CyberWire Daily - Social media struggle with their social role. Election hacking concerns remain high. Australia's new government shuffles cybersecurity responsibilities.
Episode Date: August 28, 2018
In today's podcast, we hear that Twitter has suspended more accounts for "divisive social commentary" and "coordinated manipulation." Facebook blocks accounts belonging to Myanmar leaders over Rohingya persecution. US Senators are unconvinced by claims that it's dangerous to research voting-machine vulnerabilities. The House takes a look at the CVE database. Australia's new government reorganizes its cybersecurity portfolio. Justin Harvey from Accenture with details from their mid-year cyber threatscape report. Guest is Sean Tierney from Infoblox with their shadow IoT report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_28.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Twitter suspends more accounts for divisive social commentary and coordinated manipulation.
Facebook blocks accounts belonging to Myanmar leaders.
U.S. senators are unconvinced by claims that it's dangerous to research voting machine
vulnerabilities. The House takes a look at the CVE database. And Australia's new government
reorganizes its cybersecurity portfolio.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 28, 2018.
Yesterday, Twitter suspended 488 more accounts, this time for sharing divisive social commentary and coordinated manipulation,
as opposed to the inauthenticity Facebook stressed last week.
Almost 100 of the newly suspended Twitter accounts claim to be located in the U.S.
Many of those were less than a year old.
It's perhaps worth noting that Twitter displayed some self-conscious even-handedness in this week's takedowns. Some of the socially divisive stuff it exhibited
no longer welcome on its platform consisted of anti-President Trump screeds and memes.
And there's a gesture toward purging inauthenticity, too. Some, if not all,
of the blocked accounts were linked to the coordinated efforts of Iranian actors.
Twitter may have more difficulty maintaining a principled stance against divisive
social commentary. Construed literally, this tendency would seem likely to transform Twitter
into a 21st century analog of some of the older print newspapers that sought to specialize in
good news, human interest stories, fun facts, recipes, and sports. Scores only with sports.
But it seems unlikely that any social medium could survive such a viewpoint-neutral blandness,
which leads many to suspect that Twitter may have preferences for some forms of commentary
that strike it, unreflectively, as uncontroversial,
but which in fact will lead substantial swaths of its users to see the platform itself as biased.
It's not an easy task for Twitter or any other social platform.
Concerns about radicalization, bullying, and even fomenting violence are real,
and social media companies feel considerable pressure to do something about them.
Among the more serious instances of social media being used to foment violence
have been the flash lynch mobs that have sprung up in India
in response to generally false reports of abduction
and other abuse of children and women.
On a more widespread scale,
the massacre of Rohingya Muslims in Myanmar by the majority Buddhist state
has been incited, popularized, and sustained
in significant part by Facebook,
as the Times of London reports.
Facebook has responded by blocking accounts of regime leaders,
but the baleful climate of opinion these leaders serve
is alive, well, and online.
Of course, Twitter, Facebook, and Google
are private organizations, free to adopt pretty much any viewpoint they choose, in the U.S. at any rate.
But the quasi-monopolistic position a small group of companies are perceived as having achieved in the market has led some to think they ought to be treated more like utilities than newspapers.
White House economic advisor Kudlow says the possibility is undergoing some
preliminary study. Google has warned U.S. Senator Toomey, Republican of Pennsylvania,
that the senator's staff had been subjected to apparently unsuccessful spear phishing attacks.
The accounts targeted were dormant, left over from the 2016 campaign, and most of the staffers
were campaign workers who've
since moved on anyway. Google did suggest the phishers were a foreign intelligence service,
but whose foreign intelligence service Mountain View left as an exercise for the reader.
Unease over election hacking and influence operations persists in U.S. political circles,
where DEFCON hacking demos are being taken
seriously. The Senate Intelligence Committee yesterday gave the back of its hand to a letter
from Election Systems and Software, the leading vendor of voting machines in the U.S. ES&S didn't
particularly care for the goings-on at DEFCON, where white hats were given the opportunity to
make a run at voting systems.
