CyberWire Daily - This cybersecurity stuff is tougher than it looks, US state election officials learn. Saudi surveillance. Espionage in Iran. New attack varieties. Chinese hardware concerns. US sanctions chipmaker.
Episode Date: October 30, 2018
In today's podcast, we hear that installing cybersecurity tools to protect elections is tougher than it looks. Information operations continue to pose the most prominent foreign threat to US midterm elections, although there are concerns about voting machine security. Cointracker looks like a trader's tool with a side order of malware. Video embedded in Microsoft Word documents can carry malicious payloads through detection systems. Hardware worries and sanctions. Competing visions of norms in cyberspace. Robert M. Lee from Dragos with thoughts on the real-world threat of electromagnetic pulses. Guest is Rahul Kashyap from Awake Security on the skills shortage and the importance of mentorship. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_30.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Installing cybersecurity tools to protect elections is tougher than it looks.
Information operations continue to pose the most prominent foreign threat
to U.S. midterm elections,
although there are concerns
about voting machine security.
CoinTracker looks like a trader's tool
with a side order of malware.
Video embedded in Microsoft Word documents
can carry malicious payloads
through detection systems.
We've got some hardware worries and sanctions
and competing visions of norms in cyberspace.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary
for Tuesday, October 30th, 2018.
Here's a challenge most corporate CISOs will find has a familiar ring, but U.S. state election officials seem to be encountering it as a novelty.
They're gratified by offers of free security tools from cybersecurity companies,
but as many CISOs would authenticate, they're finding those tools confusing,
and in many cases beyond their ability to use.
The companies and the tools they're offering are well-known and quite reputable,
so this isn't a case of snake oil peddlers passing out loss leaders in Hicksville.
Cyberscoop and ZDNet note the companies who've made the offers
and they're names you'll recognize and may well use yourself.
McAfee, Cloudflare, Jigsaw, which is a Google offering,
Synack, Akamai, Cylance, Centrify, Microsoft,
Valimail, Facebook, Symantec, Netscout,
and 1Password.
And this is by no means a complete list.
We think, from what we've seen, that while of course companies want to showcase their
products and solutions, there's a genuinely public-spirited impulse behind a good many
of their offers.
There are some concerns about the technical security of the voting infrastructure, worries about hacking proper.
There have been complaints of glitchy voting machines in Texas, for example,
and there's a certain climate of uneasiness, according to the Washington Post,
surrounding the companies that produce the tools used at the polling places.
The Post notes that three companies, ES&S, Dominion Voting Systems, and Hart InterCivic,
supply and service about 90% of the country's voting machines
and that their security could do with an outside look.
The companies themselves say concerns are overblown.
But at least with respect to the U.S. midterm elections,
most of the foreign cyber operations observed continue to be influence operations
conducted over social media by bots and sock puppets.
Their activities are opportunistic and inflammatory.
They're not so much interested in any particular electoral outcomes as they are in inducing mistrust along pre-existing fissures of the targeted societies.
Their messaging, therefore, is negative, destructive,
not aimed at pushing any particular worldview,
but rather at demolishing such worldviews as may conduce to healthy civil society.
So the challenge is so far mostly one of information operations,
and in this regard Russia especially is seen as playing a weak hand very effectively.
It will be interesting to learn how U.S. Cyber Command's troll hunting has been proceeding once that history can be told. In the meantime, good hunting to everyone
at Fort Meade. The problems of election influence are, to a significant extent,
problems for the private sector. Facebook in particular has been working not so much on
viewpoint censorship or content moderation as it has on identifying and
expunging what it calls coordinated inauthenticity, finding bots and bogus accounts and booting them
off its platform. The same has been true to a markedly lesser but still discernible extent of
Twitter. The approach seems promising because it seems to offer some promise of success without
doing violence to freedom of speech or association,
and since bots, not being even artificial persons, enjoy no natural or legal rights.
There are, however, signs of a growing appetite for censorship,
a tendency against which organizations like the Electronic Frontier Foundation have for some time cautioned.
Iranian officials say President Rouhani's phone was recently compromised
and would be replaced. Their announcement was terse and offered neither details nor attribution,
but the AP notes that the greater and lesser Satans operating from their respective hells
of Washington and Tel Aviv are the usual suspects in Tehran when it comes to Iranian
suspicions of espionage.
