CyberWire Daily - South Carolina primary affords the next test of US election security. Cerberus evolves. Bot-driven fraud. FCC to fine wireless carriers for location data handling. FISA changes.
Episode Date: February 28, 2020
South Carolina prepares for tomorrow’s primary, confident that it will be able to conduct the vote securely and without disruption. An evolved version of the Cerberus Trojan has been spotted. Bots are making fraudulent appeals for brushfire aid to the Australian Red Cross. The FCC is preparing to fine four major wireless carriers for mishandling user geolocation data. Proposed changes to FISA surveillance in the US. And farewell to RSAC 2020. Partner is Mike Benjamin from CenturyLink with observations from RSA; guests are magicians Penn and Teller with insights on deception and social engineering. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_28.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
South Carolina prepares for tomorrow's primary,
confident that it will be able to conduct the vote securely and without disruption.
An evolved version of the Cerberus Trojan has been spotted.
Bots are making fraudulent appeals for brushfire aid to the Australian Red Cross.
The FCC is preparing to fine four major wireless carriers for mishandling user geolocation data.
Proposed changes to FISA surveillance in the U.S.
And a farewell to RSAC 2020.
From the 2020 RSA Conference in San Francisco, I'm Dave Bittner with your CyberWire summary for Friday, February 28, 2020.
The U.S. state of South Carolina holds its presidential primary tomorrow.
The voting there, unlike the very troubled Democratic caucus in Iowa,
will be run by state election officials, not the political parties themselves.
One of the technologies in use in South Carolina will be closely watched.
The state is using touchscreen voting machines during this election cycle.
The machines do produce a paper ballot, but some observers have expressed concern that those ballots will prove less reliable than a traditional hand-marked paper
ballot. Machines, the fear runs, are susceptible to hacking or sabotage in ways that pen and paper
are not. The Washington Post summarizes security measures in place for tomorrow's voting.
State and county officials have been training to manage election cyber risks for two years.
Paper ballots are available as a backup should problems arise with the new touchscreen voting machines.
Both the State Election Commission and the state's Democratic Party are monitoring social media for disinformation.
Only the Democrats will be holding a primary.
The South Carolina Democrats also have lawyers standing by in three cities, ready to respond quickly to reports of
either disinformation or voter suppression. And finally, the party has a room full of millennials,
social media jockeys, who will presumably take care of counter-messaging against misinformation.
Transparency is tough enough without even attempting fact-checking or counter-messaging.
Facebook, the New York Times reports,
is having trouble keeping up
with presidential candidate Mike Bloomberg's meme troop.
Mr. Bloomberg's campaign has paid influencers
to post content favorable to them.
It's also hired what Reuters calls
hundreds of digital organizers
to send content out through their personal accounts.
None of this seems illegal, to be sure,
but Facebook worries that it comes close to a breach of Menlo Park's terms of service.
It's not coordinated inauthenticity,
since the influencers and organizers are who they say they are,
but it does seem to the social network that this kind of hiring
amounts to sailing pretty
close to the wind. Some of the memes are amusing in a self-deprecating way, with the occasional
intrusions of leetspeak like LFMAO mixed with suggestions that Mr. Bloomberg means well but
doesn't quite get it, like addressing a message to Mrs. Dow Jones. Business Insider has a good sample, if you're curious.
The campaign is said by the New York Times to be the work of Meme 2020,
a young company that works memes in social media,
the way Madison Avenue used to work jingles on radio and broadcast television.
ThreatFabric research indicates that an evolved version of the Cerberus Android banking trojan
can now steal Google two-factor authentication codes.
And Cerberus is now also a RAT, with serious remote access functionality.
ThreatFabric thinks that the new Cerberus is in a testing phase,
but it can be expected to move into widespread use soon.