The Washington Post quotes Election Systems and Software as saying,
quote, forums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international
espionage.
We suspect that our adversaries are paying very close attention.
End quote.
Since this would seem to rule out the sort of sensible vulnerability research one would think important to enhanced security, the senators were unsympathetic. After all, if you can hack the
Pentagon to make it more secure, what's the problem with hacking voting machines? The state authorities
who use them are too poorly resourced
to fix or update them when problems are found.
Perhaps there's more to be said on the matter,
but it seems difficult to disagree with a note from the staff of Senator Harris,
Democrat of California, which told the Washington Post that,
quote, independent security research does not jeopardize election integrity.
Instead, it helps us design more secure voting systems.
Speaking of vulnerability discovery and disclosure,
some members of the U.S. House of Representatives
are pressing for reform of the Common Vulnerabilities and Exposures database.
The Department of Homeland Security has become increasingly unable
to keep pace with rising demands for vulnerability information.
There are also reports of bugs having been submitted without a timely, or in some cases any, response.
Republican members of the House Energy and Commerce Committee have written the Secretary
of Homeland Security asking for improvements to the platform.
One of the improvements they're considering lies within the authority of Congress.
They may wish to give the CVE program its own budget line.
Secure networking firm Infoblox recently surveyed cybersecurity professionals
for their take on IoT devices on their networks
to try to get a handle on what is known and unknown when it comes to BYOD policies.
Sean Tierney is director of cyber intelligence at Infoblox.
The whole notion of shadow IT, if you've been doing this for a long time,
you probably remember back in the day when most organizations didn't have an IT department.
They just kind of dealt with it within their individual teams.
And then there was a need to kind of commoditize it,
kind of bring it all under one umbrella and get the most economy of scale.
And those are perfectly reasonable and sound business reasons for doing this sort of thing.
Then IT with regulation and bureaucracy kind of became slow.
And so you saw teams within companies, within organizations kind of start picking up a little
bit of that work again, right?
And that's the shadow IT.
It's the guy that knows where all the software is that your department uses, and he's
the technical expert that can help, even though that's not his job. He's not an IT guy.
He might not even be a technology worker, but he knows all the software
and tools that the team is using, and so he's the guy that helps everybody
else, right? But the IoT devices that are not company-sanctioned and company-managed are really
shadow devices, right? So meaning that you don't have visibility into them because you're not
managing them. Whether you own them or not, as an organization, right, you may have devices in
your network that the company purchased, right? But because IT's not managing them, they're
unmanaged devices, they're shadow devices.
So can you take us through what were some of the key findings from the report?
33% of those organizations have more than 1,000 shadow IoT devices on their network every day.
And we're talking about small to medium enterprises, not necessarily very large corporations,
which we would expect those to be much larger.
When asking employees what were they doing with their personal devices, how were they using them, 39% of them were using them for things like social media, apps, games, films, right? We see
things like 88% of IT leaders think that they have a well-placed and well-implemented and well-followed
IT security policy, and yet 24% of the employees report not knowing the policy
or not following it. And then in terms of kind of what we see in terms of actual
devices, 48% of the organizations find that they're seeing fitness trackers,
things like Fitbits on there, smart TVs, and then digital assistants like Alexa
or Google Home. And so we find this mix kind of interesting because
on the one hand, you have things that you would normally expect from a BYOD perspective,
laptops and tablets, right? And then yet when you go and look at what people are using and what
they're bringing into, you see a lot of these other types of non-traditional BYOD devices,
right?
So if their fitness tracker is connected to the guest network
at the company, what kind of exposure is that creating for that company?
When we look at that, we want to think in terms of good, solid policies and practices.
So I think that depending on a corporation's or an organization's risk appetite, that perhaps a
guest network or an employee network that's segmented from their corporate business network
may be a good idea. They have to do their own risk analysis.
But that's, at a minimum, one way to look at how they can separate that
kind of traffic and take control of that sort of thing.
