CyberWire Daily - More action against Iranian influence operations. Tehran's cyberespionage against universities. Counter-value targeting in cyber deterrence. Sino-Australian trade war? Law and order.
Episode Date: August 24, 2018. In today's podcast, we hear that Google has put the cats out. Secureworks describes an Iranian cyberespionage campaign targeting universities. That DNC phishing campaign is confirmed to be a false alarm caused by a Michigan misstep, but almost fifteen million voter records appear to have been inadvertently exposed in Texas. The US tells Russia to knock off the influence operations, and some suggest a counter-value deterrent strategy to tame the Bears. China warns Australia its new government will face trade retaliation for banning ZTE and Huawei. Reality Winner gets five years, and two Minnesota lawyers go away, too. Ben Yelin from UMD CHHS on attempts by the State Department to establish international norms of behavior for cyber. Guest is Theresa Payton from Fortalice Solutions, addressing hype vs reality when it comes to blockchain, AI, and the IoT. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_24.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Google puts the cats out.
SecureWorks describes an Iranian cyber espionage campaign targeting universities.
That DNC phishing campaign is confirmed to be a false alarm caused by a Michigan misstep,
but almost 15 million voter records appear to have been inadvertently exposed in Texas.
The U.S. tells Russia to knock off the influence operations,
and some suggest a counter-value deterrence strategy to tame the bears.
China warns Australia its new government will face
trade retaliation for banning ZTE and Huawei. Reality Winner gets five years,
and two Minnesota lawyers go away, too.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 24th, 2018.
FireEye said that YouTube was infested with Iranian front accounts, and yesterday Google took action to terminate dozens of them.
They were channels for the Islamic Republic of Iran Broadcasting, the state-run media outlet that's been under U.S. sanctions since 2013.
The YouTube channels have been fronting for Tehran since at least January 2017.
Google stopped 39 video channels on YouTube, six accounts on its Blogger platform,
and 13 accounts on Google+. All of them were connected to the Islamic Republic of Iran Broadcasting service.
The YouTube channels had 13,466 views of the inauthentic videos, according to Google.
Iran, like Russia, has said it didn't do nothing.
It is, a member of Iran's UN delegation said,
a nonsensical accusation to say the Islamic Republic is conducting an organized campaign of propaganda.
Iranian facility with information operations predates the Islamic Revolution itself.
It's worth recalling the role cassette tapes bearing the Ayatollah Khomeini's sermons played in the uprising that deposed the Shah.
There have also been long-running Iranian espionage operations.
The SecureWorks Counter Threat Unit this morning reported its discovery of one of them
by the threat actor they call Cobalt Dickens.
It's an extensive Iranian credential-stealing campaign
that targeted universities across 16 domains with more than 300 spoofed pages in 14 countries.
Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom,
and the United States were among the countries whose universities were prospected.
SecureWorks notes two things about target selection. First, universities can generate
interesting intellectual property and technology that would be attractive to an espionage service.
And second, universities are relatively soft targets,
much more poorly protected than most sectors
that would be of comparable interest.
This week's takedowns by Microsoft, Facebook, Twitter, and Google
suggest that screening for authenticity,
that is, determining that the people who post the content
are who they say they are, at least more or less,
may be a more promising
approach to some of the more troubling forms of influence operations than are more aggressive
attempts to screen for content, trustworthiness, appropriateness, and so on. These have aroused
concerns about freedom of speech and about the potentially monopolistic power of big tech.
Winkling out the inauthentic seems on the face of it less problematic.
The Democratic Party confirmed that its phishing false alarm was produced by overzealous,
ill-conducted red-teaming by the party's Michigan wing. Again, realistic training and evaluation
are good things, but they have to be properly coordinated. Don't just freelance this stuff.
Another election security own goal was reported late yesterday in Texas,
where nearly 15 million voter records were found in an exposed server by a New Zealand breach hunter
who goes by the nom-de-hack Flash Gordon. It's so far unknown who mishandled the data,
but misconfiguration hunters at security firm UpGuard suggest,
on the basis of quick preliminary and circumstantial evidence,
that it may have been the Republican-leaning firm DataTrust.
