CyberWire Daily - Hacktivism, auxiliaries, and the cyber phases of two hybrid wars. Challenges of content moderation. Cyberespionage in the supply chain. Don’t buy all the hype, but do fix your Linux libraries.
Episode Date: October 12, 2023
Hacktivists join both sides of Hamas's renewed war. Disinformation and content control in social media. Storm-0062 exploits an Atlassian 0-day. Curl and libcurl vulnerabilities. Betsy Carmelite from Booz Allen on how to expand and diversify the cyber talent pool. Our guest is Kuldip Mohanty, CIO of North Dakota. And some further reflections on hacktivism and the laws of war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/195
Selected reading.
False Alarm of Hezbollah Aircraft Infiltration Underlines Israeli Concern of Multi-Front War (FDD)
Israel-Hamas conflict extends to cyberspace (CSO Online)
Hamas-Israel Cyber War Escalates: What We Know So Far (Techopedia)
Israeli Cyber Companies Rally as Digital, Physical Assaults Continue (Wall Street Journal)
X promises 'highest level' response on posts about Israel-Hamas war. Misinformation still flourishes (AP News)
Europe gives Mark Zuckerberg 24 hours to respond about Israel-Hamas conflict and election misinformation (CNBC)
Elon Musk Is Shitposting His Way Through the Israel-Hamas War (WIRED)
Facebook video of Biden prompts probe into Meta content policy (Financial Times)
MIDDLE EAST: A CYBER ARMS RACE (CYFIRMA)
Storm-0062 exploits Atlassian 0-day. (CyberWire)
Curl and libcurl vulnerabilities. (CyberWire)
Ukraine at D+595: Sabotage in the Baltic Sea. (CyberWire)
A Hacktivist Code of Conduct May Be Too Little Too Late (OODA Loop)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Activists join both sides of Hamas's renewed war.
Disinformation and content control in social media.
Storm-0062 exploits an Atlassian zero-day.
Curl and libcurl vulnerabilities.
Betsy Carmelite from Booz Allen on how to expand and diversify the cyber talent pool.
Our guest is Kuldip Mohanty, Chief Information Officer of North Dakota.
And some further reflections on hacktivism and the laws of war.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, October 12th, 2023.
We begin with some cyber news from the war in the Middle East. Activist groups whose principal interests lie elsewhere have joined one side or the other in the war between Hamas and Israel. Techopedia
offers an updated account of who's in action. The best known groups are the Russian auxiliaries
Killnet and Anonymous Sudan. The mission they've been given is fundamentally one of influence and harassment.
The war in the Middle East is seen in Moscow as an opportunity to distract Western supporters of
Ukraine, ideally to reduce their tangible support of Kiev's war effort. Palestinian and Islamist
groups have also lined up with Hamas. The Indian Cyber Force, normally preoccupied with Pakistan and other South Asian
states in tension with India, has come in on the side of Israel, claiming to have taken down Hamas
sites and other pages belonging to Palestinian authorities. The confirmed cyber attacks have
so far been nuisance-level defacements and distributed denial-of-service attacks.
claims of successful cyberattacks on infrastructure remain for the most part unconfirmed hacker bragging.
One volunteer group acting for Israel functions as an augmentation to intelligence services.
The Wall Street Journal reports that the Israel Tech Guard,
formed by workers in the country's cybersecurity sector,
has been concentrating on the labor-intensive work of looking through online content
to seek to identify and locate Israelis taken hostage by Hamas.
The volunteers are also working to secure online tools that contribute to public safety,
like the Red Alert app compromised in the early hours of Hamas's assault.
Much of the disinformation circulated in the course of the war in the Middle East has been produced in the interest of Hamas,
and most of it has circulated in social media.
X, formerly known as Twitter, has come under more criticism than other platforms, CNN reports.
Disinformation and incitement have run through X,
and many observers regard this as a foreseeable result of X's recent dismantling of its content moderation safeguards.
X does retain what Wired characterizes
as a remnant of Twitter's trust and safety team,
and that remaining team says it's working to reduce
the amount of demonstrable misinformation in circulation on X. They've struggled to do so,
and a great deal of obvious disinformation continues to emanate from X premium accounts.
