CyberWire Daily - Regional rivals jostle in cyberspace. Election interference and vulnerable online voting. Phishing for a competitive advantage. Reducing dependence on foreign companies for infrastructure.
Episode Date: June 8, 2020
South and Southwest Asian regional rivalries play out in cyberspace. Election interference could move from disruptive influence operations to actual vote manipulation. Someone is spearphishing leaders in Germany's PPE task force. Nations move to restrict dependence on foreign companies in their infrastructure. Justin Harvey from Accenture on the train of thought behind breach disclosure. Our own Rick Howard on DevSecOps. And Washington State recovers some, but not all, of the unemployment funds lost to fraud.
For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/110
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
South and Southwest Asian regional rivalries play out in cyberspace.
Election interference could move from disruptive influence operations to
actual vote manipulation. Someone is spear phishing leaders in Germany's PPE task force.
Nations move to restrict dependence on foreign companies in their infrastructure.
Justin Harvey from Accenture on the train of thought behind breach disclosure.
Our own Rick Howard on DevSecOps. And Washington state recovers some,
but not all, of the unemployment funds lost to fraud.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 8, 2020.
Regional rivals continue to expand their operations in cyberspace.
Pakistani operators, whom Telangana Today describes as criminals, are said to be smishing Indian defense officials. Their aim appears to be data exfiltration, and the goal and the target set suggest a connection to espionage.
Both India and Pakistan are said by Eurasian Times to be increasing their cyber-operational capability
and doing so with the aid of allies, respectively Israel and Pakistan.
As more information about the exchange of cyber-attacks between Iran and Israel comes to public attention,
an essay in Foreign Policy assesses those operations as indicating the future of warfare,
increasingly conducted in cyberspace, especially at the lower end
of the spectrum of conflict and increasingly overt.
Both recent operations hit civilian infrastructure.
Iranian operators are said by Israel to have attacked water treatment and distribution
systems.
Those attacks are believed to have been unsuccessful, their effects mitigated by defenders.
Israeli operators are believed, on the basis of apparently deliberate leaks from within
the Israeli government, to have retaliated by crippling operations at an Iranian port.
That the operations are becoming increasingly overt suggests not only a growing disinhibition
in the offensive use of cyber tactics, but also that there's an emerging deterrence
regime.
Remote voting online has been used in some U.S. states' primaries and may see some limited use in November's general elections. The New York Times discusses the risks this may pose for direct manipulation of votes by hostile intelligence services. They focus, of course, on Russian services. Delaware, West Virginia, and New Jersey plan to use Democracy Live's OmniBallot platform, but researchers at MIT and the University of Michigan report that OmniBallot represents a severe risk to election security and could allow attackers to alter election results without detection. OmniBallot isn't new, researchers Michael A. Specter and J. Alex Halderman write.
It's, quote, long been used to let voters print ballots that will be returned through the mail, end quote.
What's new this year, they say, is its use for filing ballots online.
The three states are using it differently.
New Jersey has decided to make online voting available to voters with certain disabilities,
and it's treating that limited availability as a pilot that could be expanded if the need arose.
West Virginia lets the disabled, military voters, and West Virginia citizens overseas vote online with OmniBallot.
Delaware is making the most expansive use of the system.
As Specter and Halderman write,
online voting will be an option to anyone who's sick, self-quarantining, or engaging in social distancing, which as a practical matter includes close to everyone in the state.
The researchers see four problems with the system. First, they conclude that OmniBallot's ballot return function cannot achieve either software independence or end-to-end verifiability. The system uses third-party services and infrastructure, including Amazon's cloud, with JavaScript executed from Google and Cloudflare. Either unauthorized third parties or Democracy Live itself could alter votes without being detected; the threat could come from malicious insiders or from external attackers who've gained access.
Second, the version of the ballot-marking mechanism being used in Delaware, in particular, sends the voter's identity and ballot selections to Democracy Live, even if the voter opts to print the ballot and mail it in. This, the researchers say, needlessly places ballot secrecy at risk. Third, even where OmniBallot is used only to deliver blank ballots, the researchers find that the ballots could be misdirected or altered in ways that would cause them to be counted incorrectly. Election officials could mitigate these risks, but only with considerable effort and by conducting rigorous post-election audits. And finally, in all cases, Democracy Live, the platform's corporate parent, collects a great deal of sensitive personally identifiable information: voters' names, addresses, dates of birth, physical locations, party affiliations, and partial Social Security numbers. When the system is used to submit ballots online, more comes in, including ballot selections and a browser fingerprint. The possibilities for misuse of this information are extensive and obvious. It could be used, for example, to target political advertising with rifle-shot accuracy, to pick out targets for disinformation, and so on. And the researchers point out that OmniBallot seems to have no privacy policy posted, leaving it unclear what, if any, safeguards may be in place.