UpGuard notes that it found a similar exposure at the company DeepRoot Analytics,
which sourced much of its information from DataTrust.
U.S. National Security Advisor Bolton is calling for Russia
to knock off its attempts to influence U.S. elections. Coincidentally or not, an Atlantic
Council think piece reminds everyone of the Panama Papers and suggests that if you want to deter
Russian cyber operations, a sound counter-value retaliatory strategy would be to go after the oligarch's bank accounts.
The Panama Papers were the take of a 2016 incident
in which the hack of a law firm that specialized in offshore financial transactions
revealed information about the ways in which influential wealthy Russians were moving money around.
A St. Petersburg cellist, one Sergei Roldugin, was noted to have received more than $2 billion from the Russian government and various oligarchs.
Mr. Roldugin is a childhood friend of this guy Vladimir Putin, and he's widely believed to have been holding the swag for his old buddy.
Offshore money, anonymous offshore money, the Atlantic Council argues, is vital to President Putin's hold on power.
If it were no longer safe, even if it were no longer anonymous,
that would be a serious matter,
and one the Russian government would be more likely to take seriously
than it would, say, some sanctions that cost a lot of little people their jobs and livelihoods.
Not all Russian trolling is aimed at election influence.
A great deal of it is devoted to inciting mistrust and fomenting misery.
A good example going on now may be seen in Russian social media accounts
systematically flacking anti-vaccine conspiracy theories,
especially the claim that measles, mumps and rubella vaccine causes autism.
Among the crueler impostures on offer from Moscow and St. Petersburg
is a false story that the vaccine left three-quarters of a Mexican village's children
either dead or hospitalized.
China promises trade retaliation against Australia
for excluding Huawei and ZTE from its coming national 5G network.
Such retaliation will be a new government's problem.
Malcolm Turnbull is out as Australia's Prime Minister,
replaced by his ally Scott Morrison in a Liberal Party vote.
The decision to keep the Chinese manufacturers' devices out of the new network
was prompted by security concerns.
NSA alumna and leaker Reality Winner was sentenced to five years in a federal prison yesterday.
She had entered a guilty plea to charges related to leaking highly classified material to a news outlet. That outlet wasn't named in the charging documents, but it's widely and credibly believed
to be The Intercept. The sentence of five years
and change is believed to be the stiffest one a U.S. court has ever handed down in a case of
leaking to journalists. At her sentencing, Ms. Winner said she accepted responsibility for,
quote, an undeniable mistake that I made, end quote. She went on to tell the judge,
I would like to apologize profusely for my actions,
which she characterized as a cruel betrayal of my nation's trust in me.
Ms. Winner, you will recall, was identified quickly by federal investigators
on the basis of dots in the printed copy of the document she passed to The Intercept,
which showed them to intelligence officers in an attempt to corroborate their authenticity.
The dots led to the printer, and the network logs led to Ms. Winner.
And finally, two creeps in Minneapolis, both lawyers, it's sad to say, have copped guilty pleas related to adult content creation and extortion. They made adult video nasties,
put them up on various BitTorrent sites, noted who downloaded them, and then sent an extortion demand to those whose curiosity got the better of them.
Pay $3,000 or be humiliated in court.
The two created shell companies to operate as copyright plaintiffs.
The miscreants, may their names live in infamy and infamy only, are Paul Hansmeier and John Steele,
both now disbarred and awaiting sentencing.
And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at
the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We had a
story come by from CyberScoop. The title was
The Latest Attempt by the State Department to Set Behavior Norms, written by Sean Lyngaas.
What's going on here? What's the State Department trying to accomplish?
So Congress, basically dating back to the last couple of years of the Obama administration,
has been very concerned that we don't have an international strategy to avoid the type of cyber attacks that have plagued us in the past few years,
specifically some of the high-profile ones. In the private sector, we had Equifax.
In the public sector, we had the Office of Personnel Management within the federal government.
