CyberWire Daily - Russians hacked two Florida counties. Fxmsp targets named. WhatsApp patches spyware-enabling flaws. Breach costs. Cisco patches routers. Endless Mayfly’s endless hogwash.
Episode Date: May 14, 2019
Russian operators breached two Florida counties' voting systems, but without altering vote counts. Symantec, McAfee and Trend Micro are thought to be the security vendors hit by Fxmsp cybercriminals. WhatsApp patches a flaw exploited to install spyware. The Equifax breach seems to have cost the company $1.4 billion. Companies are increasingly aware of data's potential toxicity. Cisco patches two flaws. And Endless Mayfly peddled fake news on behalf of Iran. Daniel Prince from Lancaster University on asymmetric information and attacker/defender dynamics. Tamika Smith debuts on our show with her story on Hackground, a STEM and robotics club. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_14.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Russian operators breached two Florida counties' voting systems, but without altering vote counts. Symantec, McAfee, and Trend Micro are thought to be the security vendors hit by FXMSP cybercriminals. WhatsApp patches a flaw exploited to install spyware. The Equifax breach seems to have cost the company $1.4 billion. Companies are increasingly aware of data's potential toxicity. Cisco patches two flaws, and Endless Mayfly peddled fake news on behalf of Iran.
From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary
for Tuesday, May 14th, 2019.
In news that broke late this morning, Florida Governor Ron DeSantis said that he'd
met with the FBI and that the Bureau confirmed that Russian operators succeeded in intruding
into the voting systems of two counties in the state. He declined to name the two counties,
but did say that no vote tallies were affected. We'll be watching this story as it develops over the week.
Bleeping Computer writes that Symantec, McAfee, and Trend Micro were among the security firms allegedly breached by the FXMSP hackers. Trend Micro says data from a test lab had been accessed by unauthorized parties, but that no source code or customer information were compromised. Symantec denied being affected at all, and McAfee says it's investigating. Bleeping Computer identified the companies from unredacted FXMSP chat logs it received from Advanced Intelligence researchers. There's no word yet about a rumored fourth victim, nor is there any further confirmation of whether the breach is as serious a matter as some hold it to be.
WhatsApp has patched a vulnerability that permitted remote installation of NSO Group's Pegasus intercept tool. It's unknown how many phones were affected. The University of Toronto's Citizen Lab says they're aware of at least one probable case. The vulnerability is said to have affected both Android and iOS devices. NSO Group said it would not have been involved in such activity and that it's investigating. The flaw that allowed the hack was, WhatsApp explained, a buffer overflow vulnerability in the VoIP stack that permitted remote code execution through specially crafted packets sent to a target's phone number. Facebook, which owns WhatsApp, has urged users to apply the patch that's available.
What's the cost of a breach? In the case of Equifax, InfoSecurity Magazine reports that so far it's cost the company $1.4 billion. Perhaps with figures like that in mind, firms are concluding that much of the data lost in breaches needn't have been collected in the first place.
A database of some 200 million individuals' information is circulating in what CSO calls the grey market. While it doesn't include such tripwire data as social security, passport, driver's license, or credit card numbers, it contains 42 fields of great interest but dubious direct marketing value. No one has fessed up to being the source of the leak, but speculation is centering on a third party who may have acquired the data from a credit bureau. A large number of retailers are coming around to the view that it's better not to have the data in the first place.
The workforce shortage facing the cybersecurity industry means it's more important than ever to spark an interest among kids in STEM.
There's an organization not far from our studios here in Maryland that aims to do just that.
The Cyber Wire's Tamika Smith has the story.
Sounds of robots are common in the underground workshop nestled below an office building in Maryland. It's the headquarters for a non-profit called Hack Ground.
Now, any of the kids want to talk? I mean, it's your robot.
Of course, please. What's your name?
I'm Andrew. I'm on the mechanical team, helped to build this robot.
Andrew Lai is an 11th grader at Reservoir High School in Maryland.
Lai is one of nearly 100 creators building robots for competition.
He's very bright and slightly shy.
It uses a tank drive, which means each side is controlled by a different joystick.
He says it usually takes their team six weeks to build a robot for competition,
but it's just part of what Hack Ground does.
What we do is we teach classes in robotics.
We run competitive teams in robotics, drones, rockets.
Prasad Karunakaran is the not-for-profit's founder and visionary.
He got the concept for it about a decade ago after going on an adventure to find a robotics team for his sons to join.
It led him about 20 miles away from home.
Before even starting, I went to Baltimore.
There was a robotics competition, and I was just intrigued by this competition.
And in my mind, I didn't remember this until my neighbor pointed it out.
