CyberWire Daily - UK, US blame Russia for 2019 Georgia hacks. Senator Sanders thinks Russian bots could impersonate supporters. Mr. Assange’s extradition. MGM Resorts breach. Ms Winner wants a pardon.
Episode Date: February 20, 2020
British and American authorities blame Russia’s GRU for last October’s defacement campaign against Georgian websites. Senator Sanders thinks maybe some of his apparent supporters are Russian bots, the ones who are tweeting bad stuff in social media. Julian Assange says he was offered a pardon to say the Russians didn’t meddle with the DNC. Stolen data from MGM Resorts turns up in a hacker forum. NSA leaker Reality Winner would like a pardon. Justin Harvey from Accenture on staying prepared against potential Iranian cyberattacks; guest is Jamie Tomasello from Cisco Duo on cognitive capacity and burnout. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_20.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
British and American authorities blame Russia's GRU
for last October's defacement campaign against Georgian websites.
Senator Sanders thinks maybe some of his apparent supporters are Russian bots,
the ones who are tweeting bad stuff in social media.
Julian Assange says he was offered a pardon to say the Russians didn't meddle with the DNC,
stolen data from MGM Resorts turns up in a hacker forum,
and NSA leaker Reality Winner would like a pardon.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 20th, 2020.
The UK and the US have formally blamed Russia for a wave of disruptive politically-themed website defacements that hit Georgia in October 2019.
British Foreign Secretary Raab called the GRU's campaign reckless and brazen, an unacceptable attack on a sovereign nation.
U.S. Secretary of State Pompeo said the attempts gave the lie to Russian claims of being a responsible actor in cyberspace. The British response is harsher.
The Americans call for Russia to reform itself
and offer Georgia some help securing itself against further attacks.
The defacement campaign was interesting in that it was, in effect,
and probably in conception, a purely disruptive operation.
You may recall that some 15,000 websites in Georgia
were defaced with a photo of the country's former president, Mikhail Saakashvili,
with the text, I'll be back, overlaid on top of the ex-president's smiling two-thumbs-up picture.
Now, the former president was known during his time in office
as a strong advocate of pro-Western policies,
which on the face of it would make him an unlikely figure for GRU boosting.
He left Georgia for Ukraine in 2013, saying that he was fleeing trumped-up corruption charges.
Defacements are a low-grade form of hacking, and as influence operations go,
they're a pretty blunt and not terribly effective instrument.
But in this case,
they serve to exacerbate domestic tensions in Georgia, and that, the US and UK suggest,
was the point all along. By ZDNet's count, this is the fifth time the Allies have accused the GRU
of cyberattacks against foreign states. Their list of the other four is as follows. BlackEnergy,
which in December 2015 shut down a portion of Ukraine's power grid for up to six hours.
Industroyer, a second attack on Ukraine's power grid a year after BlackEnergy.
Also known as CrashOverride, this attack disrupted power distribution in and around Kiev for about an hour.
NotPetya, a June 2017 destructive pseudo-ransomware attack
that initially affected Ukrainian targets,
but which spilled over into many other parts of the world,
including Western Europe and North America.
And finally, BadRabbit, a ransomware attack in October 2017,
which encrypted hard drives and rendered IT inoperable.
The campaign was also concentrated on Ukrainian targets.
The public naming and shaming is being read as a warning to Moscow
to stay away from attempting to meddle in other countries' elections,
and of course, especially in fiddling with the U.S. 2020 elections.
It needn't, however, take much fiddling to achieve a disruptive result.
The difficulties the Iowa Democratic Caucus
experienced with Shadow Incorporated's less-than-fully-successful IowaReporter app
have already prompted some non-negligible intra-party suspicion, especially as the
ongoing recanvass has shown the already small margin between caucus frontrunner Buttigieg
and second-place finisher Sanders having shrunk even more.
Last night at the Democratic debate that preceded this weekend's Nevada caucus,
Senator Sanders deplored some of the social media excesses some apparent supporters of him have been
seen to commit, but then immediately pointed out that it's quite possible that many of those
supporters are just Russian bots. As quoted in the Daily Beast, the senator said,
all of us remember 2016, and what we remember is efforts by Russians and others to interfere
in our election and divide us up. I'm not saying that's happening, but it would not shock me.
