CyberWire Daily - Qbot spreads. Bug hunting makes a millionaire. US Cyber Command shows what “persistent engagement” looks like. Huawei agonistes. There’s no Momo, really.
Episode Date: March 1, 2019
Qbot infections are spreading. The bounty-hunting gig economy apparently has its first millionaire. Observers are liking what they see in US Cyber Command’s “persistent engagement.” Canada mulls the extradition of Huawei’s CFO to the US. The US continues to call Huawei a security risk, and Huawei has some things to say back. The Momo Challenge is a viral online craze, but not the way you may have heard. Awais Rashid from Bristol University with thoughts on edge computing. Guest is Dr. Dena Haritos Tsamitis from Carnegie Mellon University on improving the culture of infosec, as well as her thoughts on the upcoming RSA conference. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_01.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Qbot infections are spreading.
The bounty-hunting gig economy apparently has its first millionaire.
Observers are liking what they see in U.S. Cyber Command's persistent engagement.
Canada mulls the extradition of Huawei's CFO to the U.S.
The U.S. continues to call Huawei a security risk, and Huawei has some things to say back.
Dr. Dena Haritos Tsamitis from Carnegie Mellon joins us to talk culture and what she's looking
forward to at next week's RSA conference.
And the Momo Challenge is a viral online craze, but not the way you may have heard.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 1st, 2019.
Researchers at security firm Varonis are describing a major campaign to distribute Qbot banking malware.
Qbot is polymorphic and has evolved continuously since its discovery in 2009.
Varonis says thousands of machines are now under Qbot's control. They've determined through observation of Qbot's command and control server that infections have been found in Europe, Asia, and South America, and that U.S. corporations have come in for particular attention.
Bug hunters may be viewed as the gig economy portion of the cybersecurity sector.
Both HackerOne and Bugcrowd have reports out on the subsector,
and they say, understandably since they're in the business, that the sector is a healthy one,
with bug hunters and bug bounty programs finding one another. One of the bug hunters associated with HackerOne has now earned more than a million dollars since he signed up with HackerOne in 2015.
Santiago Lopez, 19 years old, self-taught, and a native of Argentina,
earned his bounties by finding 1,670 unique bugs in various products.
Congratulations to him.
We wonder what Mr. Lopez's success, however,
in finding flaws in software written by or for some very wealthy companies
says about compensation in that gig economy.
U.S. Cyber Command's action against Russian troll farms
during the U.S. midterm election cycle
has been receiving generally favorable reviews,
with the Atlantic Council's Jason Healey
offering a particularly enthusiastic one in The Cipher Brief.
It was, Healey says, a specific operation
to stop a specific adversary
from carrying out a particular operation. It wasn't deterrence and it wasn't signaling.
It was, he writes, more like blocking a punch. An op-ed in Lawfare by Ben Buchanan sees the
Cyber Command operation as giving some concrete form to what policymakers have called a strategy of persistent
engagement and makes the case to policymakers that Cyber Command has something to offer.
Buchanan concludes by writing, quote, in this sense the operation might have more of a long-term
impact in the United States than it did in Russia. Clarifying the art of the possible
might be the operation's real lasting success.
Canada has just decided to proceed with an extradition hearing for Meng Wanzhou, Huawei's CFO.
She's currently being detained in Vancouver,
where a Canadian court will decide whether she's to be extradited to the US,
where she will face charges related to money laundering and sanctions evasion.
There's been no decision yet, but observers think it fairly likely
that she'll eventually be turned over to American authorities.
The U.S. shows no disposition to relent on its view of Huawei as a security threat.
Secretary of State Pompeo is in Manila, and he's urging the Philippines in particular,
because after all, he's in Manila, and the world as a whole should keep its eyes wide open about
the security problem having Chinese gear in their infrastructure presents. Huawei has been defending
itself on two fronts, with a mixture of sharp and soothing words. First is the legal front.
The company has entered pleas of not
guilty to U.S. charges of industrial espionage. And it's also saying that CFO Meng did nothing,
nothing we tell you. Second, in response to U.S. and Australian insistence that its devices
represent a security risk, it continues to deny vigorously that it effectively operates as an arm
of Chinese intelligence services.
The honeyed words come with the company's expressions of willingness to submit to collaborative vetting of its hardware with governments,
mostly in Europe and the Five Eyes, who wish to see such reassurance.
The sharper words come, as they so often do, in the form of tu quoque.
The "you did it too" and "you're another," "bounces off me and sticks to you"
in this case comes courtesy of Huawei's rotating chairman,
Guo Ping.
What about all that US NSA and Cyber Command stuff
we keep hearing about?
Huh?
What about that?
You're spying too.
