CyberWire Daily - Venezuela power blackout updates. Social media and social control. Trojanized games. Free decryptor out for ransomware strain. Ads on Facebook. A look at 30 years of the web.
Episode Date: March 12, 2019
In today's podcast, we hear an update on Venezuela and its power outages. Amplification of social media posts as a form of mass persuasion. A look at how control of the Internet has replaced control of the radio station as a move in civil war and coup or counter-coup planning. Asian game makers get backdoored out of China. Decryptors are out for BigBobRoss ransomware. Senator Warren versus Facebook, and Facebook versus itself. And Sir Tim Berners-Lee on the Web's 30th birthday. Joe Carrigan from JHU ISI with an early look at NSA's Ghidra reverse engineering tool. Guest is Dr. Phyllis Schneck from Promontory Financial Group (an IBM company) on regulation in cyber security, a preview of her talk at the upcoming JHU Annual Cybersecurity Conference for Executives. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_12.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
An update on Venezuela and its power outages.
Amplification of social media posts as a form of mass persuasion.
We've got a look at how control of the Internet has replaced control of the radio station as a move in civil war and coup or counter-coup planning.
Asian game makers get backdoored out of China.
Decryptors are out for BigBobRoss ransomware.
Senator Warren versus Facebook and Facebook versus itself.
And Sir Tim Berners-Lee on the web's 30th birthday.
From the Cyber Wire studios at DataTribe,
I'm Dave Bittner with your Cyber Wire summary
for Tuesday, March 12th, 2019.
If you're interested in concise expositions of the Chavista line on Venezuela's
ongoing power crisis, Citizen Truth is retailing it like it's 1919, and Iran's Tasnim agency like
it's 1979. It was criminal Yankee cyberattacks and sabotage by traitorous, disloyal Venezuelans that done it, says nominal but arguably deposed President Maduro.
The New York Times has a reflective and comprehensive account of the outages,
which it sadly concludes are likely to continue for the foreseeable future
with all the suffering they produce.
The Timesman on the scene who co-wrote the article, Anatoly Kurmanaev,
is even clearer in his personal Twitter feed on how the blackouts probably came about.
Neglect, layoffs, failure to clear brush from around transmission lines and substations,
with brush fires knocking out power, load demand exceeding capacity, and so on.
It certainly looks like the result of infrastructure collapse,
with no need to reach for sabotage or cyberattack as explanations.
21 of Venezuela's 23 states have been affected by the blackouts.
There are two bits of overt and undeniable Yankee intervention in the crisis.
The U.S. State Department has pulled its last remaining diplomats from Caracas,
and the U.S. Treasury Department
has sanctioned a Russian bank for evading sanctions against the Chavista regime.
Researchers at security firm F-Secure have been looking at Brexit posts in social media
and believe they've found that at least one side of the House, the Brexit side, has had
its views amplified by tweets from unspecified international actors,
generally engaged in boosting causes and moods F-Secure characterizes as right,
including such populist unrest as that of France's gilets jaunes.
Effective control over the Internet seems to have become the equivalent
of what shaky regimes and their coup-plotting opponents of the mid-20th century
always sought in the opening days of a crisis, control of the radio station.
Online intelligence firm Recorded Future this morning released a study
of how such control has played out in troubled places over the last half-decade or so.
Their research follows up an earlier report outlining the digital conflict that has attended Yemen's civil war.
Two more NetSweeper devices have now been set up in Yemen.
These devices are usually used for web content filtering,
but they can be used for censorship if they're implemented with a consumer-facing Internet service provider.
When Houthi rebels took over Yemen's capital in 2014,
the country's major Internet provider fell under their control.
The researchers had previously identified one NetSweeper device on the Houthi-controlled
network.
Beyond Yemen, Recorded Future also takes a look at internet manipulation in Venezuela,
Bangladesh, Sudan, and India.
Last month, Kaspersky Lab observed DNS manipulation in Venezuela that resulted in Venezuelan supporters of Juan Guaido entering their personal information on a malicious spoofed website.
In January, Bangladesh throttled all mobile data services in the country in order to limit communication before its national election. Recorded Future sees this as an attempt to control the external narrative of the country's internal affairs, particularly by inhibiting talk of human rights abuses.
This past December, Sudan cut off access to Twitter, Facebook, Instagram, and WhatsApp as a rumor control move during a period of nationwide protests.
India, with a well-developed and relatively sophisticated level of connectivity, saw a large number of internet disruptions. Most of the government-induced shutdowns came in response to reported terrorist or militant activity, but the researchers say the scope and regularity of the incidents inevitably raise troubling questions about control of information.
The Johns Hopkins University Information Security Institute
is hosting their fifth annual Cybersecurity Conference for Executives that takes place
March 13th in Baltimore. One of the featured speakers is Dr. Phyllis Schneck. She's Managing
Director of the Global Cyber Solutions Practice at Promontory Financial Group, an IBM company.
