CyberWire Daily - GandCrab notes. Make tests, not bans, says GSMA. Content moderation. Takedown of inauthentic accounts. Influence operations. Happy birthday, GCHQ.
Episode Date: February 15, 2019
In today's podcast, we hear that GandCrab has been scuttling through unpatched holes. Independent testing as an alternative to banning specific vendors as security risks. Big Tech gets some Congressional scrutiny over content moderation. Facebook takes down inauthentic accounts working to influence the Moldovan elections. The Federal Trade Commission is rumored to be queuing up a record privacy fine. Defending forward from disillusioned Bears. And happy birthday, GCHQ. Craig Williams from Cisco Talos on router vulnerabilities. Guest is Amanda Berlin, founder of Mental Health Hackers, on her efforts to address mental health issues in infosec. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_15.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
GandCrab scuttles through unpatched holes.
Independent testing as an alternative to banning specific vendors as security risks.
Big tech gets some congressional scrutiny over content moderation.
Facebook takes down inauthentic accounts working to influence the Moldovan elections.
The Federal Trade Commission is rumored to be queuing up a record privacy fine.
Amanda Berlin joins us with her story of helping folks with mental health issues in InfoSec.
Defending forward from disillusioned bears,
and happy birthday, GCHQ.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Friday, February 15th, 2019.
GandCrab ransomware is being pushed through a two-year-old hole in the ConnectWise Manage plugin for the Kaseya VSA remote management tool.
A patch has long been available, but far from universally applied, and Kaseya is reminding people to update their software and patch.
MSPs are particularly affected, and through them, their customers.
The campaign by unknown hackers came to light this week in a Reddit post whose author, again unidentified,
claimed to have infected a small managed service provider.
The vulnerability is potentially dangerous because of the administrator access exploitation gives the attacker.
Updates are available.
Rather than a ban on Huawei or other manufacturers, Reuters reports,
European telecommunications providers say they'd prefer an EU-wide security testing system that would address threats as they were found and before they were introduced into 5G networks.
The proposal came from the 800-member trade group GSMA
and was made at the Barcelona Mobile World Conference.
The argument for testing vendors, as opposed to simply banning certain manufacturers,
rests largely on fears that bans would so disrupt the telecommunications supply chain
as to not only delay the rollout of 5G by years, but also significantly degrade the
performance of existing networks. GSMA is working, it says, on coming up with ways of enhancing existing testing regimes.
Those include testing by independent operators, third-party laboratories,
or 3GPP itself, the 5G standards body.
Huawei thinks this is a pretty swell idea and would be happy to participate.
It remains to be seen whether an enhanced testing
system would prove sufficiently reliable, thorough, and convincing to allay concerns
about Chinese espionage that run strongest in the Five Eyes, but that are spreading in
EU governments as well. Big tech continues to receive pressure over content moderation.
U.S. Representative Adam Schiff, a Democrat of California,
sent Facebook CEO Mark Zuckerberg a letter requesting that the social network
remove anti-vaccination content from its platform.
Representative Schiff cast the matter as a public health issue.
He's concerned about the implications of falling vaccination rates.
Representative Schiff thinks that false ideas about vaccination risks
gain an aura of authority through repetition online, and he wants to know what Facebook is
doing about it. He applauds the way Instagram has excluded some conspiracies from its platform
and would like Mr. Zuckerberg to get back to him on whether medically inaccurate content
violates Facebook's terms of service, what Facebook is doing to address such information,
whether Facebook accepts paid advertising from anti-vaccine activists,
and if so, how much it takes,
and finally, whether it's preventing searches from returning anti-vaccine results.
Bloomberg says Google received a similar letter.
Facebook responded in a tentatively favorable way,
saying it's looking into the ways it might best combat this problem,
including, for example, reducing or removing this type of content from recommendations,
including groups you should join,
and demoting it in search results,
while also ensuring that higher quality and more authoritative information is available.
Nothing yet from Google,
but that company has already said
it's looking for ways to exclude borderline content
from its YouTube recommendation system.
The vaccine issue will be an interesting one to watch,
especially as congressional forays into content moderation
approach their inevitable First Amendment challenges.
Unlike other borderline content, anti-vaccine sentiment,
while distributed across a broad demographic, tends to be most deeply distributed as an elite
as opposed to a down-market opinion. Facebook's efforts against inauthenticity seem, as they so
often do, to be less problematic than its attempts at content moderation. Most recently, the social
network has blocked a number of such accounts
engaged in influence operations directed toward Moldova's elections.