European Commissioner Thierry Breton wrote to X to warn the platform that its failure in this respect may constitute
violations of the European Union's Digital Services Act. The Verge reports that Elon Musk,
X's proprietor, asked for clarification and said after an exchange with Breton,
I still don't know what they're talking about. That's the kind of thing Wired calls poop posting, although they
don't use the word poop. Monsieur Breton also wrote Meta, asking CEO Mark Zuckerberg to ensure
that Facebook and Meta's other properties take a close look at their own wartime content moderation.
Reuters quotes the letter as saying, in part, I would ask you to be very vigilant to ensure strict compliance with the DSA rules on terms of service,
on the requirement of timely, diligent and objective action following notices of illegal content in the EU,
and on the need for proportionate and effective mitigation measures.
Meta told CNBC, After the terrorist attacks by Hamas on Israel on Saturday, our teams are working around the clock to keep our platforms safe, take action on content that violates our policies or local law, and coordinate with third-party fact-checkers in the region to limit the spread of misinformation.
We'll continue this work as the conflict unfolds.
moderation have concentrated with, it should be said, some commendable diligence, intelligence,
and good effect on exposing coordinated inauthenticity. That's had a positive effect in unmasking and quieting state-run disinformation channels. Whether it will work as well against the
individual hot wars like the one now being waged in the Middle East remains to be seen.
Earlier Facebook experience with inter-ethnic violence in South Asia suggests that Meta will probably have to increase fact-checking and direct content moderation.
In other news, Microsoft warns that the nation-state threat actor Storm-0062
has been exploiting a broken access control vulnerability affecting
Atlassian's Confluence data center and server products since September 14th. Security Week
reports that the threat actor is conducting cyber espionage for China's Ministry of State Security.
It's a well-prepared campaign designed to compromise and exploit a software supply chain.
As usual, apply updates according to vendor instructions.
In full disclosure, we note that Microsoft is a CyberWire partner.
The latest version of the Linux Curl project has been released,
fixing two vulnerabilities affecting the Curl tool and the libcurl library.
One of the flaws is a heap-based buffer overflow vulnerability that could lead to remote code execution.
CyberScoop notes that the severity of the flaw
may have been overhyped before its release
since the vulnerability can only be exploited
under very specific circumstances.
Nevertheless, the vulnerability merits attention.
Johannes Ullrich, Dean of Research
at the SANS Technology Institute, noted, this is only a valid exploit if you take unvalidated data
and create an HTTP request via a SOCKS5 proxy to a host name created from the unvalidated data.
My recommendation is to upgrade without haste. I rate the probability of this happening in actual code as very low.
If you accept data, not validate it, and just blindly pass it to libraries like Curl,
you will likely have other problems that are easier to exploit.
So, there's no need for panic, but the vulnerabilities are just some of those things that will require attention.
OODA Loop takes a look at an essay by officials of the International Committee of the Red Cross
titled, Eight Rules for Civilian Hackers During War and Four Obligations for States to Restrain
Them. The essay proposes extensions of international humanitarian law to wartime hacktivism,
and OODA loop thinks the recommendations may have amounted to too little and arrived too late.
The author, Emilio Iasiello, sees several reasons why a commendable attempt to civilize hacktivist conduct will fall short of expectations.
First, it's a purely voluntary ethical code.
Second, the notorious difficulty of attribution of cyber activity
will make it difficult to hold hacktivists to any code, voluntary or not.
And finally, it's difficult to imagine what unbiased party
might serve as an arbiter of an ethical code.
Misconduct is in the eye of the beholder.
The criticism is in some ways well taken. There may be more room for optimism than the OODA loop piece allows. First,
as the critique itself acknowledges, the ICRC officials who wrote the rules for hacktivists
are not naive. They're aware that the laws of armed conflict are imperfectly observed and enforced
Russia's war against Ukraine provides ample evidence of that
But their proposal shows how the principles behind the laws of war
and international humanitarian law might be applied to action in cyberspace
Proportionality, discrimination, and avoidance of unnecessary suffering
all have obvious relevance.
