CyberWire Daily - Stuxnet’s story. Watering hole was designed to attract China’s Muslim minority. USBAnywhere affects some Supermicro servers. Twitter’s CEO has his Twitter stream hijacked.
Episode Date: September 3, 2019
A report on Stuxnet suggests there were at least five and probably six countries whose intelligence services cooperated in the disabling cyberattack against Iran's nuclear enrichment program. The watering hole Project Zero reported last week seems to have affected Android and Windows as well as iOS devices, and appears directed against China's Uyghur minority. The USBAnywhere vulnerability affects servers. And no, those tweets last Friday weren't from Mr. Dorsey. Joe Carrigan from JHU ISI with thoughts on security onboarding as the fall semester begins. Guest is Rinki Sethi from Rubrik on the cybersecurity skills gap and the importance of diversity. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_03.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
A report on Stuxnet suggests there were at least five and probably six countries
whose intelligence services cooperated in the disabling cyberattack against Iran's nuclear enrichment program.
The watering hole Project Zero reported last week
seems to have affected Android and Windows as well as iOS devices
and appears directed against China's Uyghur minority.
The USB Anywhere vulnerability affects servers.
And no, those tweets last Friday weren't from Mr. Dorsey.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 3rd, 2019.
A report in Yahoo News offers details on the Stuxnet attack against Iran's Natanz uranium enrichment plant.
The authors, Kim Zetter and Huib Modderkolk, say that the US CIA and Israel's Mossad approached the Netherlands intelligence service AIVD, which had an asset close to Iran's nuclear program.
According to the story, that asset, described as a mole who had been trained as an engineer,
was able, over a protracted period of time, to deliver the Stuxnet attack code via USB to the air-gapped centrifuge controllers at Natanz.
The centrifuges were arranged in a cascade that separated out uranium hexafluoride gas containing the fissile uranium isotope uranium-235
from that containing the far more common uranium-238.
Uranium-235 can be used in fission weapons, whereas uranium-238 cannot.
Since the two isotopes are chemically identical,
they can only be separated by physical means, like a centrifuge.
That's what the 1,700 centrifuges in the Natanz cascade were being used for.
While the principal cooperating intelligence services were American, Israeli, and Dutch,
German, French, and British services are also said to have participated.
The agent on the ground is reported to have provided the American and Israeli services
with the technical information necessary for precision targeting.
Stuxnet was intended for the controllers at Natanz only,
not for any of the many other users of Siemens'
programmable logic controllers around the world.
The Dutch service became interested in Iran's nuclear program
when rogue Pakistani physicist Abdul Qadeer Khan
stole centrifuge designs from a Dutch company in the 1970s,
used them in Pakistan's nuclear program, and then sold them to other aspiring nuclear states,
including Libya, Iran, and probably North Korea.
AIVD infiltrated AQ Khan's supply network, which for the most part consisted of European consultants and
front companies.
It also succeeded in hacking email systems used by Iran's nuclear weapons program.
Thus, they had assets in a position to help when friendly powers asked for assistance.
Reports last week originating with Google's Project Zero that detailed watering hole attacks
against iOS devices
were amplified over the weekend.
Forbes reports that the attacks also affected Android and Windows systems.
There was speculation at the time of the initial reports that the attacks,
while relatively indiscriminate, were intended to target specific groups.
It now appears, according to TechCrunch, that the attackers were Chinese security services
and the targets were China's Uyghur minority. Google has received some criticism from TechCrunch
and others for what they regard as Mountain View's circumspection with respect to calling
out the involvement of China's government. As unrest continues in Hong Kong and Beijing's
reaction continues to escalate, Bloomberg and others report that Hong Kong protest organizers say that the Chinese government has mounted distributed denial-of-service attacks against LIHKG, the principal forum the protesters have used to coordinate their actions.
China has represented most of the online pushback against the Hong Kong protesters as the spontaneous reaction of patriotic expatriate Chinese,
and some of it is probably exactly that.
But the fissures that have appeared in the Great Firewall do seem to argue
that China's government did what it could to enable, encourage, and organize the patriotic hacktivism.
They also suggest that the government is doing a lot of its own propaganda.
As we head through the second half of 2019 toward 2020,
the cyber skills gap continues to challenge employers
as they try to find qualified workers to fill jobs in cybersecurity.