The inauthentic accounts were said to be spreading fake news,
but the grounds for the purge were found in the fact that the identities behind the pages
weren't what they purported to be.
168 Facebook accounts, 28 pages, and 8 Instagram accounts were taken down.
Facebook said its review, and they specified it was a manual review, not an algorithmic one,
determined that many of these accounts were traceable to Moldovan government personnel,
even as they represented themselves as neutral fact-checkers.
The hot-button issues in the election include mandatory instruction in the Russian language
and possible unification with Romania.
In general, at issue is the direction of the country's future, whether it will lean west or east.
Privacy concerns are coming to a head for Facebook.
The Washington Post says the U.S. Federal Trade Commission
is negotiating a multi-billion dollar settlement with Facebook over privacy lapses.
Facebook says it's talking to the agency, but not much else,
and the FTC isn't saying anything at all for public consumption.
The Federal Trade Commission opened its investigation of Facebook's data handling record
after the Cambridge Analytica affair came to light last year.
The fine, if it's as large as the anonymous sources close to the negotiations think it will be,
would set a new record. The biggest fine Silicon Valley has paid to settle a federal privacy beef
was the $22.5 million tab Google ran up back in 2012.
Both U.S. Cyber Command and the Department of Homeland Security say that election influence
and interference remain matters of concern.
Cyber Command took a very restrained victory lap before the Senate yesterday,
as its head, General Paul Nakasone, explained to questioners that defending forward,
as the new U.S. strategy is called, involves taking active measures in cyberspace
against those who would muck around in elections.
Homeland Security's Christopher Krebs,
who leads the department's Cybersecurity and Infrastructure Security Agency,
took strong exception to reports in the Daily Beast that CISA was giving up on election security.
Not at all, Krebs said. In fact, they're doubling down against what they regard as a real threat.
According to CNN, the U.S. Democratic National Committee's security chief
has told potential presidential candidates
that you don't have to actually declare your candidacy to become a hacker's target.
While this sounds like something from Captain Obvious,
the point probably is worth making.
Hey, politician, you don't have to ride a bus on a listening tour of Iowa or New Hampshire
to attract the attention of the Bear Sisters.
There's some insight into how the Bears see the world of information operations
in an essay published earlier this month by Vladislav Surkov,
an aide to President Putin and big numero in Russian policy circles.
He decries what he calls the illusion of choice as a kind of con game played on Americans and similar riffraff.
It's more P.T. Barnum than the Cleisthenes of classic Athenian democracy.
And if you're one of those suckers born every minute, of course you're going to learn to mistrust your leaders and your institutions.
Russia, by way of contrast, is not in the grip of such an illusion.
Instead, Mr. Surkov says, it's a nation founded on authentic, sound understanding of historical processes.
Bogus choice is dashed to pieces when it encounters a deep and enduring nation.
That's one way of looking at it.
And finally, we were so distracted by Cupid's arrows and Aphrodite's pajamagrams yesterday
that we almost forgot many happy returns to GCHQ.
The oldest of the Five Eyes celebrated her 100th birthday yesterday
and Her Majesty herself laid a tastefully encrypted plaque
at the organization's original home, Watergate House,
near Charing Cross in London, to mark the occasion.
So happy birthday to Auntie I from all of us stateside.
A quick reminder, this Monday, February 18th, is President's Day,
and as is our custom on U.S. federal holidays,
we won't publish either the Daily News Briefing or our daily podcast.
Both will be back as usual on Tuesday.
Enjoy the holiday if you're here in the U.S.
Unless we're all dashed upon the rock of historical inevitability,
we'll see you again Tuesday.
And joining me once again is Craig Williams.
He's the director of Talos Outreach at Cisco.
Craig, it's great to have you back.
Your team has been tracking some vulnerabilities in a particular brand of router.
Bring us up to date here.
What do we need to know?
Well, what I'd like to talk about today is a little bit of research that Jared Rittle and Carl Hurd found.
Basically, we were looking at a TP-Link TL-R600VPN broadband router, and we did find some issues that were concerning.
When it comes to devices in this space, often while they may be written really well from a performance perspective,
some of the things that can be overlooked just from a time to market perspective can be things
like protocols. Have they been secured? Have people fuzzed all the interfaces? Have they found
all the bugs, in other words? And so we try to help vendors, we try to
help software that we rely on find these issues, and then we work with them to get the issues fixed.