He cites some of Mr. Snowden's reports
as the basis for his complaint
and goes so far as to point out that maybe the U.S. intelligence community
has its nose out of joint because Huawei won't oblige them
by putting U.S. backdoors into its equipment.
And besides, Chairman Guo says,
all this U.S. woofing is really about competition, not security.
The Americans, he says, know they're being out-competed and they don't like it.
In his words, quote, the global campaign against Huawei has little to do with security and
everything to do with America's desire to suppress a rising technological competitor, end quote.
Finally, consider the Momo challenge we've been hearing about, the one that's supposed to be
inducing teens, tweens, and even younger internet users to harm themselves. It's a real enough instance of a widespread,
virally spread belief mania, but not in the way it seemed. Here's the claim. There are embedded
video clips, illustrated by the big eyes, distorted face of Momo, that have been inserted into
otherwise innocent YouTube videos.
Those embedded clips are said to challenge young people to harm themselves in progressively more
dangerous ways, up to the point of suicide. And they're said to show them ways of carrying out
their self-destruction. YouTube makes the right noises about taking children's safety seriously,
but says it can't find any of the things people say
they found. The Washington Post, Naked Security, and others have been looking for the videos,
and they can't find them either. Naked Security calls the Momo Challenge a modern equivalent of
a campfire-side horror story. It was discussed last summer as a haunted WhatsApp account that
featured Momo's picture.
It resurfaced in an English Facebook group a couple of weeks ago
and rapidly entered public discourse over there as part of a larger discussion of content moderation
fueled by Parliament's release of a report on fake news.
So there's really no Momo challenge,
and no one's been able to find the victims who are said to have died taking it.
The mania, then, isn't a viral craze to follow Momo,
but a viral craze of fear
that children are going to hurt themselves.
Everyone can, we think, agree
that suicide prevention is a serious and important matter,
and who wouldn't want to protect children?
But there are enough real things to worry about
without the scary stories.
So, no Momo, and if you're warned about it in your Facebook group
or via the email list you're on,
tell people there's no epidemic of meme-driven suicide.
There's enough online foolishness without creating more of it.
And I'm pleased to be joined once again by Professor Awais Rashid.
He's a professor of cybersecurity at University of Bristol.
Awais, it's great to have you back. We wanted to touch today on edge computing and some of the security challenges there.
Can we start off with just a description? What are we talking about when we say edge computing?
So edge computing, I suppose, is an extension of the Internet of Things world.
We think of deploying a range of wireless sensors and actuators that can work in remote locations
and provide all sorts of information back often through the cloud, but equally may be able to
impact the surrounding environment.
A good example of this would be, for example, in agricultural technologies where, you know,
large-scale farms can use it for crop management, for treatment against particular types of
infections or particular types of insects or whatever. Another example would be, you know,
remote monitoring of, say, large-scale pipelines and so on and so forth.
And some of these sensors can be very simple
and not so powerful,
and others can have some more computational resource within them.
And so what are some of the specific challenges here
and how do you propose we address them?
Well, how long is a piece of string is the question.
There are a number of challenges, you know,
and there are the usual issues that when you have low computation power devices,
how do you actually ensure that they can have the level of security
that you would want to implement on those devices?
The big challenge, of course, comes is the remote nature
of the sensors and actuators themselves
because potentially attackers can have physical access
to these devices because they cannot always be within a,
they're almost always never within a physically constrained environment.
The other challenge, of course, is how do you actually trust the data
that is coming from these devices?
How do you actually demonstrate provenance of that data?
How do you distinguish between what is an error due to just failure and an error due to malicious interference with the device?
Yeah, that's really a fascinating element of this to me, the notion that you can have, say, a remote sensor somewhere,
and if a hacker gets in there and causes it to send you false information about whether a valve is open or closed or something like that, well, that can be a potentially catastrophic problem.
Yeah, absolutely. And the other challenge, of course, is that depending on how the systems
are architected, you can potentially enter through some of those devices and then pivot on to the more back-end systems in itself to move across to different parts of the system.
I think the key here has to be that we have to have more effective mechanisms for provenance of these devices and the data that is coming from these devices.
And then sitting underneath are all sorts of challenges of having effective access control models,
effective cryptographic techniques,
low-power cryptographic techniques,
as well as new types of, for example,
intrusion detection and prevention systems
that actually are potentially based on data provenance
and ways to actually verify that provenance in the first instance
and authenticity of the device. And so there is a range of challenges all the way from the
underlying hardware, all the way up to the stack to algorithms that may process data from that
in order to detect intrusions or prevent intrusions.
Yeah, it's an interesting challenge.
Awais Rashid, thanks for joining us.
