CyberWire Daily - Huawei accused of abetting domestic surveillance in Africa. Cyber gangs adapt and evolve. Prosecutors indicate they’ll add charges to “erratic.” Bluetana detects card skimmers.
Episode Date: August 15, 2019
Huawei accused of aiding government surveillance programs in Zambia and Uganda. Cyber gangs are adapting to law enforcement, and they’ve turned to “big game hunting.” They’re also adapting legitimate tools to criminal purposes. US Federal prosecutors indicate they intend to add charges to those Paige Thompson already faces for alleged data theft from Capital One. And there’s a new tool out there for detecting gas pump paycard skimmers. Malek Ben Salem from Accenture Labs on transparency and community standards online. Guest is Taylor Armerding from Synopsys on the projected employment shortfall in cyber security.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Huawei is accused of aiding government surveillance programs in Zambia and Uganda.
Cyber gangs are adapting to law enforcement and they've turned
to big game hunting to do it. They're also turning legitimate tools to criminal purposes.
U.S. federal prosecutors indicate they intend to add charges to those the alleged Capital One
bank hacker faces. And there's a new tool out there for detecting gas pump pay card skimmers.
From the Cyber Wire studios at DataTribe,
I'm Tameka Smith sitting in for Dave Bittner with your Cyber Wire summary for Thursday,
August 15, 2019. The Wall Street Journal reports that Huawei has embedded technicians in the governments of Zambia and Uganda to help those governments organize and operate extensive domestic surveillance programs.
The company has been working to gain a commanding presence in African markets.
Meanwhile, Huawei denies any wrongdoing.
A Huawei spokesman told the Journal the company never engaged in hacking activities in a statement.
It goes on to point out, quote, Huawei rejects completely these unfounded and inaccurate
allegations against our business operations. Our internal investigation shows clearly that
Huawei and its employees have not engaged in any of the activities alleged. We have neither the
contracts nor the capabilities to do so, end quote. Huawei has long been suspected of operating as a willing adjunct of Chinese intelligence and security services.
The Journal does not say that the operations in Zambia and Uganda were directed by Chinese intelligence,
nor does it argue that there is anything about Huawei's technology that made it particularly adaptable to surveillance.
But The Washington Post notes the lessons seem to be that Huawei is willing and able to work with repressive regimes.
Chinese security services have established a template for repressive surveillance
against its own Tibetan and Uyghur minorities.
It may be that this template is now being exported.
Accenture's report on trends in cybercrime suggests the possibility
that criminal gangs are adapting their tactics to avoid detection and apprehension. Gangs like
FIN7, the Cobalt Group, and the Contact Crew are increasingly turning to what Accenture calls
big-game hunting. Their attacks are growing highly targeted towards their victims. The gangs are
using not only custom malware, but also commodity
attack tools traded on the black market. The higher-end criminals, Accenture concludes,
are adapting legitimate tools like Metasploit, Cobalt Strike, and Meterpreter to illicit purposes.
It's also noteworthy that some of the gangs, including FIN7, have survived the arrest of
some of their ringleaders and continue to prosper.
There's an attack defense seesaw, and for now, the attack side seems to be rising.
New research points out that in 2020, there will be more positions in cybersecurity than people with the skills to fill them.
Taylor Armerding, who writes about this topic for Synopsys, a software company, says his
focus is on cybersecurity and privacy.
How important are credentials in the cybersecurity field, especially when you start talking about a
forecasted shortfall?
I would say they are important, but they're not as important as
other things. In fact, there was a blog post on a site called Indeed that was saying one of the problems with job postings is
that they tend to demand credentials that aren't really necessary. You know, I would say that you
need some tech training and that sort of stuff, but you can be trained on the job. And then besides
that, once you have done some work, credentials come with experience, I guess you'd say.
You know, demonstrating that you can do a job is much, much more important than a degree or, you know, some other kind of certificate, certification, things like that.