So the Trump administration has proposed a broader set of consequences that the government can impose on adversaries to ward off cyber attacks.
This is a document that was unclassified recently, and it calls for the U.S. to work with our allies to inflict swift, costly and transparent consequences on those governments that use significant malicious cyber activity to harm U.S. interests. Part of that is
clearly identifying the malicious activity that exists that we're seeking to deter. And part of
it is developing a separate strategy for each of our cyber adversaries. So we're going to have to
take a different approach when it comes to Chinese hackers versus Russian hackers or North Korea.
And I think it'll take a specific set of objectives to deal with each of those threats. One thing that's worth noting is that even though
this directive has been written by the State Department, there's still a major leadership void
in terms of our diplomatic efforts on cybersecurity. The department has been without a cybersecurity
coordinator for 10 months. The deputy assistant secretary has been serving as the top diplomat,
but this is a confirmable position in the United States Senate. The president has been behind on
state department nominations basically since his inauguration. And without the sort of strong
leadership that comes from a department head, I think not only will the report have less teeth
because it's not going to be backed by the full weight and force of the department, but it sends
a signal to our allies that it's not necessarily a priority for us. I think that's very concerning.
Yeah, I was going to ask, you know, how much of this is simply putting
our potential adversaries on notice of saying, rather than necessarily having teeth behind it,
saying, hey, you know, we've got our eyes on you. Yeah, I mean, I think that's a huge part of it.
And obviously acknowledging the problem is the first step. And that's another instance,
I think we've talked about this in the past, where the Trump administration separates a little bit from Trump himself, who, even though he, under his administration, has formulated a pretty cohesive cybersecurity strategy, the president himself often undermines it by, for example, dismissing Russia's electronic interference with our 2016 presidential election.
So yeah, I mean, it's a way of putting our adversaries on notice that we're focusing on the problem. And it's an olive branch to our
allies that we're willing to work with them to root out these threats. But it is just a statement
of policy. And, you know, without strong leadership, it's going to remain simply
a document in the State Department and not something that's really changed our international
efforts. And a noticeably understaffed State Department at that. Absolutely. And I would
note this is not the only department within the Department of State that's understaffed. I think
certainly diplomatic outposts have been ravaged since the early days of this administration. We've lost a lot of our top diplomats, and this is
a particularly tough area to be without leadership because it's such an emerging threat. We've seen
the consequences of malicious foreign actors instituting cyber attacks within the United
States. So I think leadership is needed now more than ever. All right. Ben Yelin, thanks for
joining us.
My guest today is Theresa Payton. She's CEO at Fortalice Solutions,
a cybersecurity consulting company, and co-founder of Dark Cubed, a cybersecurity product company.
She's a former White House CIO and was recently featured on the CBS television series,
Hunted. She's also one of the keynote speakers at the upcoming 2018 (ISC)² Security Congress,
which is taking place October 8th through the 10th in New Orleans.
CyberWire is proud to be a media sponsor of that event.
With all technology, whether it's new inventions in the Internet of Things,
artificial intelligence, machine learning, and blockchain,
they're really revolutionizing how we conduct business,
but they're not 100% fail-safe.
And really, it's going to be up to businesses and the user to trust but verify.
And it's going to be up to the security community to really come up with the right designs
to design for the layman.
And that is something really missing right now.
And it strikes me that some of these things, as they grow in popularity,
things like blockchain, cryptocurrency, certainly artificial intelligence, they kind of become the flavor of the month and there's a cluster
of activity around them. And I can't help but wondering if we do people a disservice
with all of the hype that they generate. I love the kind of saying of, is it hype or reality?
And so, for example, there are Internet of Things tea kettles out there. And an Internet of Things tea kettle
was looked at by security researchers. They took it into a corporation, they set it up,
and who doesn't love a really great cup of tea? The way the tea kettle works is it's connected
to the Wi-Fi and you can actually on an app in your phone tell the tea kettle you're on your
way into work and it'll boil the water so that you can brew a perfect cup of tea and it won't burn out and it won't overboil.
