CyberWire Daily - Facebook in Myanmar. Supply chain seeding attack update. Election hacking. NCSC reports. EU prepares sanctions (Russia feels ill-used).
Episode Date: October 16, 2018

In today's podcast we hear about social networking for genocide in Myanmar: Facebook takes down the Army's inauthentic and inflammatory pages. The supply chain seeding attack from China remains dubious. Probes of US election infrastructure, and black market offers of voter databases, are reported. GCHQ sees cybercrime as a chronic threat, but state-sponsored cyber operations as an acute problem. EU prepares sanctions against a big country to the east. And farewell to Paul Allen, departed this life yesterday at the age of 65. Mike Benjamin from CenturyLink with an update on the Satori botnet. Guest is Larry Sjelin, Director of Game Development at the Center for Infrastructure Assurance and Security, discussing the Cyber Threat Defender card game. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_16.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Social networking for genocide in Myanmar.
Facebook takes down the army's inauthentic and inflammatory pages.
The supply chain seeding attack from China remains dubious.
Probes of U.S. election infrastructure and black market offers of voter databases have been reported.
GCHQ sees cybercrime as a chronic threat, but state-sponsored cyber operations as an acute problem.
The EU prepares sanctions against a big country to the east.
And farewell to Paul Allen, departed this life yesterday at the age of 65.
From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary for Tuesday, October 16, 2018.
The New York Times is reporting in horrific detail on how Myanmar's military used social media, mostly Facebook,
to incite genocidal violence against minority Rohingya Muslims.
The operators, believed to number around 700,
resorted to the usual tools of information warfare in social networks,
inauthentic identities and inflammatory posts of bogus news stories.
The goal has been to inflame the Buddhist majority against the Rohingya Muslim minority
and to excite mutual suspicion between the groups,
all designed to lead toward the destruction of the Rohingya.
Yesterday, Facebook took down 13 pages and 10 accounts
for engaging in coordinated inauthentic behavior on Facebook in Myanmar.
The pages and accounts seemed, the social network said, to be independent voices interested in entertainment, beauty, and general information,
but they were in fact run by Myanmar's military.
According to Facebook, about 1.35 million unique people followed at least one of these
13 pages.
Facebook came under criticism early this year for the use Myanmar's army made of its platform.
It banned senior army officers back in August, but it didn't match the inauthentic accounts
until this month.
Part of the problem is Facebook's pervasive presence in Myanmar,
where the New York Times says its dominance is such that it's commonly confused with and
identified with the internet as a whole. This has lent tragic credibility to the bogus stories
of massacre and outrage the army has concocted to foment Buddhist outrage against their Muslim
countrymen. The misuse of Facebook is raising more calls for content moderation.
It may also lead to more complex considerations
of what any platform's near-total hold on a significant section of the Internet
means for information control and manipulation.
You may be familiar with the Center for Infrastructure Assurance and Security,
that's CIAS, for their leadership in cybersecurity competitions.
Since 2005, the CIAS has been developing and conducting competition programs to help educate, train, and prepare individuals for the information assurance workforce.
They've also developed the Cyber Threat Defender card game, which teaches middle and high school children the fundamentals on how
to secure a network. They've distributed over 12,000 decks across the world in four countries,
and they're currently operating in over 300 U.S. classrooms.
Larry Sjelin is director of game development at CIAS.
We needed a way to engage students at the youngest levels possible to help try to build this national culture of cybersecurity.
Everybody has a laptop.
Everybody's got a phone.
So everybody needs to start understanding their role in security when dealing with these types of tools.
And so our director here, Dr. Greg White, who is a big fan of the card, collectible card game, Magic the Gathering,
thought that we could somehow teach cybersecurity through a card game.
And so that's how we embarked on this program.
I am curious, you know, I think when we think about cybersecurity, certainly we think about electronic connected devices.
So it's an interesting choice
to make this a completely analog pursuit. Yeah, it's really a low-tech way to teach a high-tech
subject. And one of the things that we are learning through the feedback that we're getting
from the teachers that are using it, plus the students, is that they're able to really kind of
see a network now in front of them as they lay their cards out, their assets and their defenses and the attacks that can threaten them.
They see this now where a lot of students have said, you know, I can hear the teacher lecture all day long, but it didn't really make any sense until I could see the cards laid out in front of me.
So if I'm a school who wants to take part in this,
how can I reach out to get on board? Sure. They can contact us through our website,
which is cyberthreatdefender.com. Schools and teachers can contact us and we'll put them on
our mailing list and we will send them a class set, which is 25 starter decks and 25 booster packs, fully free.
And the way we are able to do this is through sponsorships from individuals and organizations.
There's also a digital version of the game that can be downloaded for free.
It's a nice way to complement the card game in the classroom.
Plus, also students can download this at home and continue to play the game,
continue to learn from it.
We have some new boosters that are coming out.
Really, one of them is focused on personnel,
which is going to teach the students various types of job positions out there,
career field, which will really help get kids interested at an earlier age
in helping to build up the workforce.
That's Larry Sjelin.
He's director of game development
at the Center for Infrastructure Assurance and Security
at the University of Texas at San Antonio.
There's no further evidence for or against the Bloomberg report on Chinese supply chain seeding attacks.
Absence of evidence is of course not evidence of absence, but the story still seems thin.
The lack of corroboration has begun to prompt theories that the whole account was a plant by elements within the U.S. intelligence community,
hoping to make Sino-American relations even worse than they otherwise would be.
But as China-watching media outlet SupChina points out, whether Bloomberg has found a
smoking gun or is just chasing ghosts, the damage to already frayed relations has been done.