To anyone who knows Karunakaran, his neighbor going on a field trip with him is not uncommon.
He's all about involving the community. Before Hack Ground, he started in his basement with
the neighborhood kids and his sons, Siddharth and Anurag. Inevitably, kids grow up, and that
presented a new challenge. So I created two teams. So the second team was for my middle schooler.
So I kind of played a little game, went to the middle school and said,
hey, PTA, can we start a robotics team here?
I just wanted four kids to fill up my middle school kids' team.
I had 25 kids show up.
By 2014, he officially created Hack Ground.
It's grown to be a STEM home of sorts for more than 100 students of all ages, a sign, Karunakaran says, that there's a growing interest in science, technology, engineering and math among today's youth.
The bad guys and the tools that the bad guys use are more sophisticated. So the threats are expanding, they're increasing, and there's
an increasing need. This growth is exactly what Taylor Aberdeen writes about for Synopsys,
a software company. His focus is on cybersecurity and privacy and says there'll be more positions
than people with the skills to fill them. The United States job shortage is an estimated
300,000 jobs.
In other words, unemployment is below zero, which is kind of interesting.
And worldwide, that figure is in the millions.
One of the estimates I saw said that two years from now, the worldwide job shortage of skills will be 3.5 million.
The projected deficit is driving states like Maryland and Michigan and companies like Capital One Bank and Booz Allen to dedicate funding to STEM initiatives
creating a fertile space for this expanding field. It's even a cause President Trump is
making more prominent. He created the Cybersecurity and Infrastructure Security Agency Act in 2018.
The men and women of the new cybersecurity and infrastructure security agency will be on the front lines.
He goes on to outline how this new department will impact homeland security.
They will partner with the private sector and all levels of government to defend America's power grids,
banks, telecommunications, and other critical parts of our economy.
But Ron Therrien, a semi-retired computer engineer for General Electric, doesn't need a push from the president to start helping.
But in the end, you actually competed very well.
He spent the last decade of his life mentoring students in the Washington, D.C. area.
I mean, I had a girl that she wanted to go to school for music. And she came in and
we moved around doing different things. And she's going to school right now to be an electrical
engineer. And she thanked me for centering her down that path. This summer, one of the program's
students will be graduating into a new mentor role of his own. He's a robotics creator showing
interest in many areas.
And I want to just throw a plug in for Mario. Like, you know what this is? This is a Google Home. Mario made it here. It's a homemade Google Home. You made this, Mario?
Yeah.
Does this actually work, Mario?
Yeah. It does.
Mario Moray started learning with Karunakaran when it was a small community gathering in a basement. He was about 12 then. Now he's 16 and feels ready to teach an emerging field of STEM, ethical hacking.
So this summer I'm going to be running an ethical hacking camp. So I want to get kids introduced to the, like, hacking world. And because Hackground was built on the term that hacking isn't something that's supposed to be bad. It's supposed to be something that's educational and good.
Although there's a projected shortfall in the number of people like him going into the field,
there is no lack of grassroots efforts by communities and state governments
preparing current generations for the rapidly changing field of technology.
For the Cyber Wire, I'm Tamika Smith.
Tamika Smith is the newest member of our Cyber Wire team.
You'll be hearing a lot more from her in the coming weeks.
We're excited to have her on board, and we hope you'll join us in welcoming her.
Cisco is patching vulnerabilities discovered and reported by researchers at Red Balloon Security.
One of them, called Thrangrycat, affects the Trust Anchor module,
which is a proprietary hardware security chip Cisco has used in its equipment since 2013.
The vulnerability allows attackers with root access to install backdoors in Cisco devices.
By itself, Thrangrycat isn't much of a problem since it does, after all, require root access.
Unfortunately, another vulnerability, a remote execution flaw without a cute name, known only as CVE-2019-1862, can be chained with Thrangrycat to provide the access necessary to install those backdoors.
Cisco products are, of course, in use worldwide,
so while there are no reports of exploitation in the wild yet,
it's a matter of some concern.
Cisco issued fixes for both vulnerabilities yesterday.
The University of Toronto's Citizen Lab has attributed
a multi-year, multilingual influence operation to Iran.
The lab offers its attribution with what it calls moderate confidence.
The narratives being pushed were unsurprising.
They are directed against the United States, the great Satan,
Israel, the lesser Satan, and Saudi Arabia,
the throbbing heart of what is Sunni heresy,
at least from an Iranian Shiite point of view.