She joins us with a preview of the presentation
she'll be giving at the conference on the role of regulation in cyber.
In cybersecurity, you're dealing a lot with the application of technology to enable our business
and here our banking. But if you regulate that technology too much, you could end up preventing
some of the very innovation that makes the technology. So day-to-day at Promontory, my team
focuses with our clients at banks and other areas such as biotechnology and aviation. And we say,
what is your risk? It's not about how much technology you buy. It's about what is the
risk your board of directors has decided that your company is willing to take. They call it
the risk appetite. How do you manage that risk?
What are the things that make you, for example, a target or put you in danger?
And what are the things you need to do, technology, governance, people-wise to put in place as a process to ensure that it's not if unfortunately, but when someone tries to intrude,
steal or damage your systems electronically, how you're able to bounce right back.
And this is a very important part of the safety and soundness of any infrastructure.
It's really looking at your board of directors and your company and your brand and saying,
how much risk am I willing to take from all the electronics that enable my world and how do I protect it?
And then the big question is
how much of that protection should be required
and how much is up to you?
And a lot of it comes to the difference
between compliance and security.
Compliance is not security.
Regulatory compliance says you've met the requirements of a law or regulation from a government agency or state agency or somebody that says you have to meet those requirements, and you literally check the box and you demonstrate how you met them. That's not security. It's a good start, but every adversary in the world that wants to get you will look at what your compliance requirements are and go right around them. It's an easy roadmap to say, don't try here. They had to fill that hole. Where else should I look?
I want to get your take on what I would consider to be a sort of a healthy tension. I think we could agree that there's a need for a certain amount of regulation. At the same time, it strikes me that it doesn't do anybody good if that relationship between government and industry is more adversarial than collaborative.
So that's the big question. It's always, I think for decades, people have been trying to determine
that correct relationship, right? We're all on the same side. We want to maintain our way of life,
have safe and sound systems. So I think it actually depends by sector. So for example,
the financial sector has always been highly regulated. The IT one, historically, not so much because the makers of technology have
felt that innovation could get stifled in many ways if you have too much regulation.
And as a geek myself, I can tell you where there's a lot of truth in that, where if you
are told, here's what a company must do for cybersecurity,
companies will go and manufacture. If you're told you have to have widget A, B, and C,
companies will manufacture all kinds of varieties of A, B, and C because they know they're going to
sell. They know they'll make money. The consumers won't invest in anything outside of what they have
to have because candidly, unless they are
really forward thinking and willing to invest, they don't have to. So you end up with two bad
things there, right? One is nobody's making anything new because there's no market for it.
No one cares because the government's told you what you have to have to be secure. But the worst
thing is that all the adversaries know exactly. They've now reverse engineered, which is A, B, and C, and they have created their attacks right around it.
You can always get around something.
It's about resilience.
It's about understanding, not if, but when the storm comes to me, how I'm going to recover.
It's really about what is the, in my opinion, it's about what's the minimum
amount that can be required so that you're in a position to innovate toward resilience. It's a
very tough balance, but you have to preserve the innovation and the free market and have just
enough regulation to ensure that balance, that innovation isn't causing harm. That's Phyllis
Schneck from Promontory Financial Group. She's a featured presenter at
the fifth annual Cybersecurity Conference for Executives, hosted by Johns Hopkins University,
March 13th in Baltimore. ESET has found another supply chain campaign, apparently originating
within China, attempting to backdoor Asian gaming companies. ESET thinks the group is the one Kaspersky described in its 2013 report on the Winnti operation. At least one Trojanized game, ironically called Infestation, remains in circulation.
Avast and Emsisoft have each released decryptors for BigBobRoss ransomware. Bravo to both companies. If you've been afflicted by BigBobRoss, go to the company sites, those would be Avast and Emsisoft, and see what they've put out there to help you salvage
your data. Senator Elizabeth Warren, Democrat of Massachusetts, took out an ad on Facebook
calling for big tech companies like, oh, Facebook, for instance, to be broken up,
in particular because critics say they tend to exercise
a monopolistic control over information.
Facebook took the ad down, citing misuse of its logo in the senator's ad.
But then Facebook put the ad back up
because the company said it's in favor of robust debate.
We hope the senator's people sent Mr. Zuckerberg's people a nice fruit basket,
because that kind of self-confirming publicity you really can't buy. Human curation or algorithm,
we don't know, but the to and fro is so good for the senator that if we were peddling a conspiracy
theory, we'd tell everyone she and Mr. Zuckerberg arranged the whole kabuki dance just between the
two of them, and maybe even at the Bohemian Grove.
Hashtag Monopolygate.
Hashtag Wealthy Elite Kabuki.
