CyberWire Daily - Power grid threats coming through the router. Cambridge Analytica and Facebook face tough questions.
Episode Date: March 20, 2018
In today's podcast, we hear that ICS experts continue to warn of grid vulnerability to hacking. AMD chip flaws called real, but not very serious. Cambridge Analytica under investigation in the UK. Facebook tries without much success so far to disentangle itself from Cambridge Analytica's use of Facebook data. President Putin wins reelection amid accusations of voting fraud. Former French President Sarkozy is in police custody over Libyan campaign contributions. (The Libyans want their money back, too.) Chris Poulin from BAH on malware evolution. Guest is Patrick Craven from the Center for Cyber Safety and Education, a nonprofit that has scholarships available. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
ICS experts continue to warn of grid vulnerability to hacking.
AMD chip flaws are called real, but not very serious.
Cambridge Analytica is under
investigation in the UK. Facebook tries without much success so far to disentangle itself from
Cambridge Analytica's use of Facebook data. President Putin wins re-election amid accusations
of voting fraud. Former French President Sarkozy is in police custody over Libyan campaign
contributions. The Libyans want their money back, too.
I'm Dave Bittner with your CyberWire summary for Tuesday, March 20, 2018.
ICS security experts take the occasion of U.S. government warnings
that Russian cyber operators are working against the U.S. power grid
to reiterate their own warnings. Electrical generation and distribution systems remain
dangerously vulnerable to attacks that could, in the worst case, induce catastrophic failure.
Cylance has determined that one of the ways attackers are getting access to utilities'
networks is through compromised Cisco routers.
They call out the Dragonfly group as one of the threat actors involved with this particular attack vector.
Dragonfly is widely believed to be a Russian government group.
There's an emerging consensus on the AMD chip vulnerabilities that CTS Labs reported
last week.
Other researchers have looked at them and concluded that, while real,
they don't really represent the sort of serious threats CTS said they did. Security firm Check Point,
among the third parties who verified the vulnerabilities, is also among those who
disagree with CTS Labs' hair-trigger, detail-redacted disclosure, which Check Point calls
very irresponsible.
Those who thought Fusion GPS might represent the nadir of political consulting will be interested to see the further depths Cambridge Analytica is alleged by many media outlets
to have plumbed.
The London-based firm is reported to have at least discussed using sparrows, honey traps,
to compromise political targets.
It also obtained data on some 50 million Facebook users.
Cambridge Analytica categorically denies accusations of blackmail and improper use of data,
although the company does at the very least seem to have engaged in some really indiscreet woofing.
Ukrainian women are the best at entrapping men, things like that.
Cambridge Analytica also says it questioned its clients closely about the ethical and legal dimensions
of the work that Cambridge Analytica was asked to undertake. To borrow from the exchange between
Hotspur and Owen Glendower in Henry IV, Part 1: why sure, you can question them. So can I. So can anyone.
But when they answer, what will you do with their replies?
Anywho, give them the benefit of the doubt, at least for the few remaining hours,
until the Information Commissioner's Office gets a warrant to toss their place of business.
But between the Steele dossier served up piping hot by Fusion GPS and the amazingly sleazy operational notions reported
in the Cambridge Analytica affair, there seemed to be some remarkably creepy imaginations
sloshing around in Greater London.
And those imaginations appear to have found an eager American market, because, hey, if
that don't fetch them, then I don't know Arkansas.
Cambridge Analytica's connection with Facebook has been very bad for Facebook,
whose stock price was hammered in the market yesterday.
The social media giant has booted the London analytics firm from its services.
Facebook has insisted, correctly, that the problem isn't a data breach.
It's an issue they became aware of, at least in part, as far back as 2015,
and took some steps to distance
themselves from.
This isn't a trivial verbal distinction.
Were the incident a data breach, Facebook would have found itself subject to various
disclosure rules.
Observers agree that it wasn't a data breach.
Facebook wasn't hacked, nor were the data it held stolen or exposed in any of the usual
ways.
But most observers seem to think that what happened was worse than a simple breach.
The data wasn't, as Motherboard puts it, a bug, but a feature.
In its own defense, Facebook essentially said that Cambridge Analytica used data in ways it shouldn't.
TechCrunch offered a useful gloss of the defense in the form of what it called a simplified timeline.
First, Facebook deliberately allows developers to collect a bunch of data from users who authorize it plus a bunch of their friends.