Citizen Lab called the campaign Endless Mayfly, and therein lies a tale. The mayfly is, of course, a member of an order of primitive insects whose adults have a proverbially short lifespan, as low as five minutes in some species, and in any case too short for the adult imago to even enjoy a decent meal, so a day or so tops. So too with the stories pushed by Endless Mayfly. They swarmed, hit the internet, and then were gone, like their insect namesake.
Those of you who are connoisseurs of the lower-end supermarket checkout line tabloids will recognize the telltale short lifespan of the preposterously bogus news story. While Woody Woodpecker's sad last days or Minnie Mouse's amazing diet tips might have some traction, and what journalists used to call legs, the more amazing stories tend to rise to become screamer headlines but then sink without a trace, winding up probably somewhere below the Snickers bars and the astrological pamphlets.
Thus, you'd think headlines like
President Obama Negotiates Trade Agreement with Space Aliens
or Hitler, Age 92, Behind Argentina's Invasion of the Falklands
would warrant some follow-up.
You'd think, right?
By the way, our supermarket checkout line desk assures us
that they saw exactly those headlines in the wild back in the day.
But no, you never hear of them again.
Next week, they're on to something else.
And that's how it was with Endless Mayfly.
Their stories were less entertaining, to be sure, than intergalactic trade agreements or the secret history of late 20th century South Atlantic conflict, but they were equally implausible and equally short-lived. They also gained little apparent traction and not much amplification on social media. So, scoff if you wish, but do note that Tehran's cyber operators learned quickly and got better fast. There's every reason to think they're going to get better at information operations, too.
Their basic technique was simple but proven: typosquatting, with fairly convincing landing pages that mimicked those of real publications, including Bloomberg, The Guardian, The Atlantic, and Politico. So you might easily misread a URL containing The Atlantic and be left either marveling at James Fallows' scoop or wondering what in the world had gotten into him. Stay in school, friends, because as you know, spelling always counts.
And joining me once again is Daniel Prince.
He's a senior lecturer in cybersecurity at Lancaster University.
Daniel, it's great to have you back.
We wanted to talk today about asymmetric information and attacker-defender dynamics.
There's a lot to unpack there.
What do you have to share with us today?
Well, thanks for having me back on. So this came from working with one of my economics colleagues here at the university,
and generally having conversations around this idea from economics of asymmetric information
and what that does to markets and different parties and how they behave.
And they're reflecting on what happens in cyber security,
and particularly with sort of a cyber risk management hat on or a defender hat on.
Oftentimes, as a defender, we obviously know a large proportion of our network, we can start to think about how we would attack it. But we have a significant amount of information about that network. If you have the total map of the network, you can plot the best and most logical route. But for attackers, they incrementally, typically incrementally build up a picture over time of the network that you have and the systems that you have. So they start out with much less information.
That results in potentially attack pathways and ways they attack the network, which seem
illogical to the defender, but very logical to the attacker,
because they have incomplete and impartial information.
The result of that is just thinking about, actually, how do we use that to our advantage as a defender?
Yeah, it's interesting. I'm reminded of that old parable about the group of blind men trying to describe an elephant by feel,
and each of them approaches
a different part of the creature, and so they have a different description because each of them has
an incomplete part of the whole. Yeah, and I think that's sort of the heart of the problem.
And one of the key things that we need to do as defenders is to think about how we can use this
to our advantage in terms of designing the responses. But also be aware of that because what we think to be the most likely attack pathway will bias us to defending against that pathway. But we've got
to remember that as an attacker, they may not ever see that pathway. In your analogy, they may not
ever see the trunk. So if they only see four legs, then they're only going to develop an attack
strategy which will deal with four legs.
But if the most prominent thing that we think about is the trunk, we're only going to ever
defend the trunk. And it seems, you know, very simplistic when you kind of go through it. But
actually, I think a lot of people, when they're developing defense strategies or defense
technologies or defense systems, because they have that complete picture, that biases them to develop the defenses in certain ways, which perhaps may not ever be
triggered because the attacker might not see the whole of the network.
How important is it to get a fresh set of eyes on your network, to get an outsider,
perhaps a third party, to take a look at it without that insider information?
Well, I think that's very important in terms of the whole idea of penetration testing and
vulnerability assessments. This idea of having an external party acting as that attacker,
as that particular threat agent is really useful. And we've seen really strong examples of that,
for example, the CBEST scheme that's used in the UK, now being exported more widely, which takes an intelligence-led penetration testing approach, where they take an intelligence approach to try and identify the types of attackers which will come up against an organization and then attempt to really mimic that attacker behavior, so that we can get a real sense of how attackers would approach their network and open up those avenues of attack, which perhaps, because we know more about the network than we think we do, do tend to cause us to not think about and maybe go in a different direction.
All right, Daniel Prince, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.