So it's like the perfect situation. But this Internet of Things tea kettle, it grabbed the
corporate key to the network in order to authenticate. And when the security researchers
set up a rogue Wi-Fi hotspot,
the chatty little tea kettle actually gave up the corporate access to the network.
So that's an example where from a hype perspective, we're integrating these newer technologies
everywhere within corporate infrastructure, not really thinking about it. Who would think a tea
kettle would be the weak link into getting
into your company? We're so focused on the human clicking on links, and we're forgetting about the
tea kettles and the thermostats and the security access to a building. So what are your recommendations
for organizations to get their handle on this, to avoid the hype and to be able to get messages
that are based in reality? This is a really great question.
And so, for example, one of the things I would ask a company to be thinking about is,
as you integrate these new technologies, how do you segregate out those assets that matter to you the most?
Maybe it's your intellectual property.
Maybe you're doing mergers and acquisitions due diligence.
It could be customer data, healthcare data, whatever it is that's really those digital assets that are so important to you.
How are you going to safeguard them or cordon them off from these newer technologies that you have to integrate,
but at the same time, we all know the security is not where it needs to be. And so if you think about a design where you say logically and physically, I'm not going to allow a tea kettle to be the way that cyber criminals access these important digital assets.
So as you look at the landscape of where we are today when it comes to cybersecurity, is there anything that you feel isn't getting the attention
that it deserves? Anything that we're missing? Well, I do believe that with artificial intelligence,
machine learning, and blockchain, all of these still in the infancy to help with security,
but they really will be game changers. But artificial intelligence and machine learning
is already giving us some
promises. So it's moving from hype to actual reality. So one of the things that we're seeing
is you can actually baseline your network traffic. You can baseline all of your user access. And then
you can use artificial intelligence and machine learning to show you those anomalies. Because right now in security
operation centers, over 70% of the alerts that come in are false alarms. So how do we reduce
the false alarms so you don't miss the needle in the haystack? So there are some promises here
where we're moving from that hype to reality, but blockchain is still incredibly complex and expensive to implement. And artificial
intelligence is only as good as the engineer and the requirements that you gave to the engineer.
Do you have any advice for those folks who are on the sales side of things to avoid the hype,
to earn the respect of the people they're trying to sell to? What should their approach be?
First of all, study. Really look at what's going on in the marketplace, who's really using these newer technologies, and make the use case. And so relate what you see as far as the early adopters
of this technology to the person you're talking to. So for example, when you look at blockchain,
the majority of blockchain implementations have been in the financial services industry as far as anything outside cryptocurrency. So the question is, if you're sitting with a manufacturer,
how do you relate those use cases and the user scenarios to manufacturing? How do you translate that? How do you calculate ROI?
It's still so new. How do you say, well, blockchain's just better, and that's your ROI.
How do you calculate that? Same thing with artificial intelligence and machine learning.
There's really a buyer beware in my mind. So one of the things that I've seen is on the customer service side, lots of companies have moved towards customer service run by AI chatbots.
And their customers love it.
They don't know it's not a human being.
But what they do notice is that these AI chatbots, they're never grumpy.
They always have a good day.
And they always have the answer. But if companies don't have a trust but verify to figure out, well, how is it that these chatbots always have the answer? One company that we work
with was surprised to learn when we asked that question, so they did their inspection,
that the AI chatbots were actually escalating each other's privileges because the engineer
had been told, we want the chatbots to be self-learning,
contextually aware, always have the answer, to not have the customer insist on talking to a human
being or going to a brick and mortar. And so it's all about effectiveness, efficiency, and customer
delight. No one ever mentioned, oh, don't forget, we really need to follow user access controls.
And so what we found was these chatbots all had super user access.
It just takes one chatbot to be compromised, and the next thing you know, you're getting your customer data stolen right out from under your nose.
Our thanks to Theresa Payton from Fortalice for joining us.
Once again, she'll be one of the keynote speakers
of the 2018 (ISC)² Security Congress
that's taking place October 8th through the 10th in New Orleans.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.