The Australian Red Cross is being flooded with bot-driven fraudulent requests for
brushfire aid, SBS News reports. The staff is able to weed out the bogus cries for help,
but it's time-consuming and wastes resources, working harm and doing nobody, not even the
criminal botmasters, any good. Reuters says that the U.S. FCC is preparing to fine four major mobile carriers, AT&T, Verizon,
Sprint, and T-Mobile U.S., a total of $200 million for improperly disclosing real-time consumer
location data. In May 2018, the FCC began investigating reports that a flawed website
could enable mobile phone users to be geolocated. That inquiry subsequently expanded to cover other ways
in which third parties were using customer location data.
U.S. Senator Rand Paul, Republican of Kentucky,
tells the Wall Street Journal his proposal to rein in FISA has White House support.
The Foreign Intelligence Surveillance Act, signed by President Carter in 1978,
established a FISA court to oversee
requests for surveillance of U.S. citizens for counterintelligence or national security reasons.
Senator Paul's proposed amendment would require the government to obtain warrants for such
surveillance from ordinary federal courts, as they do now in all other cases.
RSAC 2020 wraps up today, and we'll close our coverage of the event with this podcast.
We're still coming to you from San Francisco, that city by the other bay. Some final thoughts
on the conference. It seemed to our people on the floor that the companies who attended this
year's conference found the traffic a bit lighter than in some previous years, but that they found
the conversations they had with visitors to their booths noticeably more productive. There were, one exhibitor remarked, fewer swag baggers,
and we're proud to say that our decision to leave certain members of our editorial staff back in
Baltimore contributed to this positive winnowing, but there were many people who proved to be
quality leads. So, in general, apparently a satisfying conference.
Thanks to all who visited us on Broadcast Alley.
Don't be strangers.
It was great meeting you all.
I hope to see you all again soon.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Mike Benjamin.
He's the head of CenturyLink's Black Lotus Labs.
Mike, it is great to have you join us here at the RSA conference.
Thanks for having me, Dave.
So we are a couple days into the conference as we record this,
so I feel like we really had a chance to get a sense for the tone of the conference overall,
what's on people's minds.
What's your sense as you walk around?
What sorts of things are rising to the top of your attention?
You know, I thought it was interesting this year. I walked the floor last year and I left
feeling that everybody needed to say the words AI in every booth and conversation. And there's
still some token AI use here and there. But I think it's calmed down a little. People are maturing
and understanding how to use statistics in their work and not trying to sell as much maybe snake
oil with some of their capabilities. But overall, industry maturing, I think, is probably the
biggest take home I would take this year. How do you think that manifests itself in terms of
the maturity? It strikes me that there's no shortage of startups.
And I would imagine with maturing comes consolidation.
Maybe we lose a little bit of, like you say,
some of that breathlessness with the hype
with some of the technologies.
What does that mean to you?
Well, you know, one thing I find is that
once people get informed on a topic,
they know how to ask questions.
They actually can ascertain
whether something's good or bad and
you know, the "I can prevent any malware on Earth" statement persisted quite a few years ago, and
that went away pretty fast too, right, as people learned, you know, that's not possible. Explain to
me what you're actually doing that's different, and people can ask for themselves whether
they should go forward with the technology, whether they should adopt a new trend, and where it fits into their defense-in-depth strategy as a buyer.
What sort of messaging are you all putting out from CenturyLink?
What are some of the things you're sharing this year?
Well, there's a few things we focus on.
Obviously, we're a massive telecommunications company,
and so we have an opportunity to make security simple for our customers.
So if you'd like to block a threat, we are already carrying those customers' traffic.
We really have an opportunity to block things, filter things.
And so simplicity, and then the visibility that we get from our networks, that's what we're looking at at Black Lotus Labs.
When I'm on the show, we're talking about the threats we're able to glean from that knowledge.