And then we talk to the public about the issues so that people know to apply the patch.
And in this particular one, we were able to find some reasonably severe issues. We were able to
find several remote code execution issues and some information disclosure issues. Now, the good news here is that we were able to work successfully with TP-Link
and get these issues addressed relatively quickly.
And so what this means is if you, you know, you might be hearing us on the podcast
and you might think, oh man, I think my little gray box says TP-Link on the side.
Well, not a big deal, right?
If it does, go look at your box.
If it says R600 VPN, then you need to figure out a
way to update the firmware on it. Now, I know this can sound challenging, right? When people say
update the firmware, a lot of people might think, oh my gosh, how do I do that? Right. It's dark
magic. Right. Exactly. So the first thing you do is you get the box and you stab it six times. No,
I'm just kidding. You usually just need to go to your router's login page. So typically it'll be something like, you know, 192.168.0.1
and it'll have a login portal.
Well, with any luck, you can log into that
and look for something that says updates
and click it over to automatic mode.
Use the hard-coded credentials
that they've conveniently provided for you.
You know, if not, I'm sure there's a sticker on the box
and you can just go get it off of there.
Sure, sure.
You know, speaking of, I did want to talk about another thing too.
You know, I think when it comes down to IoT, a lot of people don't realize that things like password reuse are so common.
Multiple vendors tend to reuse the same passwords.
If you think about the number of routers that use admin, admin, it's a catastrophically
alarming amount.
So please, users, never set that as your password.
Yeah, I mean, is it fair to say step number one with any of these devices is go in there
and change the password?
Absolutely.
You know, I would even say, first thing, change the password.
Second thing, go over to updates, see if there's an automatic setting.
The reality is most of these home devices, well, they have QA teams, right? And the QA team
may not be finding every single zero day in the device, but I bet they're pretty good at testing
the actual quality of the product and the overall functionality. And so for me, you know what,
I would prefer to have my device secure itself so that an attacker can't take control of it
and install something like Mirai, than, you know, gamble with, well, do I want to test it first?
Do I want to give them a week or two to patch it?
I would prefer that my device be secure.
Right.
So the risk of having some sort of, I don't know, substandard update come through
that could affect the device, brick it, or affect performance,
that's probably lower than the risk that you assume when you don't do the updates.
Absolutely.
And especially if you're buying name brand devices.
I think that's really what you pay for when you pay for a brand that you recognize,
when you pay for a brand that's from a large, stable company. Chances are they don't want a bad product representing their brand, and they're going
to try and find these issues. Now, does that mean if you pay more, you can get a
bulletproof router?
Obviously not, right? There's no such thing as 100% hack-proof software. Anybody who says that is misleading you. But what it does mean is that there's going to be a team of developers
that work on the product. They're going to be there after you buy the product,
and they're going to maintain the product and help ensure that it's a quality product for the lifetime of the product.
Now, the lifetime will end.
You can't have a 20-year-old router
or a 10-year-old router and think it's fine.
That's the world we live in.
I could see somebody with a good old dial-up modem
think, why do I need one?
There's probably vulnerabilities in
that chip architecture that are going to be hard to exploit because we don't even remember what
they were. Right. Yeah. A lot of our parents, I suppose, are probably in that if it ain't broke,
don't fix it category. But you just can't think that way these days. Right. And this is especially
true for things that are from niche vendors. Right. Which may be something that, you know,
if you're at a very small ISP, that may be something that's appealing to them. And then if those issues
aren't patched quickly, it could put you at risk. Yeah. All right. Well, good advice as always.
Craig Williams, thanks for joining us.
My guest today is Amanda Berlin.
She's Senior Security Architect at Blumira,
but today she joins us to share the story of the nonprofit she started, Mental Health Hackers.
It's a group of InfoSec professionals dedicated to helping others in the industry deal with mental health
issues, either their own or those of loved ones. I was asked to do my first keynote at B-Sides
Nashville, and I kind of wanted, like all my talks prior were technical topics, right? And I
had never done a keynote before, and I thought I kind of want like a TED Talk-ish topic, right?
More high level. And then at the time, there were some suicides that had just happened like in InfoSec.
Come to find out, it is way more of an issue than I thought it was.
I just gave that talk, gosh, probably 14, 15 times last year because people just kept on asking me to come talk about it.
