CyberWire Daily - Election security and influence operations. Hacking the Fleet. Undersea cable competition. 5G worries. Calls to rein in Big Tech. UN report outlines North Korean cyber crime (there’s a lot of it).

Episode Date: March 13, 2019

In today’s podcast, we hear that election interference concerns persist around the world. Governments seek to address them with a mix of threat intelligence and attention to security basics. A US Navy report says the Fleet’s supply chain is well on the way to being pwned by Chinese intelligence. Undersea cables are a center of Sino-US competition. The European Parliament warns about the Chinese threat to 5G infrastructure. More calls to rein in Big Tech. And the UN looks at North Korea and sees massive cyber crime. Emily Wilson from Terbium Labs with a look back at the Equifax breach. Guest is Dr. Wenliang (Kevin) Du from Syracuse University on his SEED labs and the importance of hands-on training in cyber security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_13.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 Election interference concerns persist around the world. Governments seek to address them with a mix of threat intelligence and attention to security basics. A U.S. Navy report says the fleet's supply chain is well on the way to being pwned by Chinese intelligence.
Starting point is 00:02:12 Undersea cables are a center of Sino-U.S. competition, the European Parliament warns about the Chinese threat to 5G infrastructure, more calls to rein in big tech, and the U.N. looks at North Korea and sees massive cybercrime. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 13th, 2019. Election interference concerns have continued to receive attention in several countries. Indonesia is the latest nation to say that its elections are coming under attack by Russian and Chinese actors. The interference Jakarta claims it's seeing runs from influence operations to the creation of ghost voters. Investigations into voter fraud are underway since those ghost voters
Starting point is 00:03:06 are fictitious persons created for the purpose of directly affecting results. The reasons for the reported interference aren't fully clear, but at least one of the objectives appears to be disruption and an attendant erosion of trust in civic institutions. And the creation of ghost voters suggests that at least one of the threat actors is interested in pushing particular electoral outcomes. The Swiss Post e-voting system, whose vulnerability to backdooring was revealed this week, has its users scrambling for mitigations. The system is widely used in a number of jurisdictions around the world.
Starting point is 00:03:44 Some of them, like the government of New South Wales in Australia, are looking to ensure security by air-gapping the systems. The issue arises from the system's mixnet, which is designed to prevent votes cast from being linked to individual voters. Unfortunately, the system is open to manipulation in ways that could alter vote tallies. India is preparing for a national vote and authorities there, CNN reports, are concerned that social media will become fully weaponized by contending factions and possibly by external actors.
Starting point is 00:04:18 In India, weaponization is a particularly sharp metaphor. Facebook in particular has been used to organize violence along social and religious lines. The U.S. House of Representatives is holding hearings on election security this week. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency Director, Christopher Krebs, is testifying today.
Starting point is 00:04:42 His prepared remarks echo what we heard from him last week at RSAC 2019. CISA sees considerable benefit from its ongoing engagement with state, local, territorial, and tribal authorities. The testimony suggests a commitment to a strong ground game, informed by threat intelligence, but concentrating on getting the security basics right. Venezuela's power crisis continues. Disputed President Maduro continues to blame U.S. hacking for outages, and he's ordered U.S. diplomats expelled.
Starting point is 00:05:20 The U.S. had already announced its withdrawal of diplomatic staff, so the Chavista leader's order has an air of, you can't quit because you're fired. The U.S., Senor Maduro says, conducted a demonic electromagnetic attack to turn the power off in most of the country. But Maduro's hacking story finds relatively few takers. Most observers acknowledge that taking down a power grid by cyber attack is certainly possible and that doing so is in all likelihood within the capabilities of any number of cyber powers. But they also think that Venezuela's
Starting point is 00:05:50 tottering infrastructure needed no such push to bring it down. There's also the question of motive and national strategy, and neither of these seem to fit the U.S. attack Maduro insists the U.S. has made. But Venezuela's current agonies are instructive nonetheless. They show the widespread suffering a long-lasting interruption of electrical power can impose. Consider loss of lighting and its effect on public safety, or loss of refrigeration and its effect on food storage. An account in Wired of the difficulty of a black start, that is, bringing a dead grid back online, illustrates the consequences of infrastructure collapse. Load balancing is particularly tricky, and a lack of understanding of what caused the outage in the first place renders a black start even harder.
Starting point is 00:06:39 China, by the way, has expressed its concern that Venezuela may have come under cyber attack and has offered to restore the country's power. Even if help shows up, it won't be an easy task. An internal report to the Secretary of the Navy outlines the extent to which the U.S. believes Chinese intelligence services have successfully prospected both the U.S. Navy and the contractors who support it. The report hasn't been released to the public yet, and the Department of the Navy hasn't commented on it, but the Wall Street Journal has, as it said, reviewed the report, and they have an account of its contents. The report is said to warn that the U.S. is under relentless cyber attack by China, and that these attacks pose a risk to American military and economic leadership.