End quote. He wasn't saying that, so, you see. Still, not that he had any evidence for it,
but as a matter of a priori possibility, sure, it's possible the Russian
bots are out and about. If your aim is disruption, with bot hunters like that, who needs the actual
bots? At a certain point, suspicion and mistrust will do your work for you.
Chances are you've got
systems in place to monitor the status and availability of the technical services you use day to day
to alert you if a server goes down, power goes out, or there's a sudden spike in traffic.
But how about your people? How do you monitor your teams and co-workers to make sure they're
not operating beyond their capacity and burning out? Jamie Tomasello is head of trust and
compliance at Cisco Duo Security. She presented at the Virus Bulletin 2019 conference,
and her talk was titled,
I'm Not Going to Die During This Conference Call,
Reflections on Availability and Burnout.
I think where a lot of people are focused
are around what they have to do as an individual
to prevent being burned out.
And a lot of the advice and presentations you hear say things around their own wellness,
things like you should exercise more, make sure you're drinking water,
make sure you get enough sleep, drink less caffeine or more caffeine,
depending on who you're talking to.
And one of the things that I think is being missed is the role of a manager or a leader
in preventing and mitigating harm with regards to burnout.
Well, let's dig into that. What part do you think the manager plays?
So I think what's really important to think about when we talk about managers and their role in
thinking about individuals from a burnout perspective is that people,
we're not perpetual motion machines. I think one of the challenges is that we fail to accept that
forcing ourselves and the teams which report to us into work patterns that exhaust our personal
energy will not lead to infinite productivity. If I'm a manager, how do I monitor for this?
And how do I foster an environment
where I feel as though I'm getting
the most out of my employees,
but at the same time, looking out for them
for both their personal health,
but also for the sake of the organization?
A few things that we can think about
when it comes to how to monitor this
or how to think about this is thinking about, especially those who are in engineering or operational roles,
thinking about what are the signs and symptoms that a system or a service isn't healthy,
optimized, or at a sustainable capacity. There's actually a Cyber Operations Stress Survey. It's
one of the techniques that you can use. Josiah Dykstra and Celeste Lyn Paul of the U.S.
Department of Defense developed this, and it's a low-cost method to study fatigue, frustration,
and cognitive workload in tactical cyber operations. And it's easily adaptable
to anyone in an operations or security role. Do you have any insights on how companies successfully manage that transition
from what I'm imagining is that startup culture
where everyone is putting in a lot of hours and working hard
and just doing whatever needs to be done to get the company going.
But then there comes a point, there's a process of putting things in place to achieve sustainability.
Do companies have to be deliberate in that process?
Yes.
I think you have to be deliberate.
You have to be inclusive.
You have to be intersectional.
You have to be able to look at, in order to scale your organization, to take it from a startup into a growth stage company and then ultimately past that point, you cannot just look at the sustainability or the growth of the product. You also have to make sure the people who serve your organization are part of that growth plan and part of that trajectory, and make sure you're keeping that resource and keeping that space for them to grow as the rest of the organization grows.
That's Jamie Tomasello from Cisco Duo Security.
Julian Assange's attorneys in his extradition hearings have claimed that former U.S. Congressman Dana Rohrabacher offered him a pardon on behalf of President Trump if Mr. Assange would say that the Russians had nothing to do with leaking the Democratic documents WikiLeaks published during the 2016 election season.
WikiLeaks has long suggested that the Russians had nothing to do with the leaks,
so it's difficult to see why such an inducement might have been offered.
In any case, Mr. Rohrabacher and the White House have both denied making any such offer.
Mr. Rohrabacher said in a statement that he met with Mr. Assange in 2017 and upon his return told then-Trump advisor General Kelly that the WikiLeaks proprietor
might provide information about the DNC leaks in exchange for a pardon, but that no one in
the administration took the idea up. The White House says they knew nothing about any such offer.
Mr. Assange is currently fighting extradition from the UK to the US, where he faces a number
of federal charges. His attorneys would like the British court to release him so he can seek asylum in France.
MGM Resorts sustained a data breach last summer that affected almost 10,600,000 guests.
This week, much of the personal information lost was posted to a hacker forum.
ZDNet and Under the Breach confirmed that the data were indeed from the MGM Resorts incident.
MGM Resorts says it notified affected guests last year.
The data posted this week included names, home addresses, phone numbers, emails, and dates of birth.