Can you talk a little bit about the forecasted numbers in the shortfall?
Because in your article here it says that officials estimate that job growth in the sector is going to be at like 30 37 a year at least through 2022, and that's conservative. The US,
the United States job shortage is an estimated 300,000 jobs. In other words, unemployment is below zero,
which is kind of interesting. And worldwide, that figure's in the millions. Supposedly two years from now, one of the
estimates I saw said that two years from now, the worldwide job shortage of skills will
be 3.5 million.
And I think that's because, as I said in that story, the threats are increasing. The bad guys and the tools that
the bad guys use are more sophisticated. So the threats are expanding, they're increasing,
and there's an increasing need for skilled cybersecurity workers. You may be familiar
with the RSA conference, the annual conference out in San Francisco that's probably the biggest
security conference. I went to that for the first time about six years ago, and there were maybe,
I think, 25,000 people. Now there's close to 50,000 people. So it is an
explosive growth industry, I would say.
A lot of people who are volunteering in this field
of educating and working with nonprofits to help get the
youth involved. They're saying there is a lack of support in the public school system
and then the education system altogether. Do you have any thoughts on that?
It seems like our legacy educational system is not designed for rapid response. It kind of gets entrenched in a certain
model, which doesn't mean it doesn't do anything well. It does a lot of things well. But when
something like this happens, you know, you've got a lot of teachers who have tenure and who aren't
going anywhere for anywhere from 10 to 30 years. Meanwhile, the need for tech training for, you
know, for the STEM fields is explosively growing.
It's one of those things that just, it's very difficult. It's like, you know,
one of the images is trying to turn an ocean liner on a dime or something like that. It's just not
geared for rapid response. That said, it does seem like there are all kinds of initiatives
within the industry. There's people who are doing mentoring.
It's happening.
It's just happening in a very diversified and diffuse.
And it's not kind of centered on our educational establishment, which I think will change.
But it ain't going to change real quick, I don't think.
In your article, you mentioned the lack of diversity in this field.
Yes.
How do you suggest that that challenge is tackled?
Part of it, I think, is awareness, like just about anything.
When people become aware of a problem, that's at least a first step, because once they're
aware of it, they at least have a tendency to support or even take some initiatives themselves.
I mentioned in the story, a guy named Gary McGraw, for a number of years, had a podcast called the Silver Bullet Podcast. And he
decided, I think it was in 2017, to interview only women. And it was easy to find them. There
were some outstanding female stars in the field. He said, I'm quoting, if you go to your typical panel at a conference,
it's mostly men.
There are women involved who can be role models,
but we need to make sure that schools
aren't set up to discourage that.
You need to encourage minorities.
You need to encourage women.
They're just as smart as the guys are,
but there has been a sense that this is a guy's field
and it must not be because there aren't enough guys to do it.
You need everybody.
That's Taylor Armerding from Synopsys.
An update on the case of the accused Capital One Bank data breach hacker.
There's speculation that Paige Thompson, who went by the online handle Erratic,
was involved in cyber incidents affecting as many as 30 other organizations.
Observers speculated the other incidents may have been exaggerated if they occurred at all.
But this week, prosecutors filed additional court documents
indicating that they had indeed found evidence of those alleged cyber crimes
compromising other organizations.
The Justice Department said most of the compromised files
did not contain personal
information, but they informed the court that they expected to file additional charges in the case.
Thompson remains in federal custody. And some good news for cyber law enforcement.
Credit card skimmers, the bane of gas station customers, can now be spotted with a tool called
Bluetana. The device is the product of joint research by the University
of California, San Diego and the University of Illinois Urbana-Champaign with technical input
from the U.S. Secret Service. Bluetana seems to enjoy a high success rate, but there are legitimate
devices that can look like card skimmers to the scanner. So the system gives investigators
indicators as opposed to conclusive evidence that a skimmer is present on any given gas pump.
That's still valuable.
Bluetana helps tell police that they should take a second look.
