CyberWire Daily - Mueller Report is out. Sea Turtle DNS-manipulation campaign. Over-privileged and under-honest apps kicked out of Google Play. Facebook has another privacy incident. Fraud and destruction.
Episode Date: April 18, 2019
The US Justice Department releases the redacted Mueller Report: investigators found no evidence sufficient to establish conspiracy or coordination between any US persons and the Russians over the 2016... campaign, but the Bears were busy. The Sea Turtle campaign sets a worrisome example of DNS manipulation. Sneaky apps booted from Google Play. Facebook apologizes again. Notre Dame fire fraud. Replication in cyber research. And an act of gratuitous computer destruction. Robert M. Lee from Dragos with a look back at the evolution of ICS technology. Guest is Nathan Katzenstein. He's got 20 years in IT, and offers his perspective on the job market as he finishes up his master's in cyber security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_18.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S. Justice Department releases the redacted Mueller report.
Investigators found no evidence sufficient to establish conspiracy or coordination
between any U.S. persons and the Russians over the 2016 campaign, but the Bears were busy.
The Sea Turtle campaign sets a worrisome example of DNS manipulation.
Sneaky apps have been booted from Google Play. Facebook apologizes, again. Notre Dame fire fraud,
replication in cyber research, and an act of gratuitous computer destruction.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 18, 2019.
The long-awaited and much-discussed Mueller report on Russian influence operations during the U.S. 2016 elections
was released in redacted form this morning.
At a pre-release press conference,
U.S. Attorney General Barr reviewed the report.
He said it established there was an effort
on the part of Russian intelligence services
to interfere in the U.S. elections,
but that no U.S. persons were found to have collaborated in that effort.
He declined one reporter's invitation to talk about the origins of the investigation,
which have themselves become controversial,
noting that such discussion was another matter
and lay outside the scope of what he was prepared to go into.
Attorney General Barr also explained the redactions.
There were four categories of material that were redacted.
These included, first, grand jury material whose redaction is required by law.
Second, material that might compromise intelligence sources and methods was redacted.
Third, and the Attorney General explained that this category accounted for most of the redactions,
was material whose release might impair other ongoing investigations or prosecutions.
And finally, information affecting the privacy and reputation of other persons not the subject of the investigation was also redacted.
The White House reviewed the redacted version of the report and declined to invoke executive privilege.
The Attorney General also said that a bipartisan group of members of Congress would receive an almost unredacted version.
The only material they wouldn't see would be that in the first category, grand jury material,
since disclosure of such information is restricted by law and its release doesn't lie in the discretion of the Justice Department.
A quick look at the report, and we stress that our look was quick, there being 448 pages in the report, reveals the following highlights, none of them unexpected. Quote, the Russian government
interfered in the 2016 presidential election in sweeping and systematic fashion, end quote.
Much of that information occurred
through leaks obtained by a Russian intelligence service and retailed through Guccifer 2.0 and
WikiLeaks, among other channels. There was also, the investigation concluded, a Russian social
media campaign designed to disparage the Clinton campaign and favor the Trump campaign. While the
Trump campaign thought it would benefit from the discreditable material released through Russian efforts,
the investigation did not establish that any members of the campaign
conspired or coordinated with the Russians.
And the Russian actors most often named will come as no surprise either.
They're the Internet Research Agency and the GRU.
With that, we'll leave the report with our editors for further close reading.
Researchers at Cisco Talos describe Sea Turtle, a state-directed espionage campaign that's
been active since early 2017.
Most of Sea Turtle's operations have been in the Middle East, and the campaign is noteworthy
for its sophisticated domain name system manipulation.
Cisco Talos divides the victims into two distinct groups.
The first group includes the targets proper,
energy organizations, defense establishments, and foreign ministries.
The second group are third parties used to reach the primary targets,
telcos, ISPs, and DNS registrars.
CrowdStrike and FireEye had earlier described aspects of this DNS manipulation
campaign. FireEye tentatively attributed it to Iran. The U.S. Department of Homeland Security
issued a warning about this activity in January. Cisco Talos finds the incident worrisome,
not so much in its immediate effects as in its realistic potential to undermine users' trust in the Internet as such.
The company includes a plea to put DNS as a whole off-limits to offensive cyber operations.
They don't make this comparison, but we will.
Making DNS a prohibited target would be analogous to the protection the laws of armed conflict place
around such essentially civilian and humanitarian facilities as hospitals, supplies of drinking water, and so on.
That's a commendable aspiration, but arriving at an international consensus to leave DNS alone would seem to be a long process.
It was difficult enough to get hospitals off target lists,
and there's an obviousness and immediacy about hospitals that DNS just doesn't have.
BuzzFeed reports that Google has booted six ad fraud apps from the Play Store.