Rinki Sethi is Chief Information Security Officer at cloud data management company Rubrik.
In 2020, we're going to have millions of roles open for cybersecurity and not even close to that many folks in the cybersecurity workforce. And so there's going to be a very, very big talent gap. It already exists today, but it's going to get even bigger and even worse in the next few years.
So what do you think is causing that talent gap and what are some of the ways we can address it?
I remember when I first started my career, I had a computer science degree and there was maybe one cybersecurity course.
And I was lucky in college that that was even offered as part of the curriculum for a computer science program. I don't think that's changed much today. And so when folks are getting technical degrees, a lot of times there's these
very defined career paths that they'll take, whether it's development or they go into a support
type role. But for cybersecurity, it's not still a well-defined career. And there's still not a lot
of courses available in the education system to get young folks really acquainted with cybersecurity.
Now, I know something that you're actively involved with is getting young girls involved in cybersecurity, opening up that career pathway for them.
Can you share with us some of your efforts there?
I think it was a couple years ago that my daughter was playing a game on her cell phone
and it sent her a text message asking, we need some kind of authorization code for you
to get more coins for the game.
And she texted back saying, my dad's sleeping right now.
So let me get back to you once he's awake.
And I realized being in the cybersecurity profession myself, I haven't taught my own daughter the right skills. And there's a huge gap when it comes to teaching
kids about cybersecurity. They're introduced to new technology very, very early on. You see two,
three-year-olds with iPads and phones, and they know how to use technology. And yet we're not
teaching them the most important part, which is around cybersecurity. And so when I was at Palo Alto Networks, they saw the importance of we've got to introduce this to
kids at an earlier age. So we had signed a partnership with the Girl Scouts to introduce
the first set of national cybersecurity badges for kindergarten through 12th grade. And the idea
being that cybersecurity curriculum would be available to every single
zip code in the United States, such that now these Girl Scouts would not just learn about
cybersecurity, but would be able to teach their communities, teach their teachers, even teach
their peers, teach their parents and grandparents about cybersecurity and learn concepts early on
to benefit the community. But not only that, now they've been exposed to cybersecurity
and hopefully some of these girls will enter the workforce
as cybersecurity professionals.
And if they don't, they're at least going to carry some expertise
in whatever job that they do,
which is going to be very important for our future workforce.
And what has your own experience been like
as you've been building the teams that you've led
and the teams you've worked with?
How do you make sure that you have an open, welcoming environment for women who want to join you?
That's really important.
Having an environment that's inclusive, not just for women, but for all people of all different kinds of backgrounds.
I think it's a really important thing.
Obviously, it hasn't been easy for me.
I've been the only woman on many cybersecurity teams. I'm proud that at my last company, I had a team that was 50% women and 50% men, which is kind of unheard of in the cybersecurity field. I think that, you know, the way that I've done that is,
I go out and when I'm recruiting for talent, I'm not just looking for those that have careers in information security.
Because like I said, I think to fill the deficit that we're going to have, we're going to have to expand and look for, get creative with the type of folks we're bringing in.
People with different backgrounds, with different education backgrounds, different work experience that are really curious, that want to learn, that can then apply themselves to cybersecurity.
And so I've done that. I remember I've hired somebody with a journalism degree from Stanford
who had led security education and awareness for me as an example, but had run communications and
PR teams in her past, and then was using those skills to run an internal education and awareness
program at a previous company. And I
think when you get creative like that, you not only are bringing new folks into the workforce,
but it creates a very inclusive environment for women and for people of different backgrounds.
That's Rinki Sethi from Rubrik.
Eclypsium has disclosed a family of authentication vulnerabilities it discovered in the baseboard management controllers of Supermicro X9 through X11 servers. Eclypsium calls the vulnerabilities USBAnywhere.
Their exploitation could enable a range of USB-based attacks.
Krebs on Security summarizes reports that attackers running phishing expeditions
are paying increased attention to cloud providers.
In the case he discusses, the criminals were seeking credentials belonging to United Rentals customers.
They used a malicious link in a spoofed email that in fact sent the recipient to United Rentals' site,
but that also installed a malware package in the process.
Finally, Twitter CEO Jack Dorsey's Twitter account was hijacked Friday afternoon to display
racist messages.
The company fixed the problem, which it blamed on issues with Mr. Dorsey's cell phone carrier,
within an hour and a half.