So it went from that to I felt like I could be doing more,
rather than just the 20 to 100 people that come and watch the talk.
Maybe I could create a space for people to go and talk about. So you mentioned earlier the mental health and wellness village that you ran.
Take us through what was going on there.
What did folks get out of it?
The idea was, you know, for that quiet space at the conference.
So a lot of times I'll have panic attacks like two or three days into a conference because,
like I said, I'm sitting at home alone all the time.
And then I'm just surrounded by people 24 seven for a couple
days. And it's, you know, it overwhelms my system. And I just go back to my room and I chill out and
I calm down or whatever. And I just realized, you know, in most of these conferences, you know,
there's villages for everything. And everything's always so busy and so loud that I thought it would
be cool to have just like chill, like quiet music place you can go and kind of hang
out. And it kind of grew from there. So we did this fidget table where there was like all of
the different things you see online and some new ones that I had found of just stuff to play with.
We had people come in and do like paracord crafts and essential oils and all that kind of other things that people can do sometimes
for mental health. And then we had therapy dog. I also had a lot of volunteers want to speak about
things. So we split it up in between actual like real conference presentations, you know, where you
sit and you watch people do slides and talk and then discussion groups.
So all of those went super well. And then the majority of the money actually went towards massage therapists. We had four massage therapists come in all day Saturday and just do chair
massages for anybody that wanted to come in and get them. All of it was really, really well
received. And we just want to like grow that more and provide that kind of stuff to more
conferences. Are there particular aspects of InfoSec and the people that it attracts and the
conditions under which folks are working that make this a particular issue? Oh, definitely.
When I was doing a bunch of research that I was doing, and I never thought I'd ever read this many medical journals, I found it's called the Savannah IQ Interaction Hypothesis.
It basically talks about how people with higher intellect and IQ tend to have more mental health issues. And then with that mental health issues, they also tend to self-medicate more. Pills, alcohol, prescription, non-prescription drugs, whatever. It amazed me.
A lot of the work that we do, we're kind of, I mean, a lot of us are isolated, right? Like I work from home. I don't really have a whole lot of interaction with people. So you kind of lose, you know, you feel isolated. You feel like there's nobody else that are going through the same thing that you are. And then you're just like stuck behind your keyboard forever without
of things, that they can come to their employers and say, you know, I need some assistance here or, you know, we need health care that provides for these sorts of things?
I've heard some awesome stories from people that actually have full-blown mental
health wellness programs going on in their company. I think there's a lot more openness with
at least it seems like a lot of the startups. Because I mean, if you've ever worked for a
startup, they're freaking crazy, right? You're working nonstop, and you're super passionate
about whatever you're doing. Otherwise, you wouldn't be working for a startup. It seems like a lot more of them care,
whereas the institutions that have been around for a while might not necessarily.
What are your recommendations for folks who may be sitting back and thinking that maybe
they're dealing with something? They have some anxiety, some depression, some of the other things we've described here, but they're hesitant to come out
and talk to anybody about it. Where do they begin? What sort of resources are available that they can
start down a path of healing? There's so much. There is so much out there that I didn't even
realize, you know, until I started looking at this kind of stuff. You know, the National Suicide Prevention Line has, you know, if you need someone right now, you can call them.
You can chat with them online.
Like, I hate calling people on the phone.
So I don't fault people if they want to just chat with them in a DM or whatever.
But there's places like NAMI, which is the National Alliance on Mental Illness, that has a whole bunch of information as well.
And you can kind of learn more and, you know, they'll provide like coping techniques.
Right. So there's different stuff that works for every person with every level of any mental health,
whatever they have, right? Because just because you have panic attacks or depression or bipolar, schizophrenia, whatever, doesn't mean, you know, you're completely broken. You know,
all of our mental health is important, whether you have something or not. But there's way more
than that. You know, there's a whole lot more coping mechanisms that you can use. And then
there's definitely like professional help. One of the things that we talked about in the village that we ran, we had somebody come and
talk about all the stigmas of going to a therapist and kind of what it's actually like to go to a
therapist and the difference between psychiatry and psychology and therapy. So it's just, you
know, learning about it. I think that even if you don't have
something, I guarantee you someone you know does. And that's when communication, you know,
also comes into play. That's Amanda Berlin. You can find out more about Mental Health
Hackers by visiting their website. It's mentalhealthhackers.org.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire
podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're
co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire
team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan,
Thanks for listening. We'll see you back here tomorrow.