The apps, thought to be a subset of a larger number of related applications engaged in similar dodgy behavior,
were not only engaged in ad fraud, but were also abusing user permissions in their collection of data.
Some of the Android apps were popular, notably a selfie app that had more than 50 million downloads.
The applications Google ejected from Play in this current round of expulsions
were produced by the Chinese company Du Group.
The apps asked for a lot of permissions and obscured the nature and destination of the information they would gain access to.
Cybersecurity offers employment opportunities for people with all sorts of backgrounds and work experiences. Some folks are fresh out of school while others are looking to move into
the field from another line of work. Nathan Katzenstein is a bit of a combination of both
of those things. He's got over 20 years of experience in IT, but decided it was time to
head back to school and earn a master's in cybersecurity.
He reached out to us and made the case that it's a path many are on these days, one worth sharing.
So we got him on the line.
I wanted to get into a market or into an area, a space where there was a new beginning and there was a lot more to grow.
But I didn't want to lose any of my background. I
wanted to leverage my experiences. So I felt that the cybersecurity area was an area that would
really fit well where I could bring my IT and management experiences and leverage that into
this field. And so what are your aspirations when you get your master's? So where do you hope it
takes you? So I have a background in the energy field.
I worked in the deregulated energy, electric and gas area for about 16 years.
And what I'm looking to do is to get into the critical infrastructure protection.
And what's your sense for the opportunities that may present themselves once you're out there looking for a job?
I know that it's tough to break into a new market, and I'm well aware of that. As we all know,
there seems to be a big gap in the skills and market in cybersecurity. I believe the
numbers I've read is that there are half a million jobs that are going unfulfilled.
I think maybe there's an artificial gap, perhaps.
You know, there's this joke about this man who's looking on the floor and some Good Samaritan
comes by and says, gee, what are you doing?
And he said, and the man says, I'm looking for my key.
So the Good Samaritan helps him look for the key.
And after a while, he says, well, where did you drop your key?
He said, oh, I dropped it across the street.
So the Good Samaritan says, why are we looking here?
He says, well, because here we have streetlights.
So I think what companies are looking for,
are they looking for a lot of requirements that maybe don't exist in the real world?
For example, you want an SQL programmer,
you want a database person, so you can say I'd like somebody with 10 years SQL experience,
I'd like a seven-year C-sharp programmer. But when you look at some of the requirements for
the cybersecurity jobs, when they're looking for individuals with 10 years of cybersecurity experience,
it's very hard to find because there aren't that many out there.
So I believe there's this artificial gap between the requirements, but there really aren't individuals out there who can answer the call.
Maybe looking outside the box, maybe you're looking for individuals that like math, for
example, or like to solve puzzles, because these are the types of people that can really solve cybersecurity issues for companies as well.
So what are your recommendations for folks who may feel as though they want to follow a similar path to you?
They want to maybe reach out to a different part of tech than they've been
in before or open up some new opportunities for themselves. What are your recommendations?
So my recommendations are not to be afraid. My recommendations are: look at the market,
see what area or what space you really want and what talks to you, and then go for it.
You know, it's never too late in your life.
There's no reason that you shouldn't go ahead and try to teach yourself new skills, whether you want to do it on your own, whether you want to go for some certification or if you
really want to get a master's degree.
There's no question.
Go ahead and do it.
I think there's a lot that the market has to offer.
And I think that anybody who really wants to get into it should grab it with two hands.
That's Nathan Katzenstein. He's finishing up his master's in cybersecurity this summer
at Utica College. Yesterday, Facebook acknowledged inadvertently uploading email
contacts of a million and a half users without the users' consent.
The social network regrets this, says the social network,
and it says it will remove contacts uploaded in connection with its now disabled email password verification feature.
The contacts may have found their way into data used to draw inferences for ad targeting and the people
you may know feature. Whether those inferences will also be removed is, The Guardian reports,
unknown. But Facebook regrets the whole matter and resolves to do better in the future.
ZeroFox sees a wave of opportunistic scamming conducted around the Notre Dame fire: ad fraud, direct fraud,
malware installation, and even stock fraud. Be concerned and feel free to give help,
but be skeptical and alert for the grifter's come-ons.
The Washington Post interviews Tyler Moore, a professor of cybersecurity and information assurance at the University of Tulsa, who sees problems with the conduct of cybersecurity research.
The issues apparently derive from how research uses data entangled with marketing.
The University of Tulsa study was interested in how one might determine such information
as frequency and severity of attacks, the efficacy of various security products,
and how well various defensive tactics, techniques, and procedures
worked. Marketing is more concerned with persuasion than it is with replication,
and much of the raw data that underlies or might underlie published research into these topics
is generally not readily available, and replication, of course, would need raw data.
And finally, a former student at the upstate New York College of St. Rose,
one Vishwanath Akuthota, has taken a guilty plea to charges that he destroyed 66 computers on the
college's campus by inserting a USB killer into each of them. USB killers are, as the name implies,
devices you insert into a USB port to overload a computer's surge protection.
