CyberWire Daily - Secondary Infektion may be back, and interested in UK elections. Quantum Dragon. FaceApp risks. PyXie RAT in the wild. An Ethereum developer is charged with helping North Korea evade sanctions.
Episode Date: December 3, 2019
Someone believes, or would like others to believe, that Britain’s National Health Service is for sale to the US. There’s no word on whether the US has offered the Brooklyn Bridge in exchange. The “Quantum Dragon” study summarizes Chinese efforts to obtain quantum research results from Western institutions. The FBI says FaceApp is a security threat. PyXie, a Python RAT, has been quietly active in the wild since 2018. An Ethereum developer is accused of aiding Pyongyang. Ben Yelin from UMD CHHS on a bipartisan bill requiring a warrant for facial recognition use. Guest is Earl Matthews from Verodin on the importance of collaboration between state governments and technology vendors to ensure election security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_03.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Someone believes, or would like others to believe,
that Britain's National Health Service is for sale to the U.S.
There's no word on whether the U.S. has offered the Brooklyn Bridge in exchange.
The Quantum Dragon study summarizes Chinese efforts to obtain quantum research.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning
with purpose, and showing the world what AI was meant to be. Let's create the agent-first future
together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
An Ethereum developer is accused of aiding Pyongyang.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Tuesday, December 3rd, 2019.
A leak of purportedly secret documents outlining alleged topics of Anglo-American trade talks
appears to be foreign disinformation, most likely of Russian origin.
Reuters reports that researchers see similarities to the Secondary Infektion campaign the Atlantic
Council unmasked in June. The incident has raised concerns that foreign attempts to interfere with
upcoming British elections may already be in progress. The report in Reuters is ambiguous.
On the one hand, it notes that the opposition
Labour Party is citing the documents as representing genuine leaks that show the
intention of the ruling Conservative Party to sell Britain's National Health Service to the
United States. On the other hand, the idea that either the UK or the US would actually be
interested in such a transaction seems pretty far-fetched.
Reuters says it's been unable to verify that the documents are genuine,
and no comments were available from Her Majesty's government,
the U.S. Trade Representative, or, surprisingly, the Labour Party itself.
Of course, we don't have any direct knowledge of the documents,
but if you bet on form, as we like to do, we think it's probably a lot of hooey.
Forgive our lapse into the technical jargon of analysts.
The provenance of the documents is dubious, to say the least.
They seem to have been first shared on Reddit by a user who seemed not to be a native speaker of English,
and the poster's language and the websites and social media used to disseminate the documents
all looked a great deal like Secondary Infektion.
The researchers who've looked into the matter,
including teams at the Atlantic Council's Digital Forensic Research Lab,
Graphika, and the Universities of Oxford and Cardiff,
think the whole affair looks fishy.
Attribution in such matters is notoriously difficult,
and Moscow isn't talking either.
But Lisa-Maria Neudert,
a researcher at Oxford University's Project on Computational Propaganda, observed to Reuters
that if it's indeed a Russian operation, quote, we know from the Russian playbook that often it is
not for or against anything. It's about sowing confusion and destroying the field of political
trust, end quote. U.S. security startup Strider has released a report
on how China has penetrated quantum research laboratories
in the U.S., Switzerland, the U.K., and Germany
to obtain results that have important military applications.
Much of that penetration seems to have been obtained in traditional ways
by forming partnerships with universities,
recruiting Western scientists,
and placing students and faculty in research institutions of interest.
Heidelberg University is said to have been particularly thoroughly prospected.
As the year winds down and we head into 2020,
the coming elections present a security challenge at multiple levels,
local and national.
Earl Matthews is Chief Strategy Officer at Verodin, which is a FireEye company, and he shares these insights.
At the state level, every state has a secretary
of state, just like we do at the national level. And they're actually the ones who are responsible
as the chief election officer and have responsibility for the election administration,
you know, the testing and certifying that all the voting equipment for security,
the accuracy, the reliability and accessibility to ensure that every vote is counted as cast belongs to the Secretary of State and the Election Commission.
But the states also have reporting to the governor in a separate chain of command.
Our chief information officers, which are appointed by the
governor and the chief information security officer. And while these employees don't have a
direct working relationship or reporting relationship with the Secretary of State and
election commissions, I think that they should, especially with this growing importance of
cybersecurity, have a tighter relationship amongst states.