Secure online voting is a difficult problem,
and it would be difficult to object to the goals with which states are planning to use OmniBallot.
Enabling disabled citizens to vote, for example, is one,
and anyone who's struggled to get even a mail-in absentee ballot during their military service
can tell you that snail mail isn't exactly a day at the beach either.
But clearly there are problems to be worked out,
especially since this election and all elections for the foreseeable future
are going to be held under conditions of opposition.
IBM's X-Force reports that the PPE task force Germany's health ministry organized to facilitate procurement of personal protective equipment, items like masks, has been subjected to a phishing campaign directed against PPE supply chains. It may be the work of a nation-state intelligence service interested in gaining competitive advantage in the market. What kind of advantage, one might ask? Well, if you can cripple a competitor in a market, you might clear the field a bit and give yourself a better shot at getting scarce commodities at a knockdown price. There are other possibilities as well. There's a degree of overlap between executives connected with the task force and those connected with the development of COVID-19 vaccines and treatments. Intelligence about these may also be a goal.
And finally, we all know that the COVID-19 pandemic
and the relief programs designed to ease people's economic pain
have generated a great deal of fraud.
How much?
Well, it's not clear, but here's one indication.
The AP reports that the U.S. state of Washington
says it's recovered $333 million in fraudulent claims.
That's a lot, but maybe that means they've made good their losses, right?
Not so fast.
The state's not sure just how much has been lost to fraud,
but they think the total is somewhere between $550 and $650 million.
There are a lot of venti lattes in that margin of error, friends.
And if the missing $100 bills were laid end-to-end,
well, at a low estimate,
that's the combined height of about 1,800 Space Needles.
And joining me once again is Rick Howard.
He is the CyberWire's Chief Analyst and Chief Security Officer.
Rick, always great to have you back.
Hey, Dave. How are you doing?
Not bad, not bad.
So in this week's CSO Perspectives podcast, you are digging in on DevSecOps.
And in order to get there, you kind of have to take a trip through DevOps first, right?
Exactly right.
And for this whole series, I've been working on kind of an InfoSec first principles discussion.
What are the most important things that cybersecurity practitioners should be doing based on first principles?
So DevSecOps has come up, and I was one of the original enthusiastic supporters of the DevOps idea.
And what got me really excited about this, do you know the Google story? Do you know how they
got started? Have I told you this? I do. Well, let's say that I do, but our audience doesn't.
Let us know what it's all about, Rick. Nice setup. So back in 2004, when Google was nothing more than just a search engine, the leadership made this extraordinary decision. They handed the management of the network over to the development team and not to the traditional network managers that everybody else on the planet uses.
So when you hand a task like that to a bunch of programmers, what do they do?
Well, they program it, right?
And so they've automated everything.
The Google stuff is not just automated.
It's an autonomous system.
And a clear six years before we even had a name for DevOps.
And when I read that, I was going, oh my goodness, that is the thing. That is how the security practitioners will shift left
in the design and deployment of new capabilities
for our organizations,
because we'll automate everything
and inject a layer of consistency
as we deploy all of our things.
What's happened is that has not really happened at all. There's been a lot of resistance to doing that. And one of the reasons is it
turns out that the network security community, we don't have a lot of coders.
The ones that we do have, they're really, really good. But most of us
struggle with putting lines of code together to do anything useful.
So that's been one problem.
The other problem is the DevOps people use a set of tools that we are not familiar with.
You know, things like Puppet and Ansible and other really strange sounding tool sets.
And where our folks prefer to use things like, you know, Python and C and, you know, those kinds of things.
So we're kind of like oil and water.
So our progress of pursuing this DevSecOps mission
has not really come to fruition.
So we'll be talking about that.
And really, though, it's still the atomic thing
we need to put on our InfoSec first principles wall
because we still have to do it.
