CyberWire Daily - GandCrab notes. Make tests, not bans, says GSMA. Content moderation. Takedown of inauthentic accounts. Influence operations. Happy birthday, GCHQ.

Episode Date: February 15, 2019

In today’s podcast, we hear that GandCrab has been scuttling through unpatched holes. Independent testing as an alternative to banning specific vendors as security risks. Big Tech gets some Congressional scrutiny over content moderation. Facebook takes down inauthentic accounts working to influence the Moldovan elections. The Federal Trade Commission is rumored to be queuing up a record privacy fine. Defending forward from disillusioned Bears. And happy birthday, GCHQ. Craig Williams from Cisco Talos on router vulnerabilities. Guest is Amanda Berlin, founder of Mental Health Hackers, on her efforts to address mental health issues in infosec. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_15.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. GandCrab scuttles through unpatched holes. Independent testing as an alternative to banning specific vendors as security risks. Big tech gets some congressional scrutiny over content moderation. Facebook takes down inauthentic accounts working to influence the Moldovan elections. The Federal Trade Commission is rumored to be queuing up a record privacy fine.
Starting point is 00:02:17 Amanda Berlin joins us with her story of helping folks with mental health issues in InfoSec Defending forward from disillusioned bears, and happy birthday, GCHQ. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 15th, 2019. GandCrab ransomware is being pushed through a two-year-old hole in the ConnectWise Manage plugin for the Kaseya VSA remote management tool. A patch has long been available, but far from universally applied, and Kaseya is reminding people to update their software and patch.
Starting point is 00:03:00 MSPs are particularly affected, and through them, their customers. The campaign by unknown hackers came to light this week in a Reddit post whose author, again unidentified, claimed to have infected a small managed service provider. The vulnerability is potentially dangerous because of the administrator access exploitation gives the attacker. Updates are available. Rather than a ban on Huawei or other manufacturers, Reuters reports, European telecommunications providers say they'd prefer an EU-wide security testing system that would address threats as they were found and before they were introduced into 5G networks.
Starting point is 00:03:38 The proposal came from the 800-member trade group GSMA and was made at the Barcelona Mobile World Conference. The argument for testing vendors, as opposed to simply banning certain manufacturers, rests largely on fears that bans would so disrupt the telecommunications supply chain as to not only delay the rollout of 5G by years, but also significantly degrade the performance of existing networks. GSMA is working, it says, on coming up with ways of enhancing existing testing regimes. Those include testing by independent operators, third-party laboratories, or 3GPP itself, the 5G standards body.
Starting point is 00:04:18 Huawei thinks this is a pretty swell idea and would be happy to participate. It remains to be seen whether an enhanced testing system would prove sufficiently reliable, thorough, and convincing to allay concerns about Chinese espionage that run strongest in the Five Eyes, but that are spreading in EU governments as well. Big tech continues to receive pressure over content moderation. U.S. Representative Adam Schiff, a Democrat of California, sent Facebook CEO Mark Zuckerberg a letter requesting that the social network remove anti-vaccination content from its platform.
Starting point is 00:04:54 Representative Schiff cast the matter as a public health issue. He's concerned about the implications of falling vaccination rates. Representative Schiff thinks that false ideas about vaccination risks gain an aura of authority through repetition online, and he wants to know what Facebook is doing about it. He applauds the way Instagram has excluded some conspiracies from its platform and would like Mr. Zuckerberg to get back to him on whether medically inaccurate content violates Facebook's terms of service, what Facebook is doing to address such information, whether Facebook accepts paid advertising from anti-vaccine activists,
Starting point is 00:05:31 and if so, how much it takes, and finally, whether it's preventing searches from returning anti-vaccine results. Bloomberg says Google received a similar letter. Facebook responded in a tentatively favorable way, saying it's looking into the ways it might best combat this problem, including, for example, reducing or removing this type of content from recommendations, including groups you should join, and demoting it in search results,
Starting point is 00:05:57 while also ensuring that higher quality and more authoritative information is available. Nothing yet from Google, but that company has already said it's looking for ways to exclude borderline content from its YouTube recommendation system. The vaccine issue will be an interesting one to watch, especially as congressional forays into content moderation approach their inevitable First Amendment challenges.