Alas, such stories really are too good to be true.
There's nothing new under the sun, but rather we see time and chance in all.
Really, she just bought the ad, and really, they just took it down and put it back.
But why aren't the Shadow Brokers all over this story?
Anywho, yesterday was recognized as the 30th anniversary of the World Wide Web
and Sir Tim Berners-Lee called for the Internet's users to help it grow up.
He's generally seen as the web's inventor.
He proposed it when he was at CERN as a way of capturing information that might otherwise be lost due to personnel turnover. Sir Tim writes in Quartz that he sees three big
problems with the internet today. First, deliberate malicious intent, such as state-sponsored hacking
and attacks, criminal behavior, and online harassment. Second, system design that creates
perverse incentives where user value is sacrificed,
such as ad-based revenue models that commercially reward clickbait and the viral spread of
misinformation. And third, unintended negative consequences of benevolent design, such as the
outraged and polarized tone and quality of online discourse. The first can be mitigated through laws and codes.
The second calls for a redesign of systems to realign incentives.
That third one is the tough one.
Berners-Lee calls for research to understand existing systems
and model possible new ones or tweak those we already have.
Specimens of all three issues are on display in today's news.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Also my co-host over on the Hacking Humans podcast. Joe, great to have you back.
It's good to be back, Dave.
Joe, recently at the RSA conference, the folks over at NSA released Ghidra.
Ghidra.
This is their reverse engineering tool, and you've taken a look at this.
I did.
I downloaded it and played with it.
Yeah.
What do you think?
I'm impressed, Dave.
Yeah.
This is a good tool from the about hour and a half to two hours I spent playing with it.
Okay.
You will need to install a JDK of some kind in order to get it to run.
Okay.
I just had the runtime environment, so that didn't seem to work.
But the JDK, I just downloaded the open source one or the open Java, whatever it is now,
and that seemed to work just fine.
Okay.
So there's no real hurdles.
You can just go out and download this thing.
And the first thing I did was decompile a program that was on my hard drive that was just to look at it and see if it worked.
And it worked pretty well. Yeah.
The next thing I did was I took a look at some code I had written for an AVR solution.
Okay.
Okay, so AVR is microcontroller architecture.
Okay.
If you've ever heard of the Arduino, the Arduino board, at its center it has an AVR processor.
Okay.
It used to be Atmel, now it's Microchip. So I just took one of my own files that had been compiled in AVR and loaded it up in this tool and told it it's an AVR file.
And sure enough, it disassembled it and then even put up some C code that looks pretty similar to what I wrote.
What if you didn't know that this code was AVR code?
Would it try to figure out what it was?
No, it didn't know what to do with it until I told it it was AVR code.
I did have to tell it it was AVR code, but you'll be knowing that it's AVR code if you're pulling it off an AVR chip.
Oh, I see.
Sure.
Sure.
Yeah.
Yeah.
Interesting.
And what do you make of this, that NSA has put this out there in the wild and open sourced it?
I don't know.
That's a good question.
Why did they do this?
Maybe it's because they're trying to make this kind of a tool more available. There is a tool like this called IDA Pro, but you have to buy not only IDA Pro, but
the Hex-Rays component to get everything that's available in this Ghidra product.
Yeah.
And those are prohibitively expensive.
I have heard some speculation that this allows folks to sort of come into NSA for a career being pre-trained on one of their
primary tools. So rather than having to train them in-house, you just open up that more people
will come in knowing how to use the tools that NSA uses. I think a better theory might be that
if more people have access to these tools, we'll find these vulnerabilities faster and then we can
fix them. Of course, there's always the thing: if they're releasing this, what are they not releasing?
Yeah.
Well, but I think it's an interesting contribution to the community.
Yeah.
Certainly there are PR aspects to it of making NSA seem a little less mysterious and closed
door, you know, that they're sending this out there for people to use, contributing
to the community.
So I think that's an interesting aspect of it.
I would agree.
And, of course, there's always the thing you cannot help when anything like this comes out.
There's the speculation that the true purpose from NSA is to include this with some sort of backdoor
where they'll be able to see everything that we're doing.
You know, it's funny when you say that. As soon as I started this thing up, I got a message that said Java wants to open a connection to the Internet.
And I said no.
But that was probably for the updating software.
I don't know that that was actually Ghidra doing that.
Yeah, I've seen some.
I guess there are a couple of little bugs in there, a couple of things about the way it comes out of the box configured that made people raise their eyebrows.
But I don't know.
It seems as though –
You know what?
You could decompile it with itself and see what it says.
Yeah, it's Ghidras all the way down.
Right.
All right.
Well, it's an interesting development and an interesting little bit of software for folks to be able to use.
I'd say go out and play with it.
Yeah.
If nothing else.
It's free.
Right.
It's totally free.
Yeah.
All right.
Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.