CyberWire Daily - Special Counsel Mueller speaks about his investigation of Russian influence in the 2016 US presidential campaign. Iranian coordinated inauthenticity. BlueKeep, Pegasus updates.
Episode Date: May 29, 2019
Special Counsel Mueller makes his first public statement about the results of his investigation into influence operations surrounding the 2016 US Presidential campaign. He says his first statement will also be his last. FireEye identifies Iranian coordinated inauthenticity in US 2018 midterm elections, and Twitter and Facebook take down the offending accounts. Notes on the BlueKeep exploit. More Pegasus infestations. Reality Winner revisited. Updates on Baltimore ransomware. Ben Yelin from UMD CHHS reacts to allegations that NSA may have some culpability in the Baltimore ransomware incident. Guests are Julie Bernard from Deloitte and John Carlson from the FS-ISAC on the recent report, “Pursuing cybersecurity maturity at financial institutions.” For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_29.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Special Counsel Mueller makes his first public statement
about the results of his investigation into influence operations
surrounding the 2016 U.S. presidential campaign.
He says his first statement will also be his last.
FireEye identifies Iranian-coordinated inauthenticity in U.S. 2018 midterm elections,
and Twitter and Facebook take down the offending accounts.
Notes on the BlueKeep exploit, more Pegasus infestations,
Reality Winner revisited, and updates on Baltimore ransomware.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 29th, 2019.
In his first public statement since completing his investigation into alleged influence operations and conspiracy during the 2016 elections,
Special Counsel Robert Mueller spoke to the media briefly this morning from the Justice Department.
After discussing the scope of his investigation, he quickly reviewed the indictments of Russian actors who engaged in hacking campaign networks,
mostly Democratic, although he didn't
name parties, and used WikiLeaks to retail the results of their doxing, and he did call out
WikiLeaks. He also reviewed the indictment of a private Russian organization, the Internet Research
Agency of St. Petersburg, although he didn't name them, for using social media in an attempt to
influence the election. The special counsel scrupulously stressed that everyone under indictment
is entitled to the presumption of innocence.
He described his report as having two parts.
Volume 1 dealt with efforts emanating from Russia to influence the election.
This portion of the investigation concluded that there were such efforts
and that there was insufficient evidence to charge any U.S. persons with conspiracy. The second volume dealt with possible obstruction of the investigation.
Here, Mueller stressed that the report made no determination of whether the president in
particular committed the crime of obstruction. The Constitution, he explained, precludes charging
a sitting president with a crime. Should a sitting president be suspected of a crime,
the Constitution prescribes other remedies.
Investigation of a sitting president is, of course, possible, he added,
and such investigation can preserve evidence
or result in charges being brought against others.
But by regulation, the special counsel had no option
to charge the president with a crime.
Thus, the special counsel ruled out making any determination
of whether the president might be charged with obstruction.
In addition to Justice Department rules and constitutional considerations,
Mueller cited a principle of fairness.
It would be unfair for a report to accuse someone with a crime
they cannot be formally charged with,
and so have their opportunity to be heard in court.
With that, the Special Counsel declined to offer comment on other conclusions or hypotheticals about the president. Special Counsel Mueller said he'd asked the Attorney General to release only
parts of the report, but Attorney General Barr preferred to make the entire report largely public,
and Mueller took no issue with this. At the end of his brief statement, Special Counsel
Mueller said he had no intention of speaking again, nor would he take any questions. Any
testimony he might render to Congress would not go beyond the contents of the report.
"The report is my testimony," as he put it, adding that "access to our underlying work product is
being decided in the process that does not involve our office." The statement as a whole took less than 10 minutes.
FireEye identified extensive coordinated information operations in support of Iranian
interests during the U.S. midterm elections. Inauthentic accounts tended to express opposition
to President Trump, but their ideological slant, in American terms, was opportunistic.
Some of the lines pushed represented themselves as progressive, others as conservative, but their common goal was to advance
Iranian policy. The tendency was, in general, anti-Republican, but again, it's important to bear
in mind that this was opportunistic. The overall goal was to advance Iranian views. Both Twitter and Facebook, tipped off by FireEye, have removed the accounts in question.
Politico observes that the Iranian activity indicates that other governments are cribbing from Russia's information ops playbook.
Exposing that playbook can be dangerous, as The Times explains in a profile of troll-hunting Finnish journalist Jessikka Aro, who's drawn death threats for her work.
The Cyber Risk Services team at Deloitte
partnered with the Financial Services Information Sharing and Analysis Center,
that's the FS-ISAC,
to survey members on how they handle budgeting
and risk management for cyber vulnerabilities.
They recently published their report titled
Pursuing Cybersecurity Maturity at Financial Institutions.