The ICRC officials also point out that hacktivists could legitimately be considered,
under some circumstances, to have forfeited their non-combatant status. The two officials
propose eight rules for hacktivists, but they outline four obligations, and we emphasize
obligations that states have with
respect to the hacktivists acting in the state's interest or operating from within the state's
jurisdiction. So, the extension of the laws of armed conflict the ICRC suggests isn't either
idealistic or unenforceable in principle, international law evolves with war itself. That's as true today as
it was in Nuremberg in 1946, and the prosecutors got some convictions there. One of them, deliberate
spreaders of malicious information should note, was entirely for incitement to genocide.
Coming up after the break, Betsy Carmelite from Booz Allen on how to expand and diversify the cyber talent pool. Our guest is Kuldip Mohanty, Chief Information Officer of North Dakota.
Stick around. Do you know the status of your compliance controls right now?
Like right now. We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies,
access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
I recently had the privilege of being a guest and speaker at CyberCon 2023,
a cybersecurity conference hosted at Bismarck State College in North Dakota.
Before the trip, I had heard that North Dakota had adopted an innovative whole-of-state approach to cyber. To learn more about that,
I sat down with Kuldip Mohanty, Chief Information Officer for the state of North Dakota.
Security is a role that we in the state believe that it has to have a whole-of-state or whole-of-
government approach. And the reason for that being, this is a responsibility from the state
government that we need to own discharge the duties that it
takes to deliver that robust approach then the posture that is required to do threat hunting
or remediation of vulnerabilities or preparing that detection response approach from a whole
of state allows us to be consistent across all agencies should there be a situation
that we have to deal with in future. With our centralized organization, it also allows us to
have one central IT capability and security has to be a central capability because security is
everyone's job. We got to enable that education training across the board and that's kind of the
whole of state security approach where we're starting with education, empowerment, understanding, and the deployment in a centralized way that allows
us to know the threat hunting and the threat detection, and then provide the response and
remediation plans as and when it shows up. What are the practical implications of that?
I mean, when we look at North Dakota as a state, you have
pockets of sort of centralized population, but then there's a lot of folks dispersed over a wide
area. What does that mean for you and your responsibilities to protect them?
Yeah, if you think about, you know, the composition of our state is very rural in nature.
With rural, it comes with a lot of understanding or lack thereof in terms of what
internet connectivity means, how easy it is to get framed in phishing attempts or ransomware
attacks or what have you from a data loss perspective. And many of our rural communities
do not have the ability to even jump in and understand what security threat is. So with that
whole of state approach, we have been
good at developing the education, developing that broadband connectivity to allow people to connect
to the internet, but also having our STAGEnet infrastructure, which brings everything together,
having the threat hunting at the place where everybody connects through, allows us to be more
responsive. Whereas net, let's not just leave that responsibility back to the citizens.
We have a responsibility for the state
and how do we discharge that in a more meaningful way?
Yeah, here at the conference,
the presentation that you gave,
I was impressed with some of the stats that you shared
about how far ahead North Dakota is
when it comes to connectivity,
to not just connecting people, but making
sure that it's meaningful, that they have the speeds that they need to participate in
today's community.
I'm curious, are there things that are specific to North Dakota that present specific challenges?
And are there things that are specific to North Dakota that also provide certain opportunities
for someone in your position?
Great question, Dave.
I mean, the way I would address that
is because we're rural in nature,
the challenges are more about
it doesn't impact them so they don't care
or they shouldn't care, right?
Knowing that dynamic, how do we get in front of it?
So being small and being very dispersed, it also is nimble for us
too. We can move mountains pretty quickly. Because of our density in certain larger metro areas,
such as Bismarck or Fargo or Grand Forks, there are a lot of smaller communities.
And knowing the fact that getting that outreach out there to smaller communities, starting to educate folks around what cyber can mean and the events like CyberCon or Cyber Madness that we do for high school students to bring that early awareness and cybersecurity and its importance and how it impacts everybody's life.
