CyberWire Daily - Two ways of hacking the vote. BlackEnergy is active in Poland and Ukraine. ISIS and info ops. Hurricane-stressed utility further stressed by ransomware. Silicon Valley governance.
Episode Date: October 17, 2018
In today's podcast, we hear about election security, and two ways of hacking the vote. DHS points out that the states are getting better about sharing election security information. ISIS sets the template for terrorist information operations. BlackEnergy is back, in Poland and Ukraine, with new "GreyEnergy" malware. Diplomatic targets prospected in Central Asia. North Carolina, recovering from hurricane damage, also faces some ransomware. Silicon Valley governance receives scrutiny. Craig Williams from Cisco Talos on dealing with FUD. New York Times writer Kim Zetter on election security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_17.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Election security and two ways of hacking the vote.
DHS points out that the states are getting better about sharing election security information.
ISIS sets the template for terrorist information operations.
BlackEnergy is back in Poland and Ukraine with new GreyEnergy malware.
Diplomatic targets are prospected in Central Asia. North Carolina, recovering from hurricane damage, also faces some ransomware.
And Silicon Valley governance receives scrutiny.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday,
October 17, 2018. Election security is much on people's minds as the U.S. nears its midterm elections, set for the beginning of November, and the EU prepares for elections next year. The concerns are twofold. First,
there's the prospect of election hacking proper, in which adversaries or partisans manipulate vote
counts, disrupt polling, or interfere with registration. Concerns about election hacking
proper are serious, but it's not clear that this has so far, in the U.S. at least,
risen above the customary election background noise.
That noise is the ward-heeler corruption, ballots cast from cemeteries,
and the usual array of low-level sleaze one associates with machine politics.
The typical forms such sleaze might take are, for example, voter fraud, in the U.S., a red worry, or voter suppression, in the U.S., a blue worry. And it's worth noting that both sides,
in their public woofing, tend to deny that the things the opposition worries about actually
happen. The second concern is perhaps more serious and less tractable. Information operations by
nation-states aimed at inducing
mistrust and fissures in the countries they're targeting. This sort of activity, propaganda
tuned for the internet age, is what outfits like the Internet Research Agency carry out.
The Internet Research Agency, you'll recall, is the notorious St. Petersburg troll farm called
out by Western investigators and intelligence services
as behind a large number of fictitious online persona.
It's also run by Russian intelligence services, although Moscow, of course, denies this.
The threat of information operations is very real.
It's been observed in the U.S. and Europe, and this is what principally worries the EU.
The U.S. Department of Homeland Security yesterday downplayed the reported increase in threats to midterm elections. The Hill reports
that Christopher Krebs, head of the department's National Protection and Programs Directorate,
the NPPD, yesterday told a conference it's not an uptick in activity. Instead, he thinks that
state and local election officials
have gotten better at information sharing
and about reporting the targeting of election systems
such as voter registration databases.
In this, they've advanced considerably since the 2016 election.
Krebs added,
Are we seeing an uptick? I don't know if we are.
I think we're seeing a consistent and persistent level of activity, end quote.
So an increase in reporting isn't necessarily correlated with an increase in the level of threat.
The Department of Homeland Security also reminds everyone that the voting data security firm Anomali found in black markets
is, for the most part, already public, as we noted in our discussion yesterday.
That activity may well be ordinary criminal-to-criminal stuff,
selling personal data to other crooks for use in committing identity theft or other forms of fraud.
The prices reported don't seem particularly high,
more in the mob-soldier range than an intelligence service's budget lines.
I spoke with cybersecurity and national security author Kim Zetter about election security. Her recent feature in the New York Times Magazine is titled "The Crisis of Election Security."
Securing the machines is sort of the long-haul way of addressing this. But you're never going to get a machine that's fully secure and not hackable. So what you have to do is you have to have a system in place that would help you know in the first place whether or not the software has been altered.
And we don't have that right now.
We don't have the ability to examine the software at all once it's on machines because it's proprietary software and the voting machine vendors have gone to court to prevent anyone from looking at their software.
And we don't have sufficient audits in place that would compare, well, we do have paper ballots,
that would compare the paper ballot against the digital tallies to uncover discrepancies.