We just have to get there.
I was going to say, whatever happened to Google? Hardly hear about them anymore.
They're a small up-and-comer. I think you should pay attention to them.
All right. We'll do. We'll do. All right. Well, it is Rick Howard's podcast, CSO Perspectives.
You get that as part of your membership with CyberWire Pro. You can find that on our website,
thecyberwire.com. Rick Howard, always a pleasure. Thanks for joining us.
Thank you, sir.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta
brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
at blackcloak.io.
And I'm pleased to be joined once again by Justin Harvey.
He is the Global Incident Response Leader at Accenture.
Justin, it's always great to have you back.
I wanted to touch today on breach disclosure
and get your insights on the factors that go into
the decisions that companies
make when it comes to disclosures, whether or not to disclose and the variables that go into those
decisions. What can you share with us? Well, there's a lot of variables, but the main
theme that I see in the press is always X or Y organization did not disclose fast enough. And after having been embedded with our team doing incident response on a regular basis for our large customer base,
this actually becomes a very sticky and complicated point.
I want to mention here that it may not be the right move at the right time to discuss a breach. There is one school of thought that says,
as soon as the C-suite understands that they've been hit or they've lost something,
they need to go public or they need to go right to the regulator and go public with this. And that is actually counterproductive to the well-being and to the successful conclusion of an investigation.
When you're running an investigation, you need to keep in mind that for the most part,
particularly at the beginning, the adversary, A, doesn't know that you're in the environment,
and B, you still really don't know what the true impact of the cyber attack is or what it could be. So really at the
beginning, you're in a discovery phase. You're saying you're going out into the network and the
endpoints and you're trying to see where is the adversary? Because if you were just to take a
knee-jerk reaction and say, well, we know that this adversary came in on this machine and then
they've moved to these three others and then it looks like there's some more,
but we don't care about that.
Well, if you were to go through an expulsion event,
which is turn everything off,
change passwords and kick the adversary out,
they know you're onto them.
And without truly understanding
where the adversary has been and where they are,
you don't know if you've plugged all the holes
that they're going to use to get back in.
And that is magnified when this becomes public.
Because when it becomes public,
the adversary will probably read it in their own newsfeed.
Oh, okay.
You've tipped your hand.
The next thing is that when you tip your hand,
it makes the adversary change behavior.
And they understand that their main infrastructure has been burnt.
So they immediately move to their secondary infrastructure, which you don't even know about and so on.
Now, understanding that there are some regulatory issues here, I mean, does the situation ever arise
where, for example, a company can go to a regulator
and say, listen, this is what has happened.
This is what we know so far.
And here are the reasons
why we don't want to make this public yet.
We're sharing this with you,
but we think we have rational reasons
to delay a little while.
Are they likely to get a positive response from
something like that? Absolutely. Let's not forget about the role of regulators. The regulators are
there to develop a relationship with the regulated and to have an open dialogue and communicate and
to be the oversight. Many people out there that don't work in the industry think that regulators are more like binary human beings, saying you're either in compliance or you're not, and when you're not in compliance, we're going to lift the lid and tell everyone, and you're guilty. That's not the way it really works. The way it works is, and the most effective means to this end is, having a great relationship with your regulators, which many global organizations do. And when something happens, being able to go very early on in the process,
particularly with things like GDPR and say, hey, regulator, we understood it happened
on this date and we just discovered it, I don't know, yesterday or within 24 hours.
This is what we have seen as the initial impact. We are not ready to go public with this because we don't know where else the adversary has been, and the number could be bigger, or better off yet, this was a SWAG for what we think the impact is. It might actually be less with further analysis.
And the problem is if you don't give those sort of controls to the regulators when it does become public and if the numbers are artificially large, it's really difficult when you go public with, let's say, a hundred million individual breach.
Let's say two weeks later, you actually find out it was a million or a hundred thousand or a hundred that were actually stolen.
No one ever remembers that, right, in the press.
They're like, oh, no, that was that 100 million one?
No, no, no, you said 100 million.
And because when you do have that case to say,
well, yeah, we thought it was 100 million,
we went public too early,
and it's really this number amount,
if they'd have just taken the time to get it right,
then they would have gone public with the right amount.
Yeah.
All right, interesting insights and words of wisdom there.
Justin Harvey, thanks for joining us. Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.