Starting point is 00:06:22 Unlike other borderline content, anti-vaccine sentiment, while distributed across a broad demographic, tends to be most deeply distributed as an elite as opposed to a down-market opinion. Facebook's efforts against inauthenticity seem, as they so often do, to be less problematic than its attempts at content moderation. Most recently, the social network has blocked a number of such accounts engaged in influence operations directed toward Moldova's elections. The inauthentic accounts were said to be spreading fake news, but the grounds for the purge were found in the fact that the identities behind the pages
Starting point is 00:06:58 weren't what they purported to be. 168 Facebook accounts, 28 pages, and 8 Instagram accounts were taken down. Facebook said its review, and they specified it was a manual review, not an algorithmic one, determined that many of these accounts were traceable to Moldovan government personnel, even as they represented themselves as neutral fact-checkers. The hot-button issues in the election include mandatory instruction in the Russian language and possible unification with Romania. In general, at issue is the direction of the country's future, whether it will lean west or east.
Starting point is 00:07:34 Privacy concerns are coming to a head for Facebook. The Washington Post says the U.S. Federal Trade Commission is negotiating a multi-billion dollar settlement with Facebook over privacy lapses. Facebook says it's talking to the agency, but not much else, and the FTC isn't saying anything at all for public consumption. The Federal Trade Commission opened its investigation of Facebook's data handling record after the Cambridge Analytica affair came to light last year. The fine, if it's as large as the anonymous sources close to the negotiations think it will be,
Starting point is 00:08:06 would set a new record. The biggest fine Silicon Valley has paid to settle a federal privacy beef was the $22.5 million tab Google ran up back in 2012. Both U.S. Cyber Command and the Department of Homeland Security say that election influence and interference remain matters of concern. Cyber Command took a very restrained victory lap before the Senate yesterday, as its head, General Paul Nakasone, explained to questioners that defending forward, as the new U.S. strategy is called, involves taking active measures in cyberspace against those who would muck around in elections.
Starting point is 00:08:43 Homeland Security's Christopher Krebs, who leads the department's Cybersecurity and Infrastructure Security Agency, took strong exception to reports in the Daily Beast that CISA was giving up on election security. Not at all, Krebs said. In fact, they're doubling down against what they regard as a real threat. According to CNN, the U.S. Democratic National Committee's security chief has told potential presidential candidates that you don't have to actually declare your candidacy to become a hacker's target. While this sounds like something from Captain Obvious,
Starting point is 00:09:16 the point probably is worth making. Hey, politician, you don't have to ride a bus on a listening tour of Iowa or New Hampshire to attract the attention of the Bear Sisters. There's some insight into how the Bears see the world of information operations in an essay published earlier this month by Vladislav Surkov, an aide to President Putin and big numero in Russian policy circles. He decries what he calls the illusion of choice as a kind of con game played by Americans and similar riffraff. It's more P.T. Barnum than the Cleisthenes of classic Athenian democracy.
Starting point is 00:09:52 And if you're one of those suckers born every minute, of course you're going to learn to mistrust your leaders and your institutions. Russia, by way of contrast, is not in the grip of such an illusion. Instead, Mr. Surkov says, it's a nation founded on authentic, sound understanding of historical processes. Bogus choice is dashed to pieces when it encounters a deep and enduring nation. That's one way of looking at it. And finally, we were so distracted by Cupid's arrows and Aphrodite's pajamagrams yesterday that we almost forgot many happy returns to GCHQ. The oldest of the Five Eyes celebrated her 100th birthday yesterday
Starting point is 00:10:31 and Her Majesty herself laid a tastefully encrypted plaque at the organization's original home, Watergate House, near Charing Cross in London, to mark the occasion. So happy birthday to Auntie I from all of us stateside. A quick reminder, this Monday, February 18th, is President's Day, and as is our custom on U.S. federal holidays, we won't publish either the Daily News Briefing or our daily podcast. Both will be back as usual on Tuesday.
Starting point is 00:10:59 Enjoy the holiday if you're here in the U.S. Unless we're all dashed upon the rock of historical inevitability, we'll see you again Tuesday. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:11:23 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:11:58 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
Starting point is 00:12:17 like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:13:01 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco.