Julie Bernard is an advisory principal in cyber risk services at Deloitte, and joining her is John Carlson, chief of staff at the FS-ISAC.
Financial planners look at efficiency ratios and leverage ratios as they evaluate companies.
Is there an equivalent in the cyber marketplace for measuring the effectiveness or efficiency of a cyber program? Yeah, there's a
lot of data in the report. One of the things I want to focus on in the time we have today is
you go through what you describe as cybersecurity maturity levels. Can you walk us through what
they are and how you came up with the different
categories? We did not come up with the categories. We have borrowed them from the NIST
cybersecurity framework. So whereas in my history, serving firms and doing maturity scores,
we often use like a CMMI level one through five. In this case, we borrowed from our friends at NIST. They have a
more one to four type relationship. And so they use partial, informed, repetitive, and adaptive
as their descriptors of maturity level. And let's focus in on the highest level there,
which I suppose is adaptive. What are the aspects of an organization that falls into that category?
John? Well, I mean, adaptive in the sense that our members are constantly monitoring what the
threat environment is looking like through the sharing of voluntary information by disseminating
information that we receive from U.S. government partners and other companies that do threat intelligence work.
So they're constantly looking at that information and making adjustments to their information
security programs to respond to the changing threats. So it's that ability to constantly adapt
the cybersecurity program to deal with the evolving threat. And that also means leveraging best practices,
both in terms of governance, in terms of intelligence and information sharing,
and then resiliency in the form of exercises and developing crisis response playbooks that will
ultimately help the firms that they work for improve their security and protect their customers.
Now, Julie, one of the things the report digs into are the defining characteristics of advanced
cybersecurity programs. These are the organizations that are running at a high level. What are the
characteristics that set these companies apart? Well, to reinforce what John just said, it's the adaptive nature of that.
Most often they have C-suite visibility, whether the CISO actually reports to the CEO or a CIO,
chief operating officers, chief risk officers, and then your financial services clients.
Usually there is a straight line to one and a dotted line potentially to one
or more of those types of roles.
So that helps because it gets them visibility at an executive level.
There is also a higher level of board interest and board involvement, reporting to the board
on a fairly regular cadence on both their strategy, as John mentioned, what the current
threats and risks are that are impacting them in the environment,
and a little bit on their program status. And almost half, 48% of the respondents said that
cyber is on the board agenda at these companies at least once a quarter.
Cybersecurity is a team sport. And that's why it's so important to have a strong tone set at
the very top of the organization. As Julie noted, it's on the agenda
for most of the board meetings. It's a top priority for the CEOs as well as chief risk officers,
in addition to the chief information security officers, which we work with most closely.
But it's also about kind of embedding security into the culture, into the business lines, so that firms take advantage
of the protections that are necessary, given that cyber is really everywhere in the business
these days.
So that aspect of it's a team sport.
You've got to have leadership at the top.
You've got to have strong implementation that goes deep into the business lines.
And it's not just something that a security officer is imposing standards and requirements.
It's something that's built into the DNA of the company.
That's John Carlson from the FS-ISAC.
He was joined by Julie Bernard from Deloitte.
The report is titled, Pursuing Cybersecurity Maturity at Financial Institutions.
You can find it over on the Deloitte website.
Errata Security thinks that roughly a million machines are susceptible to exploitation of the BlueKeep Remote Desktop Protocol vulnerability.
Trend Micro has looked at the risk BlueKeep poses and concludes that while it may seem easy to trigger,
actually achieving code execution on a target would be incredibly challenging.
A more realistic danger, they think, is inducing DHCP server service crashes,
a denial-of-service condition that could enable attacks via a rogue DHCP server.
Forbes reports that other Saudi dissidents were infected with Pegasus spyware
before the apparently Pegasus-connected, perhaps enabled, murder of Jamal Khashoggi.
One of those affected is a Saudi dissident.
The other is a well-known comedian, by YouTube standards,
who's long devoted himself to lampooning the Kingdom of Saudi Arabia.
Both targets reside in London,
which lends an unpleasant international complication to the matter
from the Saudi government's point of view.
An essay in The National Interest argues that Abu Bakr al-Baghdadi,
sometimes self-proclaimed leader of the now territory-less caliphate,
is reorganizing ISIS.
The terror group would now survive as a virtual community
with local franchises operating murderously on the ground.
The Easter massacres in Sri Lanka would serve as a template for further inspiration.
Huawei alleges that U.S. sanctions amount to an unconstitutional bill of attainder.
The company claims that Section 889 of the National Defense Authorization Act 2019
is the offending legislation.