But developers have to promise they won't use it in certain ways.
Second, shady people take advantage of this choice and collect as much data as possible for use off the Facebook network
in ways Facebook
can't predict or control. Third, Facebook fails to predict or control use of the data it released
and fails to protect users who never even knew their data had been released. As TechCrunch sums
up at the end, Facebook monetized data customers gave it and released that data on the honor system.
Facebook has retained Stroz Friedberg auditors to help mop up issues surrounding data use.
Facebook's CISO Alex Stamos, rumored to be at loggerheads with colleagues over his push
to investigate Russian trolling, will apparently not leave the company, as many outlets had
reported, but he has said that his role will change.
He tweeted, quote, I'm currently spending more time exploring emerging security risks
and working on election security, end quote.
Stamos has been through an incident or two.
He joined Facebook from Yahoo in 2015.
He departed Yahoo over a proposed program to scan incoming email on behalf of government
agencies.
In addition to commercial, government, and educational institutions,
cybersecurity supports a thriving nonprofit sector.
The Center for Cyber Safety and Education is one of those nonprofits,
and Patrick Craven directs that organization.
We're a nonprofit that tries to work globally to teach people about how to be safe on the internet.
We do research on cybersecurity, the industry, as well as scholarships that we provide financial aid
to young people who are trying to advance or enter into the career of information and cybersecurity. Those are our three big areas
that we focus on. So let's talk some about the scholarships there. We have a lot of students
who listen to our show. What sorts of opportunities do you have? We provide scholarships for
information, cybersecurity in a broad sense. Those who are studying that, we offer scholarships specifically for women. We
offer them for undergrad, for graduates, for veterans. We have a variety of different ways
that we try to break it out. In just our seven years that we've been in existence, we've awarded
over a million dollars in financial aid. We did nearly $200,000 last year, and we're accepting applications right now for the 2018 one, and that'll be closing up in the next few weeks.
We certainly hear about this skills gap and the number of open positions that are available.
What part do you see your organization playing in helping to try to close that gap?
Well, it's kind of interesting when you bring up the gap.
That is actually, as I said, research is one of the things that we do.
That was our research.
We conduct the Global Information Security Workforce Study every couple of years.
And we surveyed nearly 20,000 cybersecurity professionals in 170 countries.
Far as we know, it's the biggest study ever done on it. And we look into those kinds of things, salaries and trends. And those are one of the
things that we've indicated. And we did in the research was finding out what are hiring trends,
where people see in their companies that they need to do. And that's where we were able to calculate out that
over the next five years, there's going to be a shortage of about 1.8 million is the number that
we came up with of those in information and cybersecurity. So for the college audience,
for the young people that are listening, even high school kids, here's a career that you definitely
want to take a look at. You're talking 100% employment
with really good salaries. It's definitely something to consider. And so we've got this gap.
And one of the things that we're trying to do is just encourage people, encourage young people,
even us old people, you know, maybe a career change opportunity to look into cybersecurity is a field of study.
And so we're promoting it, but then we also do the scholarships as a way to help.
We all know college is getting so expensive.
Coming out with, you know, hundreds of thousands of dollars in debt is not what we want to be doing.
And so we're trying to do our part to help encourage people to study it and to be able to afford to enter the field.
That's Patrick Craven from the Center for Cyber Safety and Education.
One thing that caught our eye on their website is they have the rights to use Garfield the Cat in some of their educational programs.
Check it out.
You can learn more about their scholarship opportunities on their website.
Presidents, ex-presidents, and aspiring prime ministers
have had a mixed week.
President Putin is having a good week,
winning a real squeaker of an election
in which he brought home only about three-quarters of the vote.
Former French President Nicolas Sarkozy is in police custody.
He's being questioned on suspicion of having accepted foreign money,
specifically around 50 million euros from late Libyan ruler Muammar Gaddafi,
in support of Sarkozy's 2007 campaign.
This would violate at least two provisions of French election law,
accepting foreign support and exceeding spending limits.
50 million in Libyan euros would have been more than twice the 2007 limit of 21 million euros.
Gaddafi's son and heir has been demanding his money back since 2011.
In the UK, Labour leader Jeremy Corbyn is rumoured to be in trouble with his own party.
Labour's front bench is said to be fed up with their leader, particularly over his tepid response to the nerve agent attacks in Salisbury
that many feel made him look both reflexively anti-Western
and a reliable Russian stooge.