The messages are said to have been puerile.
The Verge says a group calling itself the Chuckle Squad claimed responsibility.
The Chuckle Squad also hit a range of YouTube celebrities with similar hacks last week.
Law enforcement has been notified, and the Chuckle Squad may soon be given the opportunity
to giggle its way through a sabbatical at Club Fed.
Calling all sellers. ... showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute,
also my co-host over on the Hacking Humans podcast.
Joe, always great to have you back.
Dave, it's always great to be here.
We are in the midst of back-to-school season.
Yes, we are.
We had our orientation this past week.
At Hopkins?
Yep, at Hopkins, where we had all of our different new student orientations.
We have a bunch of different orientations, like undergrad, the ISI has their own orientation
and I was present at that.
Is there any sort of onboarding when it comes to getting the students onto the networks
on campus and all that sort of stuff?
All that stuff has to happen.
That stuff happens like in the last couple of weeks of August.
We have our own network at the Information Security Institute because, as you might imagine,
we do some stuff that the Hopkins security team doesn't want happening on their network.
It's all right.
I see.
We are actually outside of the Hopkins network, and we have engineers that manage that network as well.
And because we're not part of that network, we have to have all of the students signed up for their own domain access within the MSSI network.
MSSI is the actual degree that we give out.
It's a Master of Science in Security Informatics.
Okay.
And so, yeah, we have to go through this process of setting up user accounts, getting agreements from the users on the students on how they're going to use the system appropriately, telling them if you really think you're going to set up something that could be potentially malicious, we need to know about that in advance.
Right.
And we have a special place where you can put that that's really not even associated with our network.
I see.
And from time to time, we do get telephone calls from network security going, what's going on over there?
Because we're getting complaints.
It's a really interesting thing to think about how folks in the education industry have this huge onboarding every year.
And there is a lot of personal information that goes into this process.
And these people, you know, just think about signing a kindergartner up for school.
You have to give them a bunch of information.
You have to give them the name, the address, the parents' names,
who's eligible to pick them up.
There's medical information.
Medical information.
You have to have vaccination records and things like that.
So that's PHI, right?
And all this information is then stored presumably on a computer system.
Most school districts in the country are smaller than 2,500 students, right?
Because here in Maryland,
our school districts are organized by county.
Right, so they're bigger than most other places.
Right, like we live in Howard County,
so there's a Howard County public school system.
But in other parts of the country, it's not like that.
School districts are much smaller organizations.
And because they're much smaller organizations, they have less money, which means they don't have as much money for securing the data that they're collecting from these people.
And that can make them a target.
In fact, it frequently does.
Well, let me ask you this.
I mean, you have kids who are around college age.
Yes, I do.
It's the security talk. You're heading off to a bigger world. And there are going to be people who are going to try to steal your things.
Yeah.
When my son was in high school, I got him a cheap Chromebook that was sufficient to get him through high school and did everything he needed to do.
I like the Chromebook because the security is constantly being updated.
I think Google does a good job with it.
You could argue that Google is using all that information for data mining, and that's a risk I'm aware of. But I've decided that's okay with me. That's why I go with Chromebooks for my son when he's in high school. Now he's in college. He's using a laptop that's a personal computer-style laptop. So he's beyond the Chromebook. My daughter, who has now graduated from college and actually completed the cybersecurity track in her computer engineering degree, I think she's probably good.
She's telling you what to do.
Right. Okay. Fair enough.
And she's also grown up with me and my wife, and we all have a healthy dose of skepticism on a regular basis. My son's that way as well. He just might not be as technically astute.
All right. Well, I mean, it's a good time to sort of take stock, I think, and make sure as you send those kids out into the world, whether it be high school, middle school, or even off to college, check in with them. Just have a conversation. Make sure that they're where they need to be in terms of security.
Yeah. And be careful about the information you give to the school.
You know, if they're asking for your social security number, I don't know what they would ask for that.
Don't give them that.
Joe, when I was in college, my social security number was my student ID.
Mine, too.
It just makes me think about how many legacy bits of paperwork and records are on file on campus that all tie back to my social security number.
Yes.
Yeah. Good times. Good times.
All right. Joe Carrigan, thanks for joining us.
It's my pleasure.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, ...
Thanks for listening. We'll see you back here tomorrow.
... into innovative uses that deliver measurable impact. Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.