And so can we make it simple while still blocking
with the knowledge we have from an advanced threat basis? Is there anything as you walk around that
you feel isn't getting the attention it deserves? Well, it's sad to say, but it's the simple
blocking and tackling and risk understanding, the GRC basics that every company here has to worry
about. There's not enough booths really just
helping them with the basics of running their program. A lot of it tends to be whiz-bang
technology rather than focused on, you know, here's what it takes to run a security program
and how can we actually help you with it? We as an industry do tend to get really excited about
those advanced actors and those advanced malwares. And I'm guilty of it too. I love those topics. They're really fun to learn about. But at the end of the day, your average CISO really needs to run
a program and that's what the industry needs to help them with. What do you get out of a conference
like this for yourself attending from an educational point of view, from your own personal
enrichment? What do you go home with? That's a great question. I'm going to give away my secret here.
So apologies as I do it.
I walk to the smallest booths possible
and I go have conversations.
They tend to be staffed by the people
who actually built the technology
or really ingrained in how they're helping their customers.
There's some great ideas that come out of those companies.
There's some great conversations to be had.
You tend to get the pulse of what new ideas are coming out
out of the fringe vendors, the fringe folks.
And then I really enjoy seeing all the folks
that I work with in person, right?
We as a security community,
we definitely adopt the technology.
We're all in way too many Slack channels
and Keybase and signal messaging.
It's good to shake a hand and see the people
that you work with and build those relationships. Because at the end of the day, we all have to
work together to raise the cost of how actors are being successful if we're going to have a chance
stopping them. Yeah. All right. Mike Benjamin, thanks for joining us. Thanks, Dave.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
RSAC 2020 wraps up this year with magicians Penn and Teller joining RSA Program Committee Chair
Hugh Thompson and Carnegie Mellon's Lori Cranor on stage to share their insights into human
behavior and security fallibility. I caught up
with Penn and Teller before the show. When you're doing a con one-on-one or even conning in a
pyramid scheme a few thousand, there's some sort of investment to get over the hump, whether that's
having to expose yourself to possibly being busted.
But the thing about phishing scams is you can send out 100 million emails, and all you
have to do is hit your most vulnerable.
So whereas someone who's doing a pigeon drop scam or any of these get rich quick scams or even paving your driveway scams or any
of that.
You have to find an older person in their home.
You have to go there.
You might be bumping into an ex-law enforcement person who's aware of this stuff.
There's a lot of risk. When you're sending out hundreds of millions of emails,
you don't need to get close to one hundredth of one percent
to be able to hit.
So you can dumb them down tremendously to protect yourself.
You don't want to get someone on the hook who is at all savvy.
Right, right.
So there's a, the difference in numbers
changes the whole con thing.
Although it does come down to, you know,
and you don't want to overstate this
because you end up blaming the victim for the crime,
which is always a mistake.
Right.
But it does come down to something for nothing.
And you, you have to be very careful of that.
You're not going to be offered the deal
that's something for nothing.
And it's very hard to remember that
because it's very seductive.
But once again, I don't want to get close
to blaming the victim for the crime.
We do that so easily in scams,
going, oh these people that fall for this are stupid,
or these people, I mean it's a small step from there
to, you know, she shouldn't have been dressed like that
walking down the street.
It's a small step to that, and it's deeply, deeply immoral.
Yeah.
Do you feel as though, with the perspective that you have,
with the knowledge that you have,
like, I'm imagining if you're walking down the street
and you see someone doing a shell game, you know, you know what the mechanisms that are going on, you can watch that
from a different point of view than me. No, no, no, because that's part of the lie. You know,
when David Mamet writes about scams, it's always this kind of beautiful interplay that shows basic human needs and desires.
That's not what's going on in three-card monte.
If Teller and I were to go up and know every single move
and be able to see the move, which we couldn't do anyway,
but let's postulate that we could,
we could see the move and therefore be able to make the bet
and stop them from doing the turnover and stop all of that.
There are six people working that scam and they will pull you in the back alley, beat you up and take your money.
I see.
It is not someone outsmarting you at a game.
It is somebody who is a thug, a bully, a violent person operating outside of the trust of society who will hit you.