Such devices are readily available and easily purchased.
We must ask, why?
Mr. Akuthota made videos of himself strolling around campus in February saying,
I'm going to kill this guy, and then doing so.
Guy, in this case, refers to a computer, not a human being.
He caused over $58,000 in damages,
and when sentenced will face up to 10 years in prison and a quarter of a million dollars in fines.
Given the video Mr. Akuthota took,
it seems safe to say that the FBI and the Albany Police Department
had little difficulty investigating the crime.
Mr. Akuthota's motive is unknown, at least to the general public.
Resentment? A sense of injured merit?
The libido ostentandi, which is how Cicero would have translated,
Hey, look at me, y'all!
We hear, by the way, that Cicero is all the rage in Silicon Valley these days.
Around Mountain View and Sunnyvale, they think he was this cool stoic.
The lulz?
Maybe.
As far as we can tell, it's just another acte gratuit.
Which is what Jean-Paul Sartre would have called just behaving like a jerk.
And I'm pleased to be joined once again by Robert M. Lee. He's the CEO at Dragos.
Rob, I wanted to take a little bit of a walk down memory lane with you. I wanted to
address how some of these industrial control systems worked in the days before computers.
How was the security handled and were things easier back then or harder or just different?
Yeah, I think it's fair to say that it was different. I see a lot of discussion now of almost trying to take us back of let's go more analog. And I'll come back
to that point and where there's good discussion happening, but also some concern. So industrial
control systems predate really computer systems. They predate IP based networks and internet and
DARPA and ARPANET. A lot of folks would hearken back to some of the early control systems,
and I think the classic textbook example is the water clock in Egypt. Obviously a long time ago.
But when we're talking about the modern control system, really we start seeing the 70s and 80s
as being the introduction of the modern-ish industrial control system.
And obviously at that time, we are still talking more computer-like systems, a system that is able to take an input and output
and actually have control over that in some mechanism.
But we're looking more at serial communications.
We're looking at analog devices.
We're looking at, even in some cases, manual control systems, and the ability to operate and control the plant, obviously with much more
manpower. The risk that has been associated with a lot of the industrial control systems today is in
their connectivity, but a lot of risk existed before that as well, and this is where I think
the balance is important. Go back to that initial comment I made, where I think it is fair that there's some really good work going on in the community,
like CCE, which is this idea of cyber-informed, consequence-driven engineering. And which is,
hey, I mean, it's far more complex than this, and Idaho National Labs has done a lot of good work
on this, but let me really simplify it to a basic statement, which is, hey, the process controller that's running our
valve to an important part of our infrastructure, or let's just say the
program logic controller that is involved in the safety of our system in a gas turbine facility,
should it also be able to run Microsoft Paint and PowerPoint? It's basically the argument which is, you
know, these common operating systems are coming on that can do a lot of different things. Do we
really want what's controlling a really important system to be a common operating platform? Can we
not do more design-driven, understanding that we can have purpose-built systems for some things,
or even in some rarer cases manual systems? Do we really need your safety
system talking to a domain controller? And I think that is a really good discussion happening,
and I think it's important. On the converse of that, though, I don't want it to swing too far
because our infrastructure has been modernized and is being modernized in a way that has added
to the overall value.
And it's not just a business value, but things like manual operations and I would say more
simple control systems dictated so much more human interaction.
And especially in environments that were like petrochemical or chemical manufacturing and
paper and pulp and others, there's loss of life and injuries that come from dealing with
highly dangerous type environments, and a lot of the automation that we went to and connectivity
that we went to was not only about driving business value but also driving safety. And so
the idea, and I see congressmen and politicians throw this out all the time now, oh well, if a
cyber attack happens we'll just go back to manual operations, and we'll do that because Ukraine did
that to recover. It's like, yeah, Ukraine had to do that to recover at a
couple of sites. You're not doing manual operations across multiple regions of the
power grid in the US if an attack happens. And you don't want to have to because you could really get
people hurt. And so from the memory trip, things look a lot better than they were, I think, from
a security aspect. But things were a lot worse than they are now in terms of safety and reliability. We've never had a more safe and reliable infrastructure
than we do today. And we need to allow security to complement that. And we need to have design
built systems and make sure we are making smart choices. But we got to strike that balance because
there are definite pros and cons and they matter in this world. Robert M. Lee, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly
evolving field, sign up for CyberWire
Pro. It'll save you time and
keep you informed. Listen for us on
your Alexa smart speaker, too.
The CyberWire podcast is proudly
produced in Maryland out of the startup studios of
DataTribe, where they're co-building the next
generation of cybersecurity teams and
technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett
Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave
Bittner.
Thanks for listening.
We'll see you back here tomorrow.