As the controversy over the murder of Saudi journalist Jamal Khashoggi continues,
and with it concerns about Saudi policy toward dissenters generally,
Motherboard describes the apparent role played by Saud al-Qahtani,
a.k.a. Mr. Hashtag, a close advisor to Saudi Crown Prince Mohammed bin Salman, in obtaining surveillance software from Milan-based Hacking Team. Saudi Arabia has been interested in acquiring lawful
intercept tools, as such things are called in the market, not only from Italy's Hacking Team but from
elsewhere as well. The Jerusalem Post describes the Saudis' surprising willingness to purchase
other espionage tools from Israeli sources.
They put the kingdom's purchases at $250 million.
There's a popular notion that cybersecurity is suffering from a skills gap,
with a lack of qualified, properly trained professionals to fill available positions.
Rahul Kashyap is CEO at Awake Security, and solving this problem is of particular interest to him.
I've been thinking about this in many places.
I've been a serial entrepreneur in the world of cybersecurity.
I've built several technologies.
So there is one part where you can look at solving the problem by building intelligent solutions.
The other aspect is, how do you really look at solving the people problem
because there aren't enough people,
and that is something you have to have a long-term vision and a strategy.
How can you inspire people and have people consider cybersecurity
as a lucrative career opportunity and an option, right?
So, yeah, so I've been focused on both of those aspects.
At a personal level, I've been looking at, you know, after doing some analysis,
I found that most of the fresh people coming in the industry,
they kind of make decisions or try to form decisions about their career when they are in their high school time frame.
And what kind of opportunities do you find yourself having there? Are the high schools open to this sort of thing?
So I actually signed up with a group called
Skillify. It's a mentorship program. I think it covers the entire LA, all the school districts in LA region.
It's a pretty big pool of schools.
So I've been using that program now and then whenever I get an opportunity
and whenever there's a high school kid who's interested to know more about cybersecurity.
So I've been using that pretty actively to build out and kind of have as much reach out to students as much as I possibly can.
Now, when you interact with students who are in their high school years, what's the situation there?
Do you find that they have any common misperceptions when it comes to careers in cybersecurity?
Oh, yes. I mean, it actually varies across the board. So most of the kids whom I talk to are looking at cybersecurity
because they are pretty much, I would say, influenced by Hollywood, if I may.
So they think of this as a cool area to look at,
and they have a perception about it, which is very Hollywood-style-esque
from what I have seen.
In some sense, cybersecurity is definitely a very exciting, fast-paced, fast-moving,
and a very high-impact job as well.
But at the same time, there's a lot of work and a lot of expertise that you need behind the scenes
to really become a top-notch cybersecurity professional.
Now, what about this notion of the industry reaching out to people from different disciplines?
We've heard of companies looking towards people who've studied music,
outside of the normal computer science pipeline.
Yes. In fact, I have personally worked with several folks who have had no cyber,
who have had no science background, no computer skills,
and who have done extremely well in cybersecurity, right?
So it's a skill, and a skill can be acquired.
You just need to be willing to acquire the skill and should be interested in that domain, right?
So I kind of tell everybody that you have to come with an open mind. You don't really necessarily have to be a top-notch student having almost A grades all the time to be a top-notch cybersecurity professional, right? There are specific skills, specific mindset you need to develop when it comes to cybersecurity. And if you can incubate and build that, you can really move fast up the ladders
and build a good career for yourself.
That's Rahul Kashyap from Awake Security.
Malwarebytes warns that a Mac app,
CoinTicker,
installs keyloggers and backdoors
along with its handy altcoin price tracker.
It looks like a legitimate app,
but to install CoinTicker
is to invite nemesis
into your digital life. It's an interesting bit of cryptocurrency-themed malware. Instead of directly
seeking to loot people's wallets, it exploits their enthusiasm for cryptocurrency to induce them to
swallow the bait of a trader's ticker.
Researchers at Cymulate demonstrate a way of infecting Word documents
by introducing malicious code into embedded video.
The attack evades common forms of detection.
There are two more bits of concern about Chinese hardware.
The director of the Australian Signals Directorate
warns that using high-risk Chinese telecom devices
poses a threat to water and power infrastructure.
The devices of concern are principally Huawei and ZTE equipment.
And in the U.S., the Department of Commerce has banned U.S. companies from doing business
with Chinese chipmaker Fujian Jinhua Integrated Circuit.