The research surrounding Bluetana suggests why criminals find it worth their while to deploy card skimmers at gas pumps.
They realize a profit quickly. A principal investigator on the project wrote, based on the prior figures,
they estimate the range of per day revenue from a skimmer is about $4,200 and on the high end,
an estimate of $60,000. And why gas pumps? For the most part, they're outdoors and unattended,
so installing a skimmer is a low risk, high reward proposition. The U.S. Secret Service
involvement isn't surprising.
While the service is best known for presidential security,
it's primarily responsible for investigating federal financial crimes,
and it's often called in to look into cases of fraud at the gas pump.
And if you're running a business in the United States,
it may be worth the time to get to know your local Secret Service office.
And I'm pleased to be joined once again by Malek Ben Salem. She's the Senior R&D Manager for Security at Accenture Labs. It's always great to have you back. You and I have been talking about the trip you recently made to RightsCon. And one of the topics of discussion there was how to deal with disinformation campaigns online. What can you share with us?
Yeah, so one of the interesting conversations in that conference was about,
you know, freedom of expression on the internet versus censorship, the voices that are asking now
for more control and more moderation of what gets published on the internet. In particular,
after all the disinformation campaigns that we've seen throughout election cycles, for instance,
the video of Nancy Pelosi a few months ago. So the question is, how can we fight disinformation, whether there are any
viable approaches, techniques, and can we do it without censorship, right? Without turning into,
while keeping the internet the way we know it as a platform for free expression.
So what were some of the ideas tossed around?
It seems that there is a consensus that we definitely need to develop standards of internet
transparency and integrity.
We also need to limit space for impersonators.
Existing platforms, anybody can create an unlimited number of accounts in an anonymous manner.
The question is, do we need to have more checks to check that the people creating accounts are
really, you know, physical people as opposed to bots, right, that can start building or propagating information without them representing people in the real world.
So they don't reflect the public opinion in the real world.
Right. But then I suppose there are legitimate needs for anonymity online as well.
Absolutely. Yeah. And that's really one of the advantages of the internet. That gets also, I guess, reflected by the development of platforms like blockchain and
Ethereum, where you see platforms being created that are decentralized, distributed, and people
can join anonymously.
That reflects the need for anonymity.
It's still a trade-off.
I don't think anybody would say that we need to completely remove the ability for people to interact in an anonymous manner, but limiting
the space for impersonators is what's needed. Limiting that space, meaning checking for bots
that really have more harmful impact.
Yeah, I mean, what a challenge to try to have, you know,
community standards when you have truly a global community.
Especially as we see also that the
impersonation techniques are changing and are evolving, right? Now you see these bots infiltrating
authentic social groups, right? So it's not like, you know, one bot that's broadcasting
the wrong information on their own, but they're really infiltrating the more closed
groups and domestic social media dialogue. How do you detect that? It's not straightforward,
but I think we need to do more research and come up with some ways of, again,
not completely limiting this, but perhaps limiting the space for these impersonators.
Yeah, it strikes me too that there's one of the things that by automating,
the ability to automate these things, that that enables an asymmetry
that I don't know that we had to deal with before,
that the scale and velocity at which folks who are out there
to spread misinformation and so forth can
do so, it's a different ballgame than it used to be.
Absolutely. The automation of the fast
propagation of this misinformation is at an unprecedented scale, but also the automation
of generating misinformation, automatically generating deepfakes, right? We've never seen that before,
automatically generating videos that mimic a real person, that look really like a real person,
and that are hard to detect in real time. That's an absolutely new challenge, and it will continue
to grow as we make use of, you know, GANs, general adversarial networks to perform
or to build these deepfakes. So it's a challenge that will continue to grow. And we need to work
with the social media companies to come up with some common standards where we can identify
these deepfakes and synthetic data.
Interesting stuff for sure. Malek Ben Salem, thanks for joining us.
Thank you, Dave.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.