cybersecurity adjacent, I suppose. I mean, is that a fair way to describe it? Absolutely, it's adjacent. It's running in parallel and it overlaps, but no one, it's like a Venn diagram no one knows about yet.
Starting point is 00:16:51 Describe to me, you go, you sell this to your boss at Terbium. You say, this is something I want to pursue. What was the value proposition for them? It's picking up experience in another industry and one that is beginning to recognize, you know, I saw this recently at a fraud conference I was at, one that's beginning to recognize the value of data and the impact of exposed data on the work that they are doing every day. And so it was a chance to say, this is where it's going. This is actually where it already is happening. And the industry is starting to recognize that they're starting to see it right. The dark web is coming up in conversations at fraud conferences in the same way that malware and phishing and ransomware are coming up. This
Starting point is 00:17:34 is starting to be part of the conversation. And I want to be a part of that. I want to understand how people are thinking about it and how they're approaching it. I saw this as an opportunity to do that. And I have to tell you, the community has been very open. This is a collaborative set of professionals who recognize shared problems and are looking for shared solutions. And I think the security community could stand to learn from that. That's an interesting insight. Emily Wilson, thanks for joining us. Thank you. Marco Rubin. He's Senior Investment Director at
Starting point is 00:18:52 the Center for Innovative Technology, that's CIT. Our conversation focuses on CIT's desire to explore and invest in technologies and innovations that improve the security and safety of unmanned aircraft and drones. We're looking at both consumer-grade drones as well as commercial and institutional-grade drones. So, for example, on the institutional side, we recently made an investment on the equity side, the drone technology out of NASA Langley, and that would be serving both government, military, and commercial markets. So that would be an example of the institutional side. We are looking at investment opportunities from the consumer, the mass market side, but we're primarily focused on essentially good investments. And in this area that we're talking about, this convergence of security and
Starting point is 00:19:45 these different platforms is a fairly nascent area, depending upon, you touched exactly the point, it's more developmental on the commercial side and the consumer side than it is on the governmental side. So we have to think of it as a more ruggedized kind of platform on the military side, as you might imagine. It is fairly early for us. So we're just now in the process of defining that. And for us, one of the areas that's kind of exciting is defining what experiments look like for security and autonomy. So right now, I would say we are interested in seeing what other people have to say about what would be an interesting experiment to conduct to mature the infrastructure, the ecosystem. We were just
Starting point is 00:20:27 discussing earlier today this idea about an experiment to see what it would mean to create more of a hardened security structure for a commercial drone flying over a heavily populated area, for instance, and of what interest would that be, for example, to the insurance industry? So those are the kind of things that we're starting to think through. But quite frankly, there are a lot more smart people out there than are in this building, and we're looking for ideas to drive that. And we've seen some innovators come up with both quiet technologies as well as safer technologies that have fail-safe mechanisms. The beauty of it is we're starting to see a lot of interesting innovation early on in this area. And it's not just the air segment, too.
Starting point is 00:21:11 It's also in ground vehicles. We're also seeing it in maritime, where some of the data links to maritime drones. It's a real issue. How do you propagate a signal in water versus air? What are your specific concerns when it comes to security? Can you describe some of the issues there? The FAA likes to define airspace, both controlled and uncontrolled airspace. And definitionally, you know, it's the government, if my memory serves me correctly, they have a series of class A through E airspaces, which are definitionally for controlled
Starting point is 00:21:44 airspaces. And then there's a whole different category for what you would describe as an uncontrolled airspace. And so when you're talking about controlled versus uncontrolled airspace, you have different regulatory structures in place. One area the government's really interested in is creating a national sovereign airspace. So imagine you want to be able to fly from point A to B. And what does that mean if you're flying over from here to Leesburg to another location? You'd like to have
Starting point is 00:22:11 a uniform air control system. And with that comes implications on how you design for reliability. So to your point, do you want a safe vehicle that has not only security but high reliability in the design? And there's a real question about deconfliction. When you get a drone, to your point, it can be easy to operate. And what happens when a commercial, a professional drone operator or even a helicopter, quite frankly, is at a crime scene or an incident, and you have just John Q. Public operating a drone in the area, and you get into all sorts of potential collision avoidance scenarios? So one of the big topics right now is exactly that in airspace: how do you manage deconfliction? How do you avoid aircraft A from
Starting point is 00:22:59 colliding into aircraft B? And what is the mechanism, both policy and technical, that that happens? And then, quite frankly, how do you avoid a malicious attack, so it isn't deliberately done, right? And it starts getting to be very complex. And then the last thing you want to have happen, of course, is you don't want to have City X create its own little municipal rules because they don't want a particular aspect of drone operation over their airspace. So that's the whole idea behind kind of this sovereign airspace concept. So we create essentially one set of rules to fly from point A to B. And that's, in my view, what would be really interesting is to get some of the great minds out there in cyber and start thinking about, hey, what are some experiments we can do in a control setting, which is what some of these platforms that we have here are in the center of excellence and this IPP win that we had with the FAA, which is, hey, we can now test air, ground, sea, and actually, I would even argue, space.
Starting point is 00:23:59 There's a question of how is it, to what extent is a satellite considered an autonomous vehicle, a low-earth orbiting satellite, for instance. Right. And to what extent is there vulnerability from a malicious attack or, you know, so the same sort of thought process that you see in other systems applies here. And I think it's kind of an early frontier. And I know some of the three-letter agencies are concerned about that. You know, how do you take a commercial low-earth orbiting satellite system and know that the comm links are robust and not vulnerable to an attack?
Starting point is 00:24:32 So you can go a little bit crazy with some of the scenario analysis, but the point is I think there's an opportunity to start defining that in a kind of a control way. So I'm hoping that we can kind of get that message out to the public that says, hey, you know, we're going to look at these things through our Autonomous Center of Excellence and now's a good time to start getting engaged with us. That's Marco Rubin from CIT, the Center for Innovative Technology. If you think you've got something to contribute, they would love to hear from you. You can check out their website at cit.org. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast
Starting point is 00:25:23 of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