And that's primarily because I don't think we have been treating the election system as a business system.
And that is really the fundamental job of the CIO and the chief security officers.
What do you mean by treating it as a business system?
Typically, what ends up happening with voting is we treat it as isolated events and it's not a consistent event that happens every single day.
And so as a result, we tend not to put the same layers of defense in place for our election system as we would treat a business system that is being accessed every single day.
What about this notion that rather than the actual physical altering of votes,
the idea that people don't have a trust in the system, that that can be just as corrosive?
Yeah, Dave, I am becoming less and less concerned with the actual physical mechanism of voting because, as I mentioned earlier, I think the voter database rolls, hacking at the DMV,
because that's connected to the election system. I'm worried about phishing. I'm worried about spoofing of websites on the day of the election, you know, kind of producing false information or
misinformation, saying that a particular polling place is closed or
An email comes that looks like it's coming from the election official giving out false information.
That's really kind of what I'm starting to become more concerned about than the actual, you know, physical day of voting.
You know, I've heard many people who work in the realm of election security say that they believe that the ultimate fallback here is that we need to be writing things down, that paper ballots and paper records are a backstop that we should have.
What's your take on that?
you go in and you use a voting machine to vote, that not only is there an electronic record,
but it also produces a paper ballot in which then the voter can sign.
And then that can also be used then when we do the audits if there seems to be an irregularity. So I'm a fan of actually both.
I think the electronic version speeds up the counting of the vote. If you only
go to paper-only ballots, right, which is the most secure way, however, you know, that even
depends, that has some vulnerabilities, right, because it has to be physically transported
somewhere. It just takes longer to tabulate the vote.
So ultimately, I mean, what are the take-homes here? What are your recommendations, both as security professionals and citizens? What should our attitude be towards securing our elections?
on what are the techniques and how the vulnerability system could be upset during the whole process through the year.
They need to deploy, like we do in IT business systems, a layered defense,
which includes physical security, system hardening, user authentication, encryption, audits and trails like that.
They should take advantage of existing online resources on election security.
DHS has election services, really good white papers on that,
as does Cook County, as does the Belfer Center at Harvard University,
as does the Center for Internet Security, just to name a few.
They need to practice good cyber hygiene, still the number one problem even for business systems,
which means you have to have a culture around elections the same way that we have around our financial and medical information.
I think that none of the elections should be connected to the internet, even if they're automated.
I think election commissions need to use risk-limiting
audits. If there's a wide variance, that means there is a percentage of records that have to be
recounted. And then finally, as part of this overall ecosystem, it's not just the election
system because it's tied into the voter database system and it's tied into the DMV and tied into
other systems. So that's why I recommend the involvement of the state chief information officer and
the state chief information security officer.
That's Earl Matthews from Verodin.
Responding to senatorial questions, the U.S. FBI said the Russian-developed facial image
editing application FaceApp represents a counterintelligence threat.
The New York Times points out that FaceApp denies sharing data with anyone,
including the Russian intelligence and security organs,
and says that most images are deleted from its servers within 48 hours.
But the FBI regards any app built in Russia as inherently problematic.
Russian services have robust cyber exploitation capabilities
with both the ability and authority
to remotely access all communications and servers
on Russian networks without making a request to ISPs.
BlackBerry Cylance describes PyXie,
a new Python remote access trojan.
This particular RAT delivers ransomware to targets
in the education and healthcare sectors.
It's been quietly active in the wild since 2018,
the researchers say,
and it hasn't attracted much attention.
Its operators have been more successful than most
at obfuscation and misdirection.
A U.S. Ethereum developer was charged Friday
with offenses related to helping North Korea evade sanctions.
Virgil Griffith, whom the
U.S. denied permission to travel to Pyongyang, nonetheless obtained travel documents from what
U.S. federal prosecutors describe as a diplomatic mission facility in Manhattan, presumably a DPRK
mission associated with the United Nations, and then in April used those documents to attend a
conference in Pyongyang.
What's objectionable about that?
According to the U.S. prosecutors, here's the problem.
The topic of Mr. Griffith's talk was how North Korea could use cryptocurrency to achieve independence from the global banking system.
And that, in the considered view of the U.S. government,
amounts to providing North Korea with technical knowledge
Pyongyang would use
to launder money and evade international sanctions.