Starting point is 00:13:39 Craig, it's great to have you back. Your team has been tracking some vulnerabilities in a particular brand of router. Bring us up to date here. What do we need to know? Well, what I'd like to talk about today is a little bit of research that Jared Rittle and Carl Hurd found. Basically, we were looking at a TP-Link TL-R600VPN broadband router, and we did find some issues that were concerning. When it comes to devices in this space, often while they may be written really well from a performance perspective, some of the things that can be overlooked just from a time to market perspective can be things
Starting point is 00:14:15 like protocols. Have they been secured? Have people fuzzed all the interfaces? Have they found all the bugs, in other words? And so we try to help vendors, we try to help software that we rely on find these issues, and then we work with them to get the issues fixed. And then we talk to the public about the issues so that people know to apply the patch. And in this particular one, we were able to find some reasonably severe issues. We were able to find several remote code execution issues and some information disclosure issues. Now, the good news here is that we were able to work successfully with TP-Link and get these issues addressed relatively quickly. And so what this means is if you, you know, you might be hearing us on the podcast
Starting point is 00:14:55 and you might think, oh man, I think my little gray box is TP-Link on the side. Well, not a big deal, right? If it does, go look at your box. If it says R600 VPN, then you need to figure out a way to update the firmware on it. Now, I know this can sound challenging, right? When people say update the firmware, a lot of people might think, oh my gosh, how do I do that? Right. It's dark magic. Right. Exactly. So the first thing you do is you get the box and you stab it six times. No, I'm just kidding. You usually just need to go to your router's login page. So typically it'll be something like, you know, 192.168.0.1
Starting point is 00:15:27 and it'll have a login portal. Well, with any luck, you can log into that and look for something that says updates and click it over to automatic mode. Use the hard-coded credentials that they've conveniently provided for you. You know, if not, I'm sure there's a sticker on the box and you can just go get it off of there.
Starting point is 00:15:44 Sure, sure. You know, speaking of, I did want to talk about another thing too. You know, I think when it comes down to IoT, a lot of people don't realize that things like password reuse are so common. Multiple vendors tend to reuse the same passwords. If you think about the number of routers that use admin, admin, it's a catastrophically alarming amount. So please, users, never set that as your password. Yeah, I mean, is it fair to say step number one with any of these devices is go in there
Starting point is 00:16:16 and change the password? Absolutely. You know, I would even say, first thing, change the password. Second thing, go over to updates, see if there's an automatic setting. The reality is most of these home devices, well, they have QA teams, right? And the QA team may not be finding every single zero day in the device, but I bet they're pretty good at testing the actual quality of the product and the overall functionality. And so for me, you know what, I would prefer to have my device secure itself so that an attacker can't take control of it
Starting point is 00:16:42 and install something like Mirai, then, you know, gamble with, well, do I want to test it first? Do I want to give them a week or two to patch it? I would prefer that my device be secure. Right. So the risk of having some sort of, I don't know, substandard update come through that could affect the device, brick it, or affect performance, that's probably lower than the risk that you assume when you don't do the updates. Absolutely.
Starting point is 00:17:07 And especially if you're buying name brand devices. I think that's really what you pay for when you pay for a brand that you recognize, when you pay for a brand that's from a large, stable company. Chances are they don't want a bad product representing their brand, and they're going to try and find these issues. Now, does that mean if you pay more, you can get a bulletproof router? Obviously not, right? There's no such thing as 100% hack-proof software. Anybody who says that is misleading you. But what it does mean is that there's going to be a team of developers that work on the product. They're going to be there after you buy the product, and they're going to maintain the product and help ensure that it's a quality product for the lifetime of the product.
Starting point is 00:17:46 Now, the lifetime will end. You can't have a 20-year-old router or a 10-year-old router and think it's fine. That's the world we live in. I could see somebody with a good old dial-up modem think, why do I need one? There's probably vulnerabilities in that chip architecture that are going to be hard to exploit because we don't even remember what
Starting point is 00:18:09 they were. Right. Yeah. A lot of our parents, I suppose, are probably in that if it ain't broke, don't fix it category. But you just can't think that way these days. Right. And this is especially true for things that are from niche vendors. Right. Which may be something that, you know, if you're at a very small ISP, that may be something that's appealing to them. And then if those issues aren't patched quickly, it could put you at risk. Yeah. All right. Well, good advice as always. Craig Williams, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:18:49 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. My guest today is Amanda Berlin. She's Senior Security Architect at Blumira, but today she joins us to share the story of the nonprofit she started, Mental Health Hackers.
Starting point is 00:19:39 It's a group of InfoSec professionals dedicated to helping others in the industry deal with mental health issues, either their own or those of loved ones. I was asked to do my first keynote at B-Sides Nashville, and I kind of wanted, like all my talks prior were technical topics, right? And I had never done a keynote before, and I thought I kind of want like a TED Talk-ish topic, right? More high level. And then at the time, there were some suicides that had just happened like in InfoSec. Come to find out, it is way more of an issue than I thought it was. I just gave that talk, gosh, probably 14, 15 times last year because people just kept on asking me to come talk about it.
