CyberWire Daily - Iran complains, threatens, and spies. Election Day cybersecurity notes.
Episode Date: November 6, 2018
In today's podcast, we hear that Iran has accused Israel of a second Stuxnet, claiming the attack was thwarted, and threatening retaliation. Nor is Tehran neglecting domestic surveillance of its own: Persian Stalker is involved with some pretty suspicious greyware. It's Election Day in the US, and officials are cautiously optimistic that work to secure the voting will be successful. Concerns about information operations persist, and people continue to work to distinguish them from good-old-fashioned American confident chatter. Ben Yelin from UMD CHHS on the FBI using Google location data to nab crooks. Guest is Victor Danevich from Infoblox on the challenges of managing higher ed networks. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_06.html Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Iran accuses Israel of a second Stuxnet,
claims the attack was thwarted, and threatens retaliation.
Iran's not neglecting domestic surveillance of its own.
Persian Stalker is involved with some pretty suspicious greyware.
It's election day in the U.S.,
and officials are cautiously optimistic that work to secure the voting will be successful.
Concerns about information operations persist,
and people continue to work to distinguish them from good old-fashioned American confident chatter.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Tuesday, November 6th, 2018.
Rumors of a second Stuxnet were reinforced yesterday when Iran's telecommunications minister accused Israel of having attacked Iran's telecommunications infrastructure.
The minister said the attack was unsuccessful and, according to Reuters, vowed retaliation.
Another senior Iranian official had last week said tersely that Tehran had found a new version of Stuxnet
apparently installed in some phones.
This is apparently the attack the telecommunications minister is referring to.
It's worth noting that this needn't be taken as implying
that Iranian defenses have detected and blocked another Stuxnet variant.
Stuxnet, which came to light in 2010,
was directed at disabling centrifuges used to
refine uranium for Iran's nuclear weapons program. It attacked programmable logic controllers,
looking specifically for the Siemens Step 7 software known to have been used at the
Natanz nuclear facility. This latest attack, if it took place, seems to be a different matter altogether:
spyware, not a campaign to take down an industrial process. So, perhaps Stuxnet 2.0
is best understood as something the Israelis are doing to us.
Cisco Talos Research outlines the activities of Persian Stalker, an Iranian domestic covert
surveillance campaign
that relies on penetrating social networks to keep an eye on possible dissent.
Telegram is a favorite target, with Instagram running second.
Talos calls Persian Stalker's apps greyware,
not quite malware, but perhaps an unwanted program.
It does, after all, perform as advertised.
Sort of.
This seems shyly reticent.
After all, the Telegram clones can often pull a user's contact list,
and the Instagram clones send full session data out to back-end servers.
That seems plenty unwanted to us.
Business Insider notes that observers think Iranian cyber operations
against U.S. oil production capabilities
are a growing possibility as the U.S. tightens sanctions against Tehran.
Security professionals working in higher education face a unique set of challenges,
providing protection to employees and students, critical systems and all of the devices that those students bring with them every semester.
Security networking company Infoblox recently surveyed higher ed security teams
to get a sense for what they're facing.
Victor Danevich is CTO, field engineering, at Infoblox.
I think the most significant thing is that about every 15 weeks or every new semester,
you've got a new batch of people coming in with different types of devices.
And the number of things that are coming in are changing exponentially fast, you know,
in specifically the Internet of Things.
So whether it's a watch, a phone, Alexa, or you've got students bringing in, you know,
PlayStations or, you know, anything like that, sometimes it can get up to four and in some
cases seven devices per student coming in. And every 15 weeks,
there's a new wave of all these different types of devices that are coming in. And the techniques
have to be updated and changed as time goes along. And I think that's probably one of the biggest
differences, you know, versus like an enterprise type approach. Enterprise, you control the type
of device that's out there. In a university, you don't. Can you take us through what were some of the key findings?
One of them was about, you know, 81% of the IT professionals state that securing campuses, right, would become more challenging as time goes on.