North Korea is under very tight international sanctions
that have effectively crippled it financially
and rendered the Kim regime a pariah state.
Those sanctions are for the most part aimed at North Korea's nuclear and ballistic missile programs.
Mr. Griffith, whom Fifth Domain describes as someone who established himself as a bit of a tech embarrassment back in the aughts,
is charged with one count of conspiracy to violate the International Emergency Economic Powers Act.
He's had brushes with the law before, but those were the sorts of things that aren't uncommon among those who buy into the hacker romance.
While a student at the University of Alabama, for example,
he and another student had described ways of hacking a campus debit card system to get free sodas, free use of laundry machines,
and access to the other impedimenta of undergraduate life.
That time, he apologized, promised not to actually build the device he described,
and agreed to 40 hours of community service.
The stakes, unfortunately, are higher this time around.
The government has said that Mr. Griffith had at least one co-conspirator, so far unnamed,
who will be brought to New York and arrested.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's the Program Director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security
and also my co-host on the Caveat podcast.
Ben, it's great to have you back.
Good to be with you again.
Interesting article. This is from CNET.
This is a bipartisan bill that would require agencies who wanted to use facial recognition surveillance. Well, they would have to get a warrant. What's going on here?
So this is a bipartisan bill in the United States Senate proposed by Senator Chris Coons of Delaware and Mike Lee of Utah. Coons, the Democrat. Lee is a Republican but sort of libertarian leaning.
And what this bill would do is set the first federal standards for the use of facial recognition.
It would apply to applications to surveil somebody for up to 72 hours using facial recognition software.
So if you go beyond 72, that's where the warrant requirement kicks in?
Would be required.
Okay, interesting.
A warrant would not be required for identification purposes.
So we use facial recognition software at the federal level to identify individuals, particularly
as it relates to their immigration status.
So I know this article mentions that ICE, Immigration and Customs Enforcement, uses that technology for identification.
And that would not be covered under this piece of legislation.
So while I think this is a noble effort, it sort of falls short in the mind of civil liberties advocates in a number of ways.
First and foremost, this is kind of obvious, but when you're passing any sort of federal law dealing with law enforcement, it's a relatively limited universe because most law enforcement activity happens at the state level.
So this bill wouldn't prevent, you know, state police or local police departments from using facial recognition software for monitoring without a warrant.
And we already know that that's something that does happen in a lot of states.
Now, so that being the case, is this a situation where, for example, a federal law enforcement
organization could partner with their local friends at the state level and the state folks
would be fine doing the surveillance?
Yeah, although if you had a statute,
you could construct a statute in such a way
that you could prohibit any federal agency
from even partnering with a state organization
using this technology.
Okay.
The other limiting factor, which this article mentions,
is that the type of persistent facial recognition surveillance
they talk about here isn't really something that the federal government does to this point.
The technology is just not quite ripe enough for the federal government to use.
So it's sort of, I think, one of the advocates against this piece of legislation,
not necessarily against it, but somebody who was observing this legislation was sort of like,
what's the point?
If we're not preventing facial recognition for identification purposes
and we're requiring warrants for something that the federal government
is not yet doing, why even do this in the first place?
I think the answer to that is probably just laying the groundwork.
We have this area of concern.
I mean facial recognition obviously poses major privacy and civil liberties concern.
And this is sort of a first stab at trying to put some federal regulation behind it.
So unlikely that this will have a lot of traction in its current form but maybe an initial volley to start the conversation.
Exactly. Yeah. I don't see this piece of legislation going anywhere. I mean,
nothing really goes anywhere in the United States Senate.
It's your optimism I admire.
It is. Yeah, absolutely. I would not bet my life on a piece of legislation passing the Senate.
Right.
But yes, I believe this is sort of the first volley. You know, it's always,
there's going to be some piece of maybe broader data privacy legislation in the future.
And maybe this becomes one component of that.
And that happens frequently.
Yeah.
You sort of get something on the record, you know, lay down a claim that you think a certain type of surveillance should be regulated.
And that sort of seeps into the national political conversation.
Gets people talking about it like you and I.
Yep.
All right.
We're part of the solution.
There you go.
All right.
Well, Ben Yelin, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo
is easy. Learn more at ai.domo.com. That's ai.domo.com.