A bill of attainder, forbidden by Article 1, Section 9, Paragraph 3
of the U.S. Constitution, is legislation that imposes an extrajudicial criminal penalty on an
individual or group. Huawei says that the National Defense Authorization Act, by barring U.S. federal
agencies from using the company's products, amounts to exactly that. Kaspersky Lab took a similar line
in court against its own ban.
They weren't successful, and most observers think it unlikely that it will work for Huawei either.
But Huawei's real audience is probably the media and not the federal bench.
Reality Winner, the former U.S. Air Force member and post-service NSA contractor,
is currently serving five years and three months under the Espionage
Act for taking a classified report and sending it to a news outlet, in this case, The Intercept.
Her mother, understandably, thinks Reality is a patriot being held unfairly and hopes to see her
pardoned by the president. Some of President Trump's tweets have in the past suggested he
might be open to such a pardon, despite the strong and intemperate
language Ms. Winner used about him in her various social media accounts. Pre-arrest, that is.
on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for
cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University
of Maryland Center for Health and Homeland Security. Ben, it's great to have you back.
I wanted to touch base about what's been going on in the city of Baltimore with their ransomware situation. There's been a lot of attention. The New York Times, The Washington Post and security pros on Twitter and other places have weighed in on this notion that some of the tools that perhaps had enabled this attack on Baltimore came from NSA.
Yeah, so we're in week three of the ransomware attack here in
Baltimore City. It certainly had tangible effects. I haven't gotten a water bill, which might be a
blessing for the moment, but I'm sure I'm going to be owing back pay in the months to come. But
it's had far more serious effects in terms of people being unable to record real estate deals.
You've heard there are these health databases that notify the public about bad batches of recreational drugs. That's been down.
So it has life and death consequences.
And we found out that the tool used by the hackers, and we still don't know who these hackers are, whether they are rogue foreign actors, whether they represent a nation state.
But now, apparently, we know that the tool they used is something called EternalBlue, and it was originally developed by the National Security Agency several years ago.
The NSA, as we know, has both offensive and defensive purposes.
They are charged with protecting the cybersecurity of our entire country, including states and localities. And as part of their work, their job is to identify flaws in the most commonly used
systems and networks. They had discovered a flaw in Microsoft's system several years ago,
and they developed this tool to potentially expose that flaw.
In the intervening period, two things have happened.
One, Microsoft very quickly came up with a patch to that vulnerability.
So all of its updates include that patch.
So theoretically, if states and localities have been updating their systems, that patch would have been in place.
But most dangerously, the information in regards to this EternalBlue tool was released online in 2017 by a group called the Shadow Brokers.
Right.
And two years later, we still don't know who this
group is, whether they're rogue actors, whether they represent a nation state. There's been this
sort of discussion as to whether the NSA can be blamed for both developing this dangerous hacking
tool and having it leak publicly on the internet to be used for some of the world's worst cyber actors.
I certainly think it's a legitimate debate, although I understand the NSA's role in doing
what they can to identify vulnerabilities in our system for the purpose of protecting them against
bad actors, and knowing that these types of NSA leaks or their own security vulnerabilities are going to happen.
We saw it with Edward Snowden, a low-level contractor in 2013, and we saw it with the shadow brokers.
Just because the NSA was unable to protect that information, there is something that states and localities could have done, which is to institute all updated security patches.
And I think that needs to be the lesson going forward. Microsoft reacted quickly as soon as
this vulnerability was identified. They came up with a security patch. And for whatever reason,
cities and states across the country have been slow to update their networks. And that's opened
the door for bad actors to find these vulnerabilities and cripple our networks.
It's interesting. I mean, a couple of things come to mind.
First of all, my understanding of this attack on Baltimore is that while it made use of EternalBlue,
that was primarily what allowed the ransomware to spread, to move laterally within the network. It wasn't the way that they got in,
which is interesting. It was an additional functionality that they were able to use there.
I have to say, and I suppose that part of this is just a local affection for the city, but boy,
my heart goes out to Baltimore on one side because it's a city that has had a lot of trouble lately, sort of kicking them when they're down.
But on the other hand, as you say, it's been two years.
And this is a basic functionality with something as serious as EternalBlue.
When there's patches available, at some point you have to scratch your head and wonder why couldn't the city have been more up to date or just kept on top of this?
Absolutely. And, you know, I think our first instinct really should be sympathy.
Baltimore's been through a lot, particularly since 2015.
that is strapped for resources, and it's always easier after the fact to say that you should spend time and resources updating Windows software on every single device at City Hall. I get that,
and I think we have to come at a place of understanding. But this is really just a lesson
going forward, and institutional knowledge to institute these patches, this is just a lesson
learned as we go forward.
Tough and expensive lesson for sure.
Absolutely.
Ben Yelin, thanks for joining us.
Thank you.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.