So we've really been almost willfully resistant to engaging in methods that would actually tell us if there was a problem with our elections. And that's always been very
curious to me. There's almost, there's a sort of willful resistance to actually taking the steps
needed to ensure the integrity of election outcomes.
And what do you think's behind that? Why do you suppose that is?
The voting machine vendors were very resistant
and engaged in strong lobbying activities for many years
to prevent even the paper trails from being added to paperless machines.
It's always been very curious to me
why they had such an interest in resisting that.
But it wasn't just them. Election
officials were really swayed by the voting machine vendors. They were really under the thrall of
voting machine vendors for a long time and would follow their lead on many things.
And so they sort of parroted the arguments of vendors that the paper trails would,
it would be more expensive to install printers, that the printers would cause problems at the polls, just, you know, it would be
inconvenient for disabled voters who couldn't see them. A lot of arguments against that. And
election officials were, you know, sort of the driving, I guess, the end stop, right? So if they
decide that they don't want them, it's not going to happen.
And a lot of that is because here in the United States,
the elections are run at the state level.
They are not just, no, there's actually, they're run at the county level.
So the Secretary of State, in many cases, is sort of the chief election official,
but doesn't really have a lot of involvement in the day-to-day running of elections. And elections don't just happen,
you know, when you go to the polls. There's a lot of prep work and a lot of smaller elections
that take place throughout the year that involve sort of ongoing activity. And Secretary of State
will be involved in, let's say, setting procedures, maybe some protocols.
But even that, it's sort of high level.
And they engage only when, in the past, only when there's been a problem.
And so really county officials who are, for the most part, quite often not tech savvy at all,
are left, have been left to make these decisions on their own.
And that's how the voting machine vendors have become so influential.
That's Kim Zetter, longtime cybersecurity and national security reporter.
She's also author of the book Countdown to Zero Day.
Our CyberWire special edition interview with her on election security is released today.
You'll find that in your podcast feed.
ESET warns that the threat actor behind BlackEnergy, involved in past attacks against sections
of Ukraine's power grid, is back. This time it's infected three energy and transport companies in
Poland and Ukraine. ESET notes that the group has developed a new malware suite, GreyEnergy,
and that it appears positioned for further campaigns.
Reuters says that ESET doesn't call out a nation-state as responsible, but naming BlackEnergy associates the activity with the GRU.
Others, notably Britain's GCHQ, have called out BlackEnergy,
also known as Sandworm in FireEye's nomenclature,
as an operation of the Russian military intelligence agency.
There's also a reported spike in Russian activity,
or at least activity by people who speak the Russian language,
against diplomatic targets in Central Asia.
ESET and Kaspersky track the campaign as DustSquad and Nomadic Octopus.
This seems to be conventional espionage.
A great deal of it seems to be concentrated in Kazakhstan.
Onslow County, North Carolina, badly hit by this season's Atlantic hurricanes,
has suffered a cyber attack that seems timed to kick the region while it's down and vulnerable.
The Onslow Water and Sewer Authority,
called ONWASA, disclosed Monday that it had been the victim of a ransomware attack that's crippled
its systems. The attack was delivered by a phishing email carrying the Emotet Trojan.
ONWASA compared the attack to the ransomware that hit the city of Atlanta, Georgia,
and Mecklenburg County, North Carolina. Until remediation is complete,
ONWASA will use manual systems to recover from storm damage, deliver services, and restore things
to normal. The utility will not pay the ransom. Law enforcement authorities, including the FBI,
are investigating. Facebook's recent data handling, content moderation, and privacy issues today attracted a fresh set of furies.
The state treasurers of Rhode Island, Illinois, and Pennsylvania, and the New York City Comptroller,
announced that they're joining Trillium Asset Management's shareholder proposal to push Mark Zuckerberg out of his chairman's role at the company.
It's not going to happen, if only because Mr. Zuckerberg controls most of Facebook's
super-voting shares, giving him the equivalent of 59% of the say in what goes on. But it's an
indication that Facebook's governance and the governance of Silicon Valley companies generally
will continue to receive close and not particularly friendly scrutiny.
Facebook's former security chief Alex Stamos, from his new perch at Stanford
University, has announced what he's calling the Stanford Internet Observatory. It will be designed
to address issues of tech governance and policy in ways intended to ameliorate some of the negative
effects technology is, by consensus, having on society at large. Of course, there are good
effects, too.