And I think for those exact type reasons, it's a, you know, complete new set of devices that are coming in, updated code, changes of things. Just when you might think you might have a handle on something, you know, this next batch of students and wave of
equipment starts to come in that can make things a little bit more challenging. Eighty-nine percent
of those indicated that there was some type of substantial increase in the number of connected
devices on their network, most predominantly in the Wi-Fi area. Now, do the folks who are running
these networks on campuses, do they feel like they've got the resources to keep up or are they
constantly in a game of catch-up? Constant catch-up, no doubt. I think, you know, and again,
one of the probably bigger changes are things to think about in enterprise versus higher education.
In an enterprise, you control the devices, you kind of can control the flow of how things happen within your environment. In a university,
you can't. So keeping up is this every 15-week type cycle. And it kind of really starts to make
you think about, you know, your approach to training, your team, your staff, everything
else that's going along with it, the tools, the technology,
the scanning, the types of devices, my discovery capabilities, anything along those lines
is in constant change and flux. Yeah. One of the things that your study highlighted was this
notion of the real problem with insider threats. What did you find there?
Insider threats can come in, I think, in a lot of different areas and folds.
With insider threat, you come in with an infected device and the student may or may not know it.
It could even be a campus lab piece of equipment. It could be, you know, an IoT type device that
might have been infected with something.
It could have been an actual staff or some type of employee. The type of threat then begins to propagate malware within the network in an uncontrolled fashion. So what are your recommendations?
I mean, how can these network defenders get on top of this? I think there's a bunch of different
things they can do. And I think probably the most important from a higher education, you know, IT type person that's trying to service the network is discovery of the type of tools.
And these are things that continue to change, you know, on a very, very rapid basis.
In terms of discovery, what classification?
I mean, you can use things like DHCP, fingerprinting to find out the type of device.
But the whole focus here is about really understanding the type of device that's on your network and the type of threat that might be out there.
The second kind of component with them is take advantage of your vendors and different types of tools to understand how to protect a better network. In the case of Infoblox, for us, it's DNS, and implementing blacklists and taking, you know,
the time to say, or to be able to check, you know, DNS queries as they exit your network,
you know, whether or not they're, you know, part of a malware type network or some type of
reason that they shouldn't be accessing, and either type, provide some type of blocking or
control, at least alert or notification of this type of activity.
The next step, right, and this is kind of the big change I think that's occurring in there,
it's just not simply implementing blacklists or some type of level of control,
but it's now starting to focus on the closed loop process of making that happen.
So not only just providing the blacklist, having your users leverage your network to be able to check those types of things,
but then taking that information, passing into some further processing it, learning from the type of discoveries,
an activity that might be going on within your network, and then being able to apply some kind of corrective action or policy to be able to address that.
What's changing, though, very, very simple, common old technique, you know, for a closed loop cycle and providing feedback.
But what's changing right now is just the amount of data and malware and threats and different things that are going on.
And you can't just simply come in on a Monday morning, you know, grab a cup of coffee and start working through some, you know, alerts or different logs.
It's changing at the speed of light. And you need artificial intelligence, some type of machine learning to be able to understand those patterns, to be able to
apply it, to be able to fine tune your policies that says, okay, out of these 10,000 some threats
that have just come in or alerts that have come in, which ones are most important that I need to
be able to do some type of blocking? What's hurting, you know, my organization, what's consuming
That's Victor Danevich from Infoblox.
It is, of course, Election Day in the U.S., and so far there are no reports of any unusual interference in the voting.
As Wired notes, measures taken to secure the election have been unprecedented,
and while there are surely
lessons to be drawn and improvements to be made, officials seem cautiously optimistic about
cybersecurity of the midterms. Should there be evidence of serious foreign interference,
everyone thinks U.S. Cyber Command is loaded for bear. They've got keyboards and connectivity at
Fort Meade, and they're not afraid to use them.
Concerns about influence operations persist, with Facebook saying last night that it had blocked 115
accounts for coordinated inauthenticity. This formula seems to be a winning one for Facebook.
They can credibly claim to be enforcing transparency and not engaging in viewpoint censorship.
There's some dissatisfaction with how Facebook's advertising transparency tool is working, and some senators have asked the social network to buck up the tool's performance.
Twitter says it's ready, but the New York Times says the service remains infested with bots.