The CyberWire is proud to be a media sponsor of the 2019 RSA Conference, taking place March 4th through the 8th at the Moscone Center in San Francisco.
Today, we welcome Dr. Dena Haritos Tsamitis, member of the 2019 RSA Conference Advisory Board
and Director of the Information Networking Institute at Carnegie Mellon University.
We've done a lot. So, as Director of the Information Networking Institute,
I've been Director since 2004, and I was associate director previously. And when I first started, we only had 6%
women in my graduate programs. And it forced me to really look at what
possibly could be the reason for that. So I looked into the research of my
colleagues Lenore Blum and Carol Frieze, who are in the computer science
department, and they found, their findings suggest that culture plays a huge role
in being able to attract women in particular to computer science and
information technology programs. Based upon their recommendations, I took a look
at our culture, addressed many of the cultural issues
that I thought were perhaps barriers. But also, and very importantly, I was very proactive in
building partnerships with organizations that are focused on attracting women, retaining women,
developing women, and underrepresented minorities so that my students could engage with them.
Through these partnerships, I've established fellowships and scholarships for women and
underrepresented minorities.
I've established mentoring programs, a number of initiatives to, again, not only attract
women to the program and underrepresented minorities, but help retain them and develop them and nurture them and inspire them while they're students in my program and as they
go on to the field to later become leaders.
And the great thing that I've seen happen is that many of these alumni who've been a
part of these partnership programs with organizations have gone on to the field
and become leaders in the area.
One important initiative that I created was Women at INI that we fondly call WINI.
It's an organization with a mission of helping attract, retain, nurture, and inspire our
students in the program, but also to build this network that our students
can have as they go on to the field and stay connected with the INI. And I've seen that the
leaders of each class have taken the lessons that they've learned and the inspiration that they
felt, and they've gone on to create organizations and employee
research groups and the organizations they serve. One student who graduated
maybe 12 years ago went on to create such an organization in Apple.
And how do you measure success? How has it been going?
Well, it's been going well because
when I started in 2002 we had 6%, and our last incoming class was well over 40% women.
Wow.
We don't even look at retention rates because it's very rare for a student not to graduate
who's entered the program.
Because we've made a huge investment into our admissions criteria.
So we've been very successful and effective in selecting students, admitting
students who will be successful in our program. We've done a lot. We've made a huge investment
in developing this pipeline, but there's more work to be done. And I'm talking about graduate
programs, pipeline into graduate programs. But when we think about undergraduate students,
you know, the pipeline is K through 12.
I want to switch gears a little bit and talk about the RSA conference that's coming up next week. You are a member of the RSA conference advisory
board. I'm wondering, what are you looking forward to with this week to come?
Well, I'm looking forward to a number of initiatives that are going to take
place. One in particular I am very invested in is the RSA Scholars Program. I think this was
launched about five years ago, and the RSA Scholars Program brings in students from across the country to present their research in a poster session
to conference attendees. And in addition, these RSA scholars have access to, well, they get a
free registration for the conference. Their travel is supported, their travel and accommodations,
but they get to interact with the keynote speakers.
They have VIP seating. They're invited to lunches and dinners with the speakers. And it just gives them such an amazing access to the network, the cybersecurity network, and exposure to a breadth
of companies and organizations. And it's a really special program, and I've seen in these
years since we've been involved, we were the first institution to get involved, how they've strengthened
the program and ensured that the schools represented were diverse, the topics are diverse,
and it's really, I think, a gem there that I would love to create awareness about, you know, because I'd like to see these students supported by conference attendees.
I encourage all the conference attendees to attend the poster presentation and get to know these students.
You know, these are great students to hire.
Universities can see them as prospective PhD students or graduate students.
So, but they're amazing talent with great potential.
And like I said, I'm very proud of it and I'm very much looking forward to that.
We have four students going this year. in the conference program a number of presentations that do focus on diversity
and how to develop the pipeline. There's another session that talks about creating,
one of my good friends, Joyce Brocaglia, as well as a colleague here from Carnegie Mellon
University, Bobbie Stempfley, are presenting on presentation techniques for women in the field.
So there are a number of exciting topics that are integrated throughout the conference
that are part of this diversity initiative that RSA has invested a lot of time and effort in
and has received a lot of feedback from their advisory board on. So I'm really looking
forward to see how it plays out. And I'm sure that conference attendees will notice this,
will take note.
That's Dr. Dena Haritos Tsamitis. She's Director of the Information Networking
Institute and Founding Director of Education, Training and Outreach at CyLab at Carnegie
Mellon University. She's also an advisory board member of
RSA Conference.
And that's the CyberWire. For links to all of today's stories, check out our
daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.