CyberWire Daily - Super Tuesday eve primary jitters. DoppelPaymer hits an aerospace supplier. WordPress plugins exploited in the wild. Vote for the catphish.

Episode Date: March 2, 2020

It’s Super Tuesday eve, and people worry about influence operations, both foreign and domestic. DoppelPaymer hits a precision manufacturer, and moves surprisingly quickly to expose stolen files. Vulnerable WordPress plugins are being exploited in the wild. And a catphish is running for Congress in Rhode Island--he’s even got the blue checkmark. Johannes Ullrich from the SANS Technology Center on the development of authentication issues in iOS, guest is Elvis Chan from the FBI on election security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_02.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 It's Super Tuesday Eve, and people worry about influence operations, both foreign and domestic. DoppelPaymer hits a precision manufacturer and moves surprisingly quickly to expose stolen files. Vulnerable WordPress plugins are being exploited in the wild.
Starting point is 00:02:13 And a catfish is running for Congress in Rhode Island. And he's even got a blue checkmark. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 2, 2020. Tomorrow is Super Tuesday in the U.S. Fourteen states will hold their Democratic presidential primary. The Washington Post, noting the ways in which occasions for influence operations are topical and closely tied to current events and popular sentiment, observes that several experts, including government officials, are expecting coronavirus to serve as fodder for attempts to suppress turnout.
Starting point is 00:02:57 There's been a great deal of misinformation about the COVID-19 strain of coronavirus gurgling about on the Internet. Most of that has involved the flacking of patently bogus cures, dodgy supplements and pharmaceuticals, and of course the sort of survivalist paraphernalia disasters tend to churn to the surface of the popular imagination. But Super Tuesday affords an opportunity to use public fear in the service of influence operations. Such attempts could be either foreign or domestic, especially since the South Carolina results, with the first strong
Starting point is 00:03:30 showing by former Vice President Biden, have caused the Democratic race to tighten. Consider someone desires for political reasons to suppress turnout, either globally or in certain districts. It wouldn't be difficult to spread a rumor to the effect that going to the local polling place is bound to expose you to a disease that you don't understand very well, but that seems very scary. Or suppose a campaign tanks where it was expected to run strongly. How difficult would it be to ascribe failure at the polls to a rival's conspiracy to scare away people with coronavirus worries. And of course, if you're a state operator, and of course we're looking at you, Russia, any confusion or mistrust is, from your point of view, just gravy.
Starting point is 00:04:21 The feds are, as they say, on the case, actively coordinating with and providing support for local election boards throughout the nation. Last week at RSAC 2020, we met with Elvis Chan, who is among the top experts on election security in the FBI. I think the beauty of the United States of America is we have the federal government, and then we have the state governments that are actually in charge of the election systems, right? So I think there's just a healthy tension, say, between the two governments, right? At the end of the day, the states are in charge of the elections. As a U.S. government representative, I totally get that. And so I think it's just continuing to build on the relationships that we have established with the different state,
Starting point is 00:04:55 county, and local election officials. I do think it's much better. We are at a much better posture than where we were in 2018. In terms of the professionals who are in the cybersecurity sector, what sort of things would you like them to know about the state of our elections here? So I would like the cybersecurity professionals to know that we're all on it. And it's really not just the U.S. government's job or even the state and county government's job. It is everyone's job. I would like to say for the upcoming election and for all elections, it is a whole of society effort and approach that we are hoping for. And we're really trying to sell that idea to everyone. Can you give us some insights
Starting point is 00:05:36 on some of the partnerships that happen between the various agencies, how all of you work together, the parts that you play to ensure the integrity of the elections? Yes, that's, I would like to say the interagency is working well. I really thought it came together, if we can use post 9-11 as a context, right? So it was really focused around counterterrorism, all of the different agencies involved in counterterrorism, DHS, FBI, CIA, NSA, right? So all working well in that space. And I feel like that has now migrated over to what is essentially a counter espionage, counter intelligence space, right?
Starting point is 00:06:14 So we work very well with the other agencies. I kid you not when I say that we either email or talk on the phone almost every day. I talk on the phone or email with one of those agencies every single day, and we're coordinating all on election security. We're all counting on each other's reporting, so there's no stovepiping, right?
Starting point is 00:06:35 So I get a daily email that has all of the election security-related reporting from the entire U.S. intelligence community every single day, and it is fantastic information. We're tracking on a lot of interesting stuff, a lot of good stuff, and working to counter and disrupt things that we see coming on the horizon. As a citizen, as someone here, a proud U.S. citizen, how do I calibrate my views on the upcoming election? There's so much information out there and so much coming from different sources saying, you know, bad things are going to happen or don't worry at all.
Starting point is 00:07:14 And as with many of these things, the truth is somewhere in the middle. From your perspective, for those of us who are going day to day about our everyday lives, what should we know about this upcoming election? I think what everyone should know is that all of us within the government, whether it be the U.S. government, state, county, local, we are all doing our best. We need the American electorate to be as informed as possible, right? And so I know that we live in an age, you know, of social media where we get to live in our bubbles, but I would ask all Americans,
Starting point is 00:07:47 let's all get out of our bubbles. Let's look at different viewpoints. Let's try to be informed with, I mean, I don't wanna use air quotes, but like trusted news sources. There are different news sources and I think Americans are smart enough to be able to look at different news sources
Starting point is 00:08:04 and then decide for themselves at the end of the day, listen to all of the different candidates who are talking and they should vote with, you know, being informed on all of that information. Really what I'm asking for is the American public, like go do your research. And then after that, you make the decision that you want to make on election day. I do want to make a plug on fbi.gov. We have an initiative called the Protected Voices Initiative. And if people just want to search on our website, they can go. There's a bunch of different training videos that have really good cybersecurity, very short cybersecurity videos, but it's helpful not only for political campaigns, but for us as the American public.