Worries about the elections have been focused largely upon a well-established record of
Russian online propaganda directed at simple disruption. That's disruption in the sense of
exploiting fissures in the targeted society with a goal of exacerbating mutual mistrust and eroding
confidence in civil society and government institutions. According to Politico, other observers note that when it comes to trolling,
irresponsibly, and so on, Americans do just fine on their own without foreign help,
thank you very much.
So in this case, as Pogo Possum said a half century ago,
we have met the enemy, and he is us.
The enemy often is.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Ben Yelin. He's a senior law and policy analyst from the University of Maryland Center for Health and Homeland Security. Ben, it's good to have you back.
This was an article that came by from Forbes, from Thomas Brewster was the author here,
and it was titled, To Catch a Robber, the FBI Attempted an Unprecedented Grab for Google Location Data.
Describe to us what's going on here.
So this is a very interesting case.
The FBI was conducting an investigation into a number of robberies that took place in the Portland, Oregon area.
And they made what was an unprecedented request of Google, specifically for people who use Google Maps devices. And they
requested information, identifying information on all users of that software who were present
in the location of these robberies. And these are known as reverse location warrants. So it's just a
general authorization to identify everybody who was in a given area within reach of a cell tower
that could be identified. And I think they gave a radius of like three miles or something,
which is actually a relatively wide radius when you're talking about four separate locations
across the city of Portland. So the question, of course, is, is this constitutional, particularly the fact that there's no individualized
suspicion here? I mean, how could, when our Fourth Amendment requires a level of specificity,
the government obtain a warrant to just collect information on everybody? This is a question that
the Supreme Court has not answered. In fact, in the Carpenter case that came out this year, they explicitly declined to extend
their holding to these types of searches. So, you know, the FBI doesn't have particularly clear
guidance on this. In this case, Google, for whatever reason, whether they wanted to protect
their reputation or they weren't able to obtain the proper information, basically just never complied with the warrant,
eventually became a moot issue because the government was able to find the criminal suspect without the use of that reverse search. But I think we're going to find a situation in the future
where somebody is going to be convicted of a crime because they were encapsulated in a search.
And it's a very fundamental Fourth Amendment principle
that every search has to be supported by probable cause,
which has to be augmented with a level of specificity
that a particular person was in a particular location
committing a particular crime.
Even though you could make a case
that these searches are reasonable
to protect
public safety and that people are willingly sharing their location information to Google
a third party so they don't have a reasonable expectation of privacy in that information,
I think you're still going to have that concern of these sweeping warrants that will end up
capturing critical information from completely innocent
people. So I think it's definitely an issue we're going to have to look out for. This ended up not
being the case that would make it through our court system because the government was able to
obtain an arrest without this data. But we're going to have that case soon. And it's going to
be interesting to see how it turns out. Yeah, it's fascinating to me because on the face of it, as an armchair observer of these sorts of things, it's hard for me to
imagine someone going in this direction because it seems so, you know, you can't go in front of
a judge and say, hey, listen, the crime was committed here. I'd like to search the whole
neighborhood. Yeah, I mean, I think it runs
afoul of our most basic Fourth Amendment principles. That's actually what the ACLU
said about this case. Our Fourth Amendment comes from our heritage, our English heritage,
where its great scholars took great offense at the idea of general warrants, where the government
or the king without any sort of specificity would go into a person's
house and see what they could find. And, you know, that led to potential tyranny because you had
some sort of authority figure, not with any level of actual suspicion, doing their best to dig up
evidence of a crime. And that's sort of what this sounds like. I mean, it's obviously a different
iteration of it. But when we're talking about our most cherished Fourth Amendment principles, I mean, particularity when it comes to warrant applications is so incredibly fundamental.
I think is a valid argument.
You know, I still think it could be an unreasonable search and seizure.
And I think particularly because it runs afoul of our critical Fourth Amendment principles.
Yeah. All right. Well, time will tell. We'll see how it plays out.
It's interesting that, you know, that it's sort of inevitable that this is the kind of thing that we'll have to run through our legal system. I suppose that's the way it's supposed to work.
Absolutely.
I mean, I think this is on a collision course with the Supreme Court,
specifically since the court mentioned this issue
in the Carpenter case.
You know, it's obviously on their minds.
So, yeah, I mean, I think this is something
we have to follow closely.
All right.
Ben Yelin, thanks for joining us.
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.