His Lenin cap has also aroused controversy,
with Labour insisting it's not really a Lenin cap
and shouldn't be made to look more like a Lenin cap in news photos
than it already does.
But the need to offer even this defense has been accepted with ill grace.
Besides, Russia's not really communist anymore.
Let's get up to speed, Mr. Corbyn.
If you'd like a change of headgear, this Baltimore company will happily send you a Red Sox cap.
Finally, we are shocked, shocked to hear that President Putin's re-election may have
been aided by ballot stuffing, especially because ballot stuffing seemed in this case hardly
necessary, even more unnecessary than Richard Nixon's itch to send burglars into the Watergate,
as if he needed that to beat George McGovern. Still, if the Russians voted early and often,
give Vladimir Vladimirovich credit for going that extra mile.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning
with purpose, and showing the world what AI was meant to be. Let's create the agent-first future
together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Chris Poulin.
He's the Director of Connected Product Security at Booz Allen Hamilton.
Chris, welcome back.
We wanted to touch today on some of the evolution of some of these bits of malware,
things like Mirai that were being used as botnets for things like DDoS,
but they're evolving now.
Yeah, that's right.
In fact, one of the variants that presumably uses some of the same source code of Mirai
and takes over control of consumer-based IoT devices is now being used to mine cryptocurrency.
So a little bit, my take on it is we're seeing the threat actors actually trying different tactics to use the same tool.
And it almost feels like way back in the 90s when there were viruses which would do something mischievous,
like put up a little message that says,
you know, the I love you virus,
or there's one that said you're a big, dumb, stupid head
or something like that.
It didn't do anything destructive,
but you could tell they were sort of testing
what they could do with viruses,
but also presumably the infection rate.
And so I think we're seeing the same thing with Mirai,
where it's sort of going from something that was a little bit more destructive with DDoS capability to something that's a little bit more lucrative on the financial side, which is cryptocurrency mining.
And so the question is, what's next for these kind of botnets?
So what's the end game?
And I hate predictions because they're usually wrong and everybody feels compelled to give you them. But, you know, I can see that if we look to the past to inform the future, it's quite possible that Mirai or one of its descendants will start to attack more enterprise connected devices,
so go for things that have higher power and maybe use those for crypto mining. In fact, there was an
interesting article.
I don't know if you saw it.
There were people who own Teslas who were putting crypto mining rigs
in the trunks of their car
and then using the power of the supercharger stations
to mine it because it takes an enormous amount of energy.
So I hadn't seen, no, I didn't.
I hadn't seen the electricity angle on that,
but that's fascinating and sadly unsurprising.
Yeah.
Well, you know, it annoys me because I'm a Tesla owner.
And so that basically erodes my ability to use the resource that I've already paid for.
But I think that, you know, when you start looking at enterprises, they've got access to a lot more electrical power, presumably a lot more compute power.
So I wouldn't be surprised if Mirai or something similar were to start to attack enterprises and also cloud computing
environments, you know, particularly when you combine recent AWS configuration vulnerabilities
that we've seen where the users have not properly locked down their AWS instances.
You know, something you and I have touched on before when it comes to these devices and
the botnets taking advantage of them is how quite often the operators of the devices,
the owners of the devices don't know that the device is doing this dual duty, you know,
a camera still taking pictures while it's doing its DDoSing or its crypto mining. It strikes me as a bit surprising that in the crypto mining case
that these folks tend to overstay their welcome.
They try to use up all of the processing power
rather than staying below the radar
and sort of dialing in a lower amount of use
that perhaps wouldn't be noticed.
Yes, well, I think that works on the consumer side, because if you think about it, most consumers
don't know why things don't work half the time.
And, you know, when in doubt, power out, and then the systems come back and they work again
until they get reinfected.
Because a lot of these things are not persistent because they're IoT devices.
It depends.
And so I think that it would not work in an enterprise environment because there's, hopefully, there's more people that are actual security admins who are looking at this stuff through things like SIEMs, et cetera, et cetera.
So as long as you've got proper logging and event management and you've got eyeballs on screen, or at least some good analytics that will raise alerts, presumably using up all the compute power would be pretty obvious
and not to the attacker's long-term benefit.
I see.
All right, Chris Poulin, as always, thanks for joining us.
Thank you.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
Thank you. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
Thanks for listening. We'll see you back here tomorrow.