Starting point is 00:07:26 The Navy itself, the report is said to conclude, has neglected cyber operations in favor of its preferred kinetic operations and that it's been particularly slow, perhaps to the point of negligence, in addressing supply chain risk. The service hasn't heeded warnings that its contractors and their subcontractors would be targets of Chinese espionage, and so has neglected the threat to the defense industrial base that sustains the Navy's operations. Huawei posed to infrastructure. The EU seems to have moved toward agreement with the U.S. assessment. The European Parliament has taken official notice of the threat to 5G networks Huawei and ZTE might pose. Whether this leads to a ban or not remains to be seen. In the U.S., Congress is considering legislation that would lead universities to exclude Huawei and Russian security firm Kaspersky from networks
Starting point is 00:08:25 where they might have an opportunity to collect information on sensitive research. Easily overlooked, perhaps because underwater, is that portion of the telecommunications infrastructure that takes the form of undersea cables. Those cables are proving a fresh field for Sino-American competition, as Huawei's efforts to develop a pervasive share in that market draw attention. Australian authorities have for several years expressed reservations over Chinese companies' involvement in undersea cables, and Australia's concerns have regional impact, as many of the telecoms cables serving southwest Pacific nations connect through that country.
Starting point is 00:09:04 Dr. Kevin Du is a professor in the Department of Electrical Engineering and Computer Science at Syracuse University. Over the past 15 years or so, he's developed over 30 hands-on lab exercises for cybersecurity education. They call them SEED labs. Those labs are now being used by over 800 schools in more than 60 countries. When I was a student, we did a lot of hands-on work. But when I started teaching security, I also wanted to do a similar thing because I strongly believe that students learn better from doing stuff rather than just learning from the slides and the textbook. So I was looking around. I was trying to find some of the hands-on labs
Starting point is 00:09:46 that I could use. But at that time, the security was at the beginning stage. There were not many, actually, labs that you can use. There were some, but in order to use them, probably going to spend a whole month just to learn how to use those labs. At that time, I was thinking maybe I can just develop a few.
Starting point is 00:10:06 And for my own class, I wrote a proposal to NSF, get a very small grant. And that's how I get started. And then three years later, and I said, oh, this is great. I got five labs. And many people actually like that. My students like that. So how about make the 30? So I started and to build up and I got another grant. So that grant is a medium-sized grant that allowed me to actually build up the lab, 30 labs. And initially it was only for my own use, but gradually and I put on the web and other professors and they also like to use the lab. A few years ago, I got another grant from NSF allowing me to provide a training workshop so I can train the other people to use that. I use the money basically to fly in other professors to Syracuse.
Starting point is 00:10:57 So we have a four days workshop. Nowadays, I think that at least 800 schools, I cannot track everybody, but 800 people told me and they are using the lab. But there are many schools, they simply use the lab. They don't tell me, which is perfectly fine. You don't need to tell me. Yeah, it's been a big success. You call these SEED labs. That's S-E-E-D.
Starting point is 00:11:20 And it's been certainly it's spread around the world. Why do you think this hands-on approach is the way to go? Because when you do things, actually the things they are doing is fun. Cyber security itself is a very fun thing to do, right? We talk about attack, we talk about the defense. Students feel this is so interesting. Why can't I try it on myself?
Starting point is 00:11:41 Of course, without getting myself into trouble. Now, if you can teach a student how to do this, and they will understand better how the attack works. And then in return, they can actually develop a better defense mechanism. And what kind of feedback have you been getting from the students who've been taking advantage of these, as well as some of the professors around the world? Very, very positive. So students, they told me of those labs
Starting point is 00:12:06 and helped them a lot. Some of the students, they said, when they go out for a job interview, what the companies ask, and they can immediately actually connect with my lab, the knowledge they gain from the lab. Actually, these days, and some of the students, they told me,
Starting point is 00:12:21 when they go to do an interview, and those companies, they just took out some of my SEED lab, asked them to work on the labs, and they were laughing. And we did that in the class. Yeah. So that's kind of feedback. And also from the other professors, the feedback is they all know designing a lab takes a lot of time because it took me 15 years, 16 years to develop these 30 labs so I can share with others. So if any professor wants to start from scratch, every single lab is going to probably take
Starting point is 00:12:54 them a few months to develop. So having those labs and they can immediately download my lab and they can use that for free, that saves them a lot of time. So a lot of feedback, they basically say I saved their time so they can focus on teaching instead of spending so much time developing the lab that I have developed. And Syracuse University, of course, we focus a lot on the education. So if we can teach well, if students
Starting point is 00:13:24 learn from our teaching, that's definitely aligned very well with the mission of Syracuse University. And from the deans, from the department, the chair, they're very, very supportive of this project. That's Dr. Kevin Du from Syracuse University. You can find his free SEED labs online. Microsoft's patches yesterday addressed 64 issues, 17 of which Redmond rated critical. Two of the patches fixed zero days exposed recently by Google's Project Zero. A report to the UK's Treasury doesn't directly advocate breaking up big tech companies, but it's not good news for them either.