The grounds for the ban are that the company poses a risk to national security insofar
as it's deemed likely to cooperate with the Chinese government
in activities contrary to the legitimate interests of the United States.
It's striking that the ban that's expected to deal Fujian a severe blow
is a ban on selling to them, not buying from them.
In this, it resembles the earlier, now relaxed sanctions
that did so much damage to ZTE earlier this year.
Finally, Russia and the U.S. have offered the U.N. predictably competing proposals for
international norms of conduct in cyberspace, the former favored by authoritarians,
the other by liberal democracies.
And I'm pleased to be joined once again by Robert M. Lee.
He's the CEO at Dragos.
Robert, it's great to have you back.
I want to sort of get a reality check here when it comes to EMPs, electromagnetic pulses.
This is one of those things that comes up from time to time as being one of the great threats to the power grid, our nation, everything.
And so I figured let's check in.
And what's the reality here?
First of all, what are we talking about?
Yeah, I hope you're ready for like your email and comment section on this one to blow up.
EMP.
The idea is that and usually there's a lot of things that create EMP.
There's a lot of things that create EMP, but the idea in the scenario that's often purported is that a state power will use a nuclear weapon and detonate it at a certain height above the United States. warhead or that ICBM or that capability will be able to knock out significant portions
of electric power grid and other aspects of our daily life or solar flares.
And so there's science to the EMP discussion and aspects of solar flares and EMP, it's
very much considered.
And in fact, the Department of Energy has done studies before and go, you know what,
there's some things we should do. And so you have to use certain levels of shielding and
electric wiring. And power grid operators are fairly well aware of what they need to
do from shielding perspectives. And they do it.
I think that's the thing that doesn't get represented well is not like the electric
community, like EMPs don't exist. No, we fully understand that there is such a thing as EMPs,
and there are natural scenarios that can occur, and so shielding is important.
It's usually an argument of what type of scenarios and how much shielding
and what type of protections need to be put in place that gets a little spun out of control.
And when you're talking about detonating a nuclear weapon above any major city
or portion of
the United States, that's where the science goes off the rails a little bit.
There's some variables that are not fully well understood, and I think some people are
extending the conversation a little bit further than it probably should be.
And it also then comes down to the scenarios of, okay, so you're telling me that Russia
or North Korea or China, they're going to launch a nuclear weapon at us,
but they're not going to actually try to hit us.
They're going to just aim a little high and hope that it actually works.
And, you know, there's so many different aspects.
You can go down to the science discussion.
You can go down the doesn't even make sense national theory kind of discussion.
I mean, there's a lot of elements to this,
but here's what I think is the important thing for everyone to take away.
Is one, EMP and shielding from electromagnetic pulses of any type has been done with electric grid operators to a level that the Department of Energy and the U.S. government have found successful and appropriate.
The extra level and the idea that we're going to build shielding containers around transmission units and things, there's no
proof that we actually should. It sounds
actually like everything points to it being extremely far-fetched.
It's not like we're just lacking proof. It actually points the other direction of this doesn't
seem sound at all.
And it comes at an inordinate expense.
And what makes it even more difficult is the conversations then sort of extend to be a little bit misleading.
And it's very difficult.
There's very smart people on this discussion.
So I try not to just throw people on the bus.
But it gets to a point of being misleading where to have the EMP discussion, it almost gets hidden inside of other discussions.
And I myself have found myself in a situation where I'll be asked to go present at Congress and to the staffers.
And they say it's a cybersecurity event.
I'm like, okay.
And I go to speak on cyber.
And it turns out it's an EMP event, but they couldn't get anybody to show up.
So they asked me to come speak on cyber so people would show up and then they tell them about EMP.
Or I give a quote to a reporter who's asking questions about cyber attacks.
And I have a nuanced take on, yeah, cyber attacks are real and there's real threats to infrastructure.
But our infrastructure is actually very reliable and here's the balance between it.
And then they cut off all of my nuance and they just capture the cyber attack
real and grids going down, portions of the quote,
and then they tack it on the EMP stories. And what I've found is
if you're in any walk of life, if the position you're taking
isn't sound and well-founded on its own, and you have
to bait people into it with other topics
or misrepresent people's quotes to sort of tell a story,
I'm less likely to be empathetic with the story you're trying to tell.
And I think others should be very careful in a lot of the EMP discussions.
Rob Lee, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.