Because that kid that comes to Cyber Madness competition goes and talks to the community or talks to the parents and then word spreads.
So creating that, you know,
angels of information sharing
through these high school kids
and elementary school kids
that allow just to improve that
and the nimbleness comes to the process.
The other thing is our PK-20W initiative
is really geared towards driving
cybersecurity and computer science education.
Now you cannot graduate out of high school unless you have cybersecurity and computer science
as two required course curricula in your high school process. And that's something I don't
know how many states do it today, but that's where we're trying to push it from grassroots,
not just a matter of talking about what is the out of possible from a whole of state,
but also change that momentum all the way to the communities. So it becomes a sustained effort and
continues to keep us ahead of the curve. I really think that's worth highlighting in that
whole of state means that you are reaching kids through their whole educational journey.
And that has to really yield good payoffs
for this next generation of citizens who are coming up.
Absolutely.
And if you think about the projection of jobs,
today, as I mentioned earlier today,
there are 71, 73 million jobs are going to be displaced,
but there are 130 million jobs getting created.
So how are you preparing the next generation of talent
to be prepared to face the marketplace
that they're walking into?
Would the job be same as to what we are doing today?
Likely not.
There's a lot of automation,
a lot of artificial intelligence, generative AI,
which is going to take the mundane work out,
which means you're more available
to do more higher value at work.
And how are we training them
to prepare for the next generation?
And that's the call to action for many of the leaders
to really think about what else can we be doing at a state IT level
to enable that education, allow people to see the art of possible,
and also in the same vein, elevate and educate people
to come on the journey and not show a hand up saying,
okay, I'm not willing to go there
because I don't know what to expect out of AI.
The unknown is more scary than making it known.
And our job is to make that unknown
more of a known entity,
whereby there's a lot more willingness
than a lot of refusal.
What are your aspirations?
I mean, as you look towards the future,
you've accomplished a lot,
but I'm sure just in knowing you the brief amount of time I've known you, I think you want to accomplish more before your time here is done.
What are some of the things that are on your list?
The way I would start with the answer, Dave, here is it's about citizens.
It's about businesses that transact in the state.
How do we provide government services and bring that consumerization philosophy back into public sector?
We all as consumers in our personal lives are used to certain kind of experiences, certain kind of behaviors that we see around us.
Why can't we expect that from government?
Why does government have to be so complex?
Why do we have to go and live in a paper-based environment?
And those are the things I think those are areas that we all can aspire to.
It's not going to be a sprint.
It's going to be a marathon.
But if we have the right focus, right mindset, and the right talent,
which happens to be the key to unlocking a lot of the future success,
and an ecosystem of partners who are willing to come together to make that journey happen,
nothing is impossible.
That's Kuldip Mohanty, Chief Information Officer for the state of North Dakota.
Our thanks to him and all of the organizers of CyberCon, especially Conference Chair Troy Walker
for inviting us and being so welcoming. We'll be sharing more from that conference in the coming days.
And I'm pleased to be joined once again by Betsy Carmelite.
She is a principal at Booz Allen Hamilton for Cyber Defense Operations.
Betsy, it is great to welcome you back.
I want to talk today about the challenges that organizations face with hiring and this cyber talent pool, which never seems to be big enough.
What are your thoughts here on this topic?
Just such an important topic to address short-term, immediate, long-term cyber workforce needs. So filling these hundreds
of thousands of cyber job vacancies across our nation is a national security imperative.
And we see the administration making generational investments to prepare our country to lead in the digital economy. And one of the biggest issues we see facing
the cyber workforce is that self-limiting definition of experienced talent. And we need
to increase the points of entries and expand our own surface area for talent discovery so that
we're not putting such a boundary on the four-year degree program is essential and critical.
That's just one entry point into a cyber career.
And mandatory degree requirements often cause those unnecessary barriers to entry for top talent,
excluding many promising candidates who have years or most recent practical experience
working in the cyber field. You know, I hear so many people express their frustration at this,
that the job listings are unrealistic or you need to have five years of experience in a technology that's only been around for three.
You know, those sorts of things.