Starting point is 00:20:28 So it went from that to I felt like I could be doing more, rather than just the 20 to 100 people that come and watch the talk. Maybe I could create a space for people to go and talk about. So you mentioned earlier the mental health and wellness village that you ran. Take us through what was going on there. What did folks get out of it? The idea was, you know, for that quiet space at the conference. So a lot of times I'll have panic attacks like two or three days into a conference because, like I said, I'm sitting at home alone all the time.
Starting point is 00:21:01 And then I'm just surrounded by people 24 seven for a couple days. And it's, you know, it overwhelms my system. And I just go back to my room and I chill out and I calm down or whatever. And I just realized, you know, in most of these conferences, you know, there's villages for everything. And everything's always so busy and so loud that I thought it would be cool to have just like chill, like quiet music place you can go and kind of hang out. And it kind of grew from there. So we did this fidget table where there was like all of the different things you see online and some new ones that I had found of just stuff to play with. We had people come in and do like paracord crafts and essential oils and all that kind of other things that people can do sometimes
Starting point is 00:21:47 for mental health. And then we had therapy dog. I also had a lot of volunteers want to speak about things. So we split it up in between actual like real conference presentations, you know, where you sit and you watch people do slides and talk and then discussion groups. So all of those went super well. And then the majority of the money actually went towards massage therapists. We had four massage therapists come in all day Saturday and just do chair massages for anybody that wanted to come in and get them. All of it was really, really well received. And we just want to like grow that more and provide that kind of stuff to more conferences. Are there particular aspects of InfoSec and the people that it attracts and the conditions under which folks are working that make this a particular issue? Oh, definitely.
Starting point is 00:22:41 When I was doing a bunch of research that I was doing, and I never thought I'd ever read this many medical journals, I found it's called the Savannah IQ Interaction Hypothesis. It basically talks about how people with higher intellect and IQ tend to have more mental health issues. And then with that mental health issues, they also tend to self-medicate more. Pills, alcohol, prescription, non-prescription drugs, whatever. It amazed me. A lot of the work that we do, we're kind of, I mean, a lot of us are isolated, right? Like I work from home. I don't really have a whole lot of interaction with people. So you kind of lose, you know, you feel isolated. You feel like there's nobody else that are going through the same thing that you are. And then you're just like stuck behind your keyboard forever without of things, that they can come to their employers and say, you know, I need some assistance here or, you know, we need health care that provides for these sorts of things? I've heard some awesome stories from people that are actually have full blown mental health wellness programs going on in their company. I think there's a lot more openness with at least it seems like a lot of the startups. Because I mean, if you've ever worked for a startup, they're freaking crazy, right? You're working nonstop, and you're super passionate about whatever you're doing. Otherwise, you wouldn't be working for a startup. It seems like a lot more of them care, whereas the institutions that have been around for a while might not necessarily.
Starting point is 00:24:36 What are your recommendations for folks who may be sitting back and thinking that maybe they're dealing with something? They have some anxiety, some depression, some of the other things we've described here, but they're hesitant to come out and talk to anybody about it. Where do they begin? What sort of resources are available that they can start down a path of healing? There's so much. There is so much out there that I didn't even realize, you know, until I started looking at this kind of stuff. You know, the National Suicide Prevention Line has, you know, if you need someone right now, you can call them. You can chat with them online. Like, I hate calling people on the phone. So I don't find people if they want to just chat with them in a DM or whatever.
Starting point is 00:25:18 But there's places like NAMI, which is the National Alliance on Mental Illness, that has a whole bunch of information as well. And you can kind of learn more and, you know, they'll provide like coping techniques. Right. So there's there's different stuff that works for every person with every level of any mental health, whatever they have, right? Because just because you have panic attacks or depression or bipolar, schizophrenia, whatever, doesn't mean, you know, you're completely broken. You know, all of our mental health is important, whether you have something or not. But there's way more than that. You know, there's a whole lot more coping mechanisms that you can use. And then there's definitely like professional help. One of the things that we talked about in the village that we ran, we had somebody come and talk about all the stigmas of going to a therapist and kind of what it's actually like to go to a
Starting point is 00:26:15 therapist and the difference between psychiatry and psychology and therapy. So it's just, you know, learning about it. I think that even if you don't have something, I guarantee you someone you know does. And that's when communication, you know, also comes into play. That's Amanda Berlin. You can find out more about mental health hackers by visiting their website. It's mentalhealthhackers.org. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
Starting point is 00:27:05 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