MGM Resorts says no paycard information was compromised.
And finally, Reality Winner, the former airman and former NSA contractor
who's currently serving five years in prison for leaking a classified NSA report to the media,
specifically to The Intercept,
is asking President Trump for either a commutation of her sentence or a pardon.
She's hopeful because at the time of her sentencing,
the president called her offense small potatoes,
specifically smaller than what former Secretary of State Clinton did
in setting up her home-brewed server while she was in office.
The documents Ms. Winner leaked, Fifth Domain reminds us,
had to do with Russian attempts to penetrate a provider of voting software
and to compromise the accounts of election officials.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Justin Harvey.
He's the Global Incident Response Leader at Accenture.
Justin, it is always great to have you back.
I think a lot of folks out there have concerns with all of the things we're hearing in the news
about tensions
between the U.S. and Iran, the possibility for Iran reaching out via cyber attack, stirring things up
that way. What are some of the things that companies should be focused on? What are some
of the actual actionable things that they can do to make sure that they're prepared should something happen?
Well, from a security operations perspective, there's a set of processes and procedures that should be well matured and acted upon now. First is operating at a heightened sense of alert by
scrutinizing events and infrastructure, including administrative actions, looking for the three
mainstays in monitoring today. Number one is the known bad. An attack will most likely not
originate from an Iranian IP address. It might not even be a foreign IP, but at least
beefing up your known bads, I think, will help a little bit in that respect.
When I say known bads, I mean IPs and domains and indicators of compromise that the Iranians have allegedly used in the past. Having those loaded into your monitoring infrastructure won't
hurt. But Dave, I'll tell you, I'm a little bit skeptical if the Iranians are going to use the
same malware approach or tactics, techniques,
and procedures they've used before. But it still helps to have the known bad there.
The second one is anomalous behavior. Hosts acting in a strange way, but not necessarily
malicious. It could be odd administrative activity. It could be some weird registry
settings that were changed. Essentially, anomalous means looking for the weird.
And the third one would be looking for the suspicious, particularly around users and or
administrators. So one of the areas that I think needs a lot of work in our industry is scrutinizing
privileged access actions. So for instance,
if you work at all with Linux,
you know it's generally not a good thing to log in as root,
particularly via SSH.
You want to log in as yourself
and then you want to use a command like sudo
to become root or the system administrator.
So suspicious could be
if you see the system administrator
who is not on the console of the box,
perhaps SSHing in from a remote site or even someone SSHing in as a user and then becoming root from a weird location, that could also be suspicious.
Secondly, ensuring that the SOC is properly prepared to escalate potential findings to leadership in the event of attack.
And that means establishing a strong communication path.
Whether you're an analyst in the security operations center, the director of the SOC,
or the CISO, you should have a clear means to communicate that suspicious or anomalous behavior
up the chain of command. And that chain of command should be ready for this. So if you're
an executive, a CISO, a CSO, make sure that you
collaborate with the C-suite and the board and let them know all of the plans that you're taking
and that if something were to happen, these are the steps they're going to take.
Next is validating that the enterprise's high value assets are known, labeled, and cataloged
by the SOC for heightened monitoring. We all know you can't secure that which you do not know exists.
So if your business is all about credit cards and credit card data,
well, you darned well should know all the databases that your credit cards are in
and also who's accessing that data.
You know, it's interesting to me.
I have to wonder,
when you talk about potential events like this,
is it right to think that an organization
who has taken all of the proper steps ahead of time,
who is running and using best practices,
that overall it would pretty much be business as usual for them?
They already have these things in place.
Very good question.
The answer is you're absolutely right.
If you're doing it right from the start, if you know your high value assets,
if you have great threat intelligence, if you have a resilient enterprise, then this should
just merely be a blip on the radar. Yes, you should read the bulletins. Yes, you should double
check with the board and the C-suite, and everyone should have
a clear understanding of what possible attacks could occur. There's probably not very much
technically or procedurally that you would need to do to shore yourself up. So our large clients
that I speak with, our financial services clients in particular, they're all prepared. There's
nothing really different that they're doing
from a technology or process standpoint. They're just bubbling this up and making sure everyone's
on the same page. All right. Interesting stuff. Justin Harvey, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge,
it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity
solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to
give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell. Thanks for listening.
We'll see you back here tomorrow. Thank you.
comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.