But that people are getting eliminated by automated systems.
How do folks short circuit that so they get seen by the people who are doing the hiring?
Okay, so we saw some research from Handshake that found that rather solely focusing on a candidate's formal education
or those requirements that you just mentioned, Dave, focusing on skills tripled the number of
qualified veteran tech candidates and resulted in a significant increase in female and Black candidates. So just using that as an example. So I think we're seeing in
one of the strengths of this strategy is really looking at this skills-based assessment and
looking at hiring to skill rather than a formal education. And skills assessments can allow organizations
to look beyond candidate resumes, interviews, and potential biases to measure actual real-world
skills. And I think it's really important to focus on looking at the predictability for strong performance. What is the potential
that the candidate has and the aptitude for these jobs? To your point, and I do a lot of hiring as
well, I may not get that 100% resume or have that interview where the candidate hits every single need in my vacancy. But I'm looking for that
potential for challenging the biases, for groupthink, for hiring for candidates of many
educational backgrounds where we can see that promise and that potential come through in the
future and open the door for that chance.
Is part of this making sure that the organization has the resources to train these people to the position? As you say, someone might not come in perfect, fully baked, but that's okay because
we can train them up and get them up to speed in a decent amount of time.
Yeah, and that's where really upskilling and understanding what sort of path we can put somebody on. So a couple things there.
We can see the validity, and the strategy emphasizes this, in a community college degree, two-year degrees, apprenticeships,
rotations throughout an organization to gain exposure to different disciplines in cybersecurity,
and then access to certificate courses. Now, we know certificate courses, you know, aren't the
be-all to end-all, but it does put candidates and existing employees in an upskilling situation where they're exposed to new things,
which could then lead to, oh, I'd like to veer off into this field because it was really interesting and attractive to me when I took that course.
So it can be that spark as well.
What about going outside of the strict cybersecurity field itself? I remember I spoke to someone once who said that he liked to pursue jazz musicians because as jazz musicians, they are skilled at collaboration and at solving problems in real time and that that mindset when applied to cybersecurity he found
was quite successful. I mean, that's an interesting case, but is that the type of
thinking that we should be applying here? Yeah, I know we've talked previously
in other segments, just, you know, where are the angles for problem solving in various education disciplines? You know, I interviewed
and hired somebody in the last year who spoke just passionately about how they were part of
like tech crew in theater and they learned how to operate all like the circuit boards and the
lighting. And they knew nothing about that as a senior in high school or something like that.
And I was like, wow, you figured that out all on your own.
And you probably had to do some technical apprenticeship and training alongside somebody to figure that out and be capable.
So I look for minds like that, too.
I love the jazz musician example.
The strategy also here stresses expanding the surface area of the talent pool by seeking out
veterans, underserved and underrepresented communities, and foreign-born talent to meet
growing workforce demands. So those are starting points as well.
But understanding definitely what are the career pathways
and how can we dramatically and positively impact federal workforce challenges
through also the hiring and pay authorities and reskilling initiatives that,
you know, I just mentioned before. A lot of these careers are not linear ladders that we saw in
earlier decades, broad portfolios of multiple career experiences. I look at my own career,
I would never say that I'm the typical cyber expert. I came out of, you know, undergrad with a liberal arts degree, studied linguistics, foreign languages, you know, but then I look at my career now and I've worked in cybersecurity and commercial, federal, the intelligence community spaces.
And that really provides a different view across a broad range of paths that I can follow, that I can still follow.
So just stressing that that typical cyber expert does not exist.
The best ones come from a wide variety of backgrounds and experiences.
Yeah, absolutely. All right. Well, Betsy Carmelite
is a principal at Booz Allen Hamilton for Cyber Defense Operations. Betsy, thanks so much for
joining us. Cyber threats are evolving every second, and staying ahead is more than just a ... solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. Your feedback
helps us ensure we're delivering the information and insights that help keep you a step ahead in
the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the
Cyber Wire are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector, as well as the critical security teams supporting
the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, ... with original music by Elliott Peltzman. The show was written by our editorial staff.
Our executive editor is Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. ... hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.