So if you were able to say that's where the queen is, hold the person's hand back,
turn over the queen, show that to them triumphantly,
they are not going to go jolly good, well played, here's our money.
They're not going to say that. So we can't pretend that people,
and there's even that romance that goes on in phishing scams. Here's how smart they were to
throw a thumb drive in the parking lot that someone picked up and checked it out. The people
that decide to do that are operating outside of our rules. So if you were to outsmart them, they will beat you up.
But is it fair to dismiss what might be
a certain level of craft?
They've become good at it through practice, yes.
I think the craft, you know, you'll always see this stuff
like, oh, pickpockets.
Right, right.
They're so good and so quick at the handoffs.
Yes, compared to someone doing it for the first time,
not compared to the Olympic relay team.
Right, right, right, right.
You know, and the people who have clever phishing scams are not anywhere near the level of the people
who developed Unix at Bell Labs.
You know, it's just, we make a big mistake
when we glorify anything about this.
I've often wondered, like, you know, to me,
a close-up sleight-of-hand magician
would never have to pay for a candy bar
unless they wanted to, right?
No, it's a different skill.
It's a different skill.
But you understand what I'm, I mean, my point that
The point is that you
You choose.
No, everybody chooses.
Right.
You do not have to pay
for a candy bar.
I can assure you
that you have been
at a convenience store
Right.
when someone wasn't
watching you closely
that you could have
stuck it in your pocket.
There's no special skill to stealing.
There really is no special skill to stealing.
You know, most of your robberies are opportunist.
The idea of the clever heist, the Ocean's Eleven, is essentially a fiction.
There's a few stories of very clever robberies,
but those stories are,
there's two dozen of them over the past hundred years.
I mean, they're just not.
There's the one with the dice being switched
at a table on innocent people
while something else is happening over there
that's very, very clever.
And that's something that happened in the late 60s
that is still brought up as the one clever scam.
Mostly, it's people who are,
most of your crimes are done by
high, stupid, incompetent people
who are willing to perpetrate violence on other people.
I don't think there's any difference in the cyber world.
Podcasting is an audio medium, obviously.
You have your podcast.
Are you aware of any, of the existence
of any audio-only magic tricks?
Is magic a visual medium?
Everybody's, there's a bunch.
You know, there's our mentor, Johnny Thompson, used to talk about radio tricks in a live show where the visual is there.
We have tricks in our show that we hope you don't notice, but you aren't really seeing very much.
You are counting on the audience reaction and our reaction and the way it happens there
and it's not actual close-ups of what's happening.
Magic is, to me, an intellectual medium
more than, when you're talking about pure illusion,
which to me is the lowest form of magic,
just something that looks one way instantly.
You know, the stuff that is done with mirrors or optically.
I think that's the least interesting kind of magic.
The most interesting kind of magic at one level or another,
I believe, is psychological.
So there I've been,
there have been okay audio,
audio only magic tricks.
They are harder.
Just like TV-only magic tricks are much harder because you really want to be in the room
so that the rules of time and physics cannot be manipulated.
The problem with magic on television
is the most amazing magic trick we could ever do
happens every 20 seconds on TV,
which is a different point of view.
If we could suddenly have you looking at us from over there,
it would be the most phenomenal magic trick ever done.
And yet on TV, all the time.
On TV you have Avengers, you know,
you have all that that's showing.
So audio has kind of that same problem.
If we do a trick right here for people that you know
and you understand that they are being honest
and they are sincerely shocked,
that's very different than someone you don't know in audio.
So I would say that it's not so much the difference between sound and light
as it is the difference between immediacy and real in the room.
Our thanks to Penn & Teller for joining us.
We'll have a longer version of this interview on an upcoming episode of our Hacking Humans podcast,
so be sure to check that out and subscribe.
Special thanks to CyberWire producer Jennifer Eiben for coordinating our interview with Penn & Teller.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.