So if they're not permitting those devices to come onto their network, they're not giving
the passwords for them to join or they're using network access control to keep those
kinds of things off their business network, they're still affording their employees a venue for using those
sorts of tools and keeping it off their corporate networks.
That's Sean Tierney from Infoblox.
You can find the results of their IoT survey on their website.
The Bank of Spain has experienced intermittent distributed denial of service attacks since Sunday,
but says its services haven't been disrupted, so the attacks remain at a nuisance level.
Australia's newly formed government won't have a dedicated cybersecurity ministry.
Instead, Home Affairs Minister Peter Dutton will assume responsibility for cybersecurity and critical infrastructure
protection. Not all investigations result in convictions or indictments or even conclusions.
Switzerland has closed its investigation into a 2014 cyber espionage incident involving defense
firm RUAG. The results were inconclusive. No perpetrator could be identified with confidence.
Russia had been suspected, and Swiss authorities did say they believed it unlikely any other actor
than a nation-state could have carried out the attack, but it wasn't possible to attribute the
incident to any particular government.
And I'm pleased to be joined once again by Justin Harvey.
He's the Global Incident Response Leader at Accenture.
Justin, welcome back.
You all recently published your mid-year Threatscape report.
Bring us up to date.
What's the latest?
So the latest is we're seeing an uptick in various areas. The first one would be an uptick in Iranian cyber attacks around the world.
Particularly, we're seeing them heavily concentrated in North America.
And also we're seeing that affect multiple industries, particularly financial services and resources clients, which would be utilities, critical infrastructure,
things like that. Some of the other highlights that we're seeing, increased attacks versus
industrial control systems. As you know, your listeners hear about industrial control system
security or OT network security quite a bit on the show. So I'm really happy that it's getting
a lot of airplay and a lot of notice. But industrial control systems, Dave, are still really vulnerable to external attacks. It seems
like every week I'm having a meeting with a client that claims that their OT network is
completely air-gapped and there's no way to access it, but then you find out there's perhaps some
private VPNs to various vendors in the background, and it's not quite as secure as people thought.
And OT network security is also extremely difficult given the nature of the systems.
Number one, they are not considered IT systems.
So a lot of the maintenance, a lot of the people that are accessing them are
not your typical information security or information technology personnel. So it's not
very well understood that operating system, which is the same operating systems that we operate on
every day, typically Linux, Windows, if you can believe it, Solaris is still out there. They're actually very static.
They don't have a lot of the same tools that brethren systems and IT have. So it makes it a
little bit difficult to work on those. And it's also difficult because there is a lack of
understanding around the operational impact of making changes to these systems. And what I mean is,
if we're doing an incident response or a threat hunt for one of our resources, perhaps resources
customers, one of our critical infrastructure customers, let's say it's a utility, we being an
outside vendor, or even we from IT and information security, we don't know what would happen if we
rebooted this system that could have been compromised.
We don't know the operational impact.
Perhaps it's if you reboot that system, then the turbine restarts and power production ceases.
Or perhaps it's if you reboot that system or you make one little change to the registry and that system goes down, what happens to the manufacturing floor? Perhaps it stops production. Perhaps it creates an
environmental or a health and safety issue. So industrial control system security is still
a very big challenge. And we are seeing more and more nation state activity across those types of systems. And I guess to pick on one more
trend that we're seeing is that we're seeing more advanced persistent threat actors. So nation state
actors are not just focusing on areas of opportunity around OT networks, but we're also
see them, they are targeting more and more financial systems and they're doing things for financial gain. If you were to look at this from a cyber espionage nation state level,
I think it's very valid that these attack teams are starting to recoup some of the investment
costs that the nation states have been putting into them. Meaning, why make your cyber espionage team a loss leader? Why not
actually use that same attack team to go out and recover some funds and use them in different areas,
particularly with using digital currencies?
Yeah, if you're going to sack the city,
you might as well loot the banks while you're at it, I suppose.
Exactly. That is the thinking.
Yeah. All right. Well, as always, Justin Harvey, thanks for joining us.
And that's the Cyber Wire. For links to all of today's stories, check out
our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson,
Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.