In the U.S., the Department of Homeland Security notices an increase in election-related incidents.
Quote, numerous actors are regularly targeting election infrastructure, likely for different
purposes, including to cause disruptive effects, steal sensitive data, and undermine confidence
in the election.
End quote.
That's from a department document obtained by NBC News.
Nonetheless, DHS thinks midterm voting will go off relatively unproblematically.
They're working to identify the threat actors and say that the behavior they're seeing,
malicious emails and denial of service attacks mostly, are equally available to state and
non-state actors. Here's some of the activity the security industry is saying it sees.
Security firm Anomali reports a surge in black market
trafficking of voter records. Working with cybercrime intelligence shop Intel 471,
their researchers found offers on the dark web of some 35 million voter records for sale.
They're being priced by state at costs ranging from $150 to $12,000. The data is said to include
some personally identifiable information
of the sort collected in voter databases: name, address, party affiliation, and registration
history. The states believed to be affected with a high degree of confidence are Georgia, Idaho,
Iowa, Kansas, Kentucky, Louisiana, Minnesota, Mississippi, Montana, New Mexico, Oregon,
South Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia, Wisconsin, and Wyoming. Other states may be affected as
well. A few things are worth noting. First, this is a report of a hacking forum offering,
not a report of a set of exposed databases, although Anomali does say that some researchers
have sampled the offerings
and that they look genuine. Second, while the data may well be illegally offered for sale,
it may not have been illegally obtained. Most states' voter records of this kind are matters
of public record, sometimes with the voters being able to opt out of the records being made public
and with sales by the states restricted to certain categories of buyers.
And third, interestingly, a buyer vaguely described only as high-profile
has been running crowdfunding campaigns to purchase the data on a state-by-state basis.
Anomali doesn't attribute the buying or selling to any particular actor,
but they do present it as an example of criminal activity,
and the characteristics
of the data are more suggestive of gangland than of state espionage services. But the case is
ambiguous, and the story is still developing. In the UK, GCHQ's National Cyber Security Center
has warned, as it releases its annual report, that state-sponsored hacking is a bigger problem than
ordinary cybercrime
and that life-threatening cyberattacks can be expected at some point in the future.
The acute threat, as the report issued earlier today puts it, comes from state actors.
The chronic threat comes from criminals.
NCSC Director Martin said, quote,
I remain in little doubt we will be tested to the full as a center and as a
nation by a major incident at some point in the years ahead, end quote. Since the NCSC achieved
full operational capability two years ago, it's defended the realm against, on the average,
somewhat more than 10 attacks a week. The report also includes a shout out to the Five Eyes,
quote, the alliance, now nearly eight decades
A Dutch push to the EU to adopt clear cyber sanctions
reassures Italy that this isn't necessarily an anti-Russian gesture.
Sputnik is under no such illusions.
The West is after Russia,
and that's where the EU will deploy any sanctions. It does indeed seem likely that the EU will sanction Russia for the GRU's Novichok nerve agent attack in Salisbury, England, and for the
attempted hack of the Netherlands-based International Organization for the Prevention of Chemical
Warfare. Russian officials, of course, deny that anything of this kind took place.
Furthermore, TASS is authorized to disclose that anti-Russian slander is a Western plot
to undermine Russia's good-faith efforts toward international norms of conduct in cyberspace.
It's unlikely that this story will find many takers.
And finally, the tech world, indeed the world as a whole,
bids farewell to Paul Allen, the co-founder of Microsoft.
He succumbed yesterday at the age of 65
to the cancer he'd battled for some time.
Our condolences to his family, friends, and colleagues.
May he rest in peace.
And I'm pleased to be joined once again by Mike Benjamin.
He's the Senior Director of Threat Research at CenturyLink.
Mike, welcome back.
You wanted to touch today with some updates on Satori.
Bring us up to date.
What's the latest?
Well, as many people have read, the Satori malware is a Mirai-based malware family that targets largely IoT devices,
although one of the updates that we should talk about today is that it's moving a bit beyond IoT devices.
And so the history of Satori is that the actor behind it took the Mirai malware,
which was, we can call it open-sourced, unfortunately, by the individual who authored it.
And this actor made quite a few modifications to it to attempt to obfuscate it, to attempt to make it spread more quickly. And the note that the author should, I hate to say receive credit,
but be known for in terms of this variant, is that he's been very quick to add exploits to
the malware and then make use of them in a rather quick manner.
And so what are you seeing in terms of updates and current exploits?
So the one that we've been watching most recently is attacking the Android debug bridge,
a service that's enabled in certain Android devices that can allow access to the device remotely.
Unfortunately, the actor has found that a number of devices are on the open internet running the service and has been using it to spread the malware.
And so the actor deploys typically two different variants of the malware,
one focused on DDoS attack and one focused on crypto mining.
And so we've seen both variants attacking the
Android devices in addition to the more traditional appliances like DVRs, webcams,
and other items that Mirai more traditionally targeted. And so what's the best way to protect
yourself against this? Well, it's patch realistically, right? Have an understanding
of what technology is out there, patch it, and set it up by best common practices.
With one exception, the Satori malware has always used well-known exploits.
And while the actor has gotten faster at being able to utilize the exploits to spread their botnet, as an example, we actually saw one of the instantiations of this late last year grow to as large as 500,000 devices.
So the actor has been successful with adding new exploits,
but those were not new items.
The one exception is he did manage to get his hands on
an unknown exploit, a zero-day,
within some customer-premises gear produced by Huawei.
And he used that to build one of his botnets late last year.
All right.
Mike Benjamin, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. Thank you. next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki,
Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.