Starting point is 00:08:39 That's Elvis Chan from the FBI. RT is sniffing that accusations of Russian collusion go back to the Cold War. And so how about those nutty Yankees, huh? An uncluttered and hysterical lot? Just look at the kinds of TV shows they watch. Not a pretty sight, Drukmoj. And indeed, RT, an official Kremlin news source, by the way, offers a nice review of the ways in which U.S. presidents have been at various times accused of being Russian tools. But collusion is probably something of a red herring, as they used to say back in the Cold War.
Starting point is 00:09:15 Attempts at influence have been much more the thing, as RT ought to know better than anybody else, and those do indeed go back to the Cold War and beyond. There's been an interesting attack, which, while it doesn't appear to be directed against a supply chain, nonetheless may have supply chain effects. Visser Precision, a manufacturer with customers in several industrial sectors, disclosed over the weekend that it had been the victim of a cyber attack. TechCrunch reports that the attack was a ransomware infection, specifically an attack using the DoppelPaymer ransomware strain. Visser said in a brief statement to TechCrunch that the company continues its comprehensive investigation of the attack and business is operating normally. DoppelPaymer followed its recent pattern of stealing as well as encrypting data.
Starting point is 00:10:02 Emsisoft researchers told TechCrunch they'd found a website that listed the files stolen in the incident. On display were folders named for Visser customers. Those included Tesla, SpaceX, Boeing, and Lockheed Martin. Some, but not all, of the files were available for download. It's interesting that in this case the DoppelPaymer operators seem to have lost little time in exposing the stolen files online. Vulnerabilities in several WordPress plugins are being actively exploited in the wild, ZDNet reports.
Starting point is 00:10:34 Some of the affected plugins include Google Maps and Modern Events Calendar Lite plugins, where similar zero-days in Async JavaScript, 10Web Map Builder are being used. Also affected are ThemeREX, WooCommerce, ThemeGrill Demo Importer, Duplicator, and Profile Builder. And finally, in election news, there's a candidate for Congress in Rhode Island, Andrew Walls, who's running as a proven business leader and a passionate advocate for students. His campaign tagline is, Let's make change in Washington together. So, definitely a guy to watch.
Starting point is 00:11:11 Only actually, that will be hard because Mr. Walls is a catfish, the creation of an anonymous high school student in upstate New York. That is, Mr. Walls doesn't actually exist. But, real or not, Mr. Walls got himself a coveted blue checkmark from Twitter. The high school student who created Andrew Walls did so over his school's winter break because he was bored. We hope that unnamed student moves Andrew Walls onto some dating sites. We think Andrew Walls and Robin Sage would make beautiful music together.
Starting point is 00:13:51 And I'm pleased to be joined once again by Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute, also the host of the ISC Stormcast podcast. Johannes, it's always great to have you back. We've seen some developments in iOS when it comes to some authentication issues here. What's going on? Yeah, so one problem you always have with mobile devices, and in particular with mobile web applications, is that it's a real pain to log in. You're on the way to work, in your car, you know, coffee mug in one hand, phone in the other hand, trying to log in.
Starting point is 00:14:48 Steering with your knees. Steering with your knees. You're not going to type a complex password with lots of special characters and such. So that has been a real pain, and there have been sort of some workarounds for this. But there's sort of a real neat standard evolving. Many mobile devices now have some reasonably robust biometrics, like in iOS, lately you had this pretty good face ID, you had fingerprint scanners and the like. But what was missing really was a link between these authentication mechanisms that you have built in the phone and your web browser.
Starting point is 00:15:29 You could use them in mobile applications, but not necessarily in web-based applications. And with the latest version of iOS, Apple has finally caught up here and added some of these mechanisms into Safari on iOS. Android had a little bit longer, but you can't really write a web application these days that's just working for Android. It has to work at least for Android and iOS. Now, with that, you have a couple new options now. For example, you can use these USB or NFC security keys for authentication. And that works reasonably well for a mobile device and that you really only have to hold this little token close to the device in order to authenticate. So no typing involved on the keyboard. In general, if you are developing a web application these days, standard practice is now, you know, mobile first.
Starting point is 00:16:27 It has to work on a mobile device. And then the desktop browser is almost sort of a little bit an afterthought for that. You really have to apply the same to the authentication as well. It's not easy. You really have to come up with a reasonable good compromise between usability and security. And I highly recommend that developers start looking at FIDO2, some of these tokens, some of these standards that start showing up in web browsers to see if they can leverage that to secure authentication better. Now, in your estimation, I mean, is this a reasonable compromise? Is there a good balance of security and convenience here? sort of big issue. Late last year, I think it was sort of fall last year, in Europe, they came up with a new directive
Starting point is 00:17:26 where banks have to require a two-factor authentication for login. I know from my parents who live in Germany that I think they can still not reach any customer support at their bank. Pretty much has been overwhelmed since this directive came into place. It's not easy to really get the usability right of this.
Starting point is 00:17:46 And we really have security professionals to remember using 32 character random passwords that change once a day is not going to do the trick. So techniques like this, yes, you will read a lot about weaknesses in it, but you have to come up with a good compromise. And I think it's something, as a developer, you should look into. You should see how this could possibly apply
Starting point is 00:18:10 for your application. All right. Well, Johannes Ullrich, thanks for joining us. Thank you.
Starting point is 00:19:25 Thank you. field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri,
Starting point is 00:19:41 Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Thanks for listening. We'll see you back here tomorrow. Thank you.