We don't want to lose the good with the bad.
And I'm pleased to be joined once again by Craig Williams.
He's the director of Talos Outreach at Cisco.
Craig, it's good to have you back.
Today we want to touch on FUD, fear, uncertainty, and doubt.
There is no shortage of this, particularly on the marketing side of things.
And I know this is something that kind of gets your hackles up.
Absolutely.
You know, for those of us who are lucky enough to be at DEF CON, you may have seen our live show where we discussed some specific examples of this.
But if you weren't, we've all seen this unroll online, right? A security research team finds a bug and then seemingly all that data is taken from them by the marketing department who climbs the Empire State Building and grabs onto it while waving down at the people scaring them.
And that's kind of what we see a lot of the time.
And the problem with that is twofold.
Number one, by unnecessarily spreading that fear, you cause people to misprioritize
their response, right? It can be a severe security issue, but not be a high priority,
right? You can have a high severity exploit that's going to be very difficult to attack
and very difficult to attack remotely. And that shouldn't be a high priority,
obviously, unless there's extenuating circumstances.
Right.
And number two, when you do that,
when you cry wolf every single time,
people tune you out.
And so you've got to try and maintain your credibility as a security research team
and hold the reins a little bit
and tell marketing, calm down.
And we're so lucky at Cisco
that we work so well with our marketing team
that we've been very successful at avoiding this
because we want to make sure
that we maintain that integrity, right? It's very similar to how we handle our threat
intelligence. You know, when we go out, if we don't have all the answers, that's what we start
the blog with, right? We don't have all the answers, but here's what we do have. And so I
think when it comes down to security marketing, that's a good way to approach it and say, look,
here's an issue. Here's the facts about the issue. Is this important?
And then give them the honest truth. Don't try and overhype it because, you know, at the end of
the day, there are going to be high severity, high urgency issues. And the thing is, you've got to
help identify what those are and then use that to your advantage, right? If you want to go shout
something from the rooftops, be patient. Something will come along. Something always does, right?
We remember from the last year or so, right? We had, what was it? WannaCry,
NotPetya inside of a 60-day window. Definitely lots of stuff to talk about there. And then we had
just more recently Olympic Destroyer. And so there are super high severity cyber attacks.
Absolutely.
But we've got to be sure that when we identify them,
we're not just trying to spread fear or uncertainty or doubt because that's not helpful to anyone.
And it actually hurts our users
because they don't know how to properly respond
and what priority to respond in.
Yeah, and it seems to me like it also spreads confusion,
which doesn't do the industry good as a whole.
Right, and I think mainstream media reflects this, right? A lot of the time,
they may not respond right away because they don't know if an issue is actually going to
end up being super high urgency.
So how do you handle internally that communications process with the marketing team? Because you have different impulses than
they do. They want to get out there
and share the latest news, the thing that could lead to that big sale. Where do you meet in the
middle on that?
It's a really good question. So our playbook is very similar to almost like an
incident response team, right? We break threats down into different categories and each category
has a different priority. Each priority has a different set of marketing things that can happen, a different set of PR things that can happen. And so once we decide
on where it hits from a severity or urgency perspective, we then can take out plans of
action. We don't necessarily do all the plans all the time, right? Sometimes we just do a couple of
them. Sometimes we do do all of them. It just depends on what the threat is and how it works.
But I think by making that playbook where you, you know, sketch out, here's our possible actions at this level, it helps people see and helps everyone stay on the same page. And I really
think it helps your users as well, because then they see consistent reporting, they see consistent
actions taken, and they know when something's important because you've done something different
and you've done something rare. Right, right. So when you do sound the alarm, they know you mean it.
Right. And, you know, we saw this again and again last year and we're going to continue to see it,
right? Cyber threats are not going to go away. And so I really hope that as companies find
security issues that they try and think about, is this something that's really going to be severe
for the average user? Because, you know, like I said, you can have severe issues, but if they're so impossibly hard to exploit
that the average user is never going to see them exploited,
I think you owe it to the audience to make sure that they know that
so that they can patch other issues that are more urgent.
All right. Craig Williams, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in
Maryland out of the startup studios of DataTribe, where they're co-building the next generation of
cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin.
Thanks for listening.
We'll see you back here tomorrow.