Starting point is 00:14:07 The report advocates returning control of individual persons' data to the individuals themselves, and this is regarded as posing a direct threat to the business models of companies like Google and Facebook. Finally, not all nation-state hacking is either sabotage or espionage. Sometimes it's just plain theft. That's the case with North Korea. A report commissioned by the United Nations Security Council finds that Pyongyang is using cybercrime as a principal mode of sanctions evasion and revenue enhancement. The DPRK follows the fashionable money.
Starting point is 00:14:42 The report says a lot of its efforts have gone into compromising coin miners and cryptocurrency exchanges.
Starting point is 00:16:42 And joining me once again is Emily Wilson. She's the VP of Research at Terbium Labs. Emily, great to have you back. We are going back and revisiting some stuff about Equifax, which has popped up again in the news recently. What's the latest? We are going back to Equifax, and I think, unfortunately, we're going to keep going back
Starting point is 00:17:38 to Equifax for a while. What got my attention was a story from Yahoo talking about some legislative agenda that Congress is looking to kick off now in this new term, kind of revisiting the Equifax question. And this is the credit reporting agency question. It's a question about, you know, having done enough in the wake of the Equifax breach. What got my attention was a quote from Maxine Waters, who's now coming in to head the House Financial Services Committee, saying that the Equifax question isn't closed. She's going to come back to this and it's not done yet and we're going to see this continue to be brought up. So my question is this. What does that look like? If we're talking about revisiting the Equifax question, if we're talking about going back and making sure more is done, are we talking about justice? What does justice look like in this? Are we talking about
Starting point is 00:18:31 amends, making amends in this case? We talk a lot, you know, and we hear a lot about how we are moving forward as a country toward better data privacy or better data regulations. You know, in December, there were, what, 15 senators who introduced the U.S. data privacy law that they want to try and push through here. But what does that look like in practice? What do we want that to be? How do you measure damage to begin with? How do you measure damage? How do you, you know, when something like this happens, if you have something like an Equifax where the issue is broad and far reaching and not just because the number of people, because it's a it's a credit reporting agency. It's a it's a required service.
Starting point is 00:19:11 Effectively, is it enough to chastise? Is it enough to fine? Is it something where you want to put individuals in jail for this? Are we talking about prevention? Are we talking about making payments to people who have been harmed by this as some sort of payback for their damage? Or is it, you know, I saw a piece this morning actually from the Tech Target blog and the title stuck with me. Are U.S. hacker indictments more than justice theater? Is this theater? Is this performative? And not because people don't intend for it to be impactful. I think people intend for this to actually make a
Starting point is 00:19:53 difference, but are we going to get there? What does that look like? Well, and I mean, over on the Grumpy Old Geeks podcast, we joke, you know, sadly about how no one ever goes to jail. No, of course not. Because we wave our hands and we find some way to decide that it's not an individual's responsibility, that there needs to be better oversight. There needs to be more consistent practices. There needs to be more education and more support. And I'm not saying that to be dismissive of those things. Those things are important, but we have to at some point do better. We have to at some point make an example of someone. And again, when it comes to something like Equifax, it's not like you can just opt out of the credit reporting agencies.
Starting point is 00:20:41 Right, right. Which is an interesting thing in an era where we are focusing on privacy, to have this system that we depend upon that you cannot opt out of. great, okay, that means that no one can open a new line of credit, but your information is still valuable. The information they have on you, that category of lifetime data, there's very useful information here. There's information that identifies you. There's information that you need to transact with the world. And we're talking about these big behemoth organizations that,
Starting point is 00:21:23 you know, I'm sure have phone trees 20 minutes long and don't seem to be doing too poorly as a result of this. Because again, it's the next level of too big to fail. Yeah. Well, it's interesting to see that some legislators still have their eyes on this. And perhaps long term, something good will come of it. Thanks for bringing it to our attention. Emily Wilson.
Starting point is 00:22:40 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building
Starting point is 00:23:00 the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Starting point is 00:23:20 Thanks for listening. We'll see you back here tomorrow.