CyberWire Daily - What are the adversaries’ goals in election interference? A case study in the ransomware-as-a-service market. Untangling TikTok, as the clock ticks toward September 15th.
Episode Date: August 10, 2020
The US Office of the Director of National Intelligence has released an appreciation of the goals of election interference among three principal US adversaries, Russia, China and Iran. Anomali offers a... look at the ransomware-as-a-service market with its research on Smaug. The CyberWire's Rick Howard continues his exploration of incident response. Andrea Little Limbago from Interos on cyber regionalism. And the tangles that need to be untangled in the TikTok affair, with a deadline looming less than a month from now. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/154
Transcript
You're listening to the CyberWire Network, powered by N2K.
The U.S. Office of the Director of National Intelligence has released an appreciation of the goals of election interference among three principal U.S. adversaries: Russia, China, and Iran. Anomali offers a look at the ransomware-as-a-service market with its research on Smaug.
The CyberWire's Rick Howard continues his exploration of incident response.
Andrea Little Limbago from Interos on cyber regionalism,
and the tangles that need to be untangled in the TikTok affair,
with a deadline looming less than a month from now.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday,
August 10th, 2020. The U.S. Office of the Director of National Intelligence on Friday released a statement on election interference. NCSC Director William
Evanina says that Russia, China, and Iran are all interested in various forms of interference.
Briefly, China dislikes President Trump, whom it regards as unpredictable, and wants him out so
that he can't, in Beijing's view, continue to damage Chinese interests. Iran also dislikes the incumbent
and sees the prospect of his re-election as likely to mean increased pressure on the Islamic Republic
and pressure that would be designed to bring about regime change in Tehran.
Iran also has a more general interest in undermining U.S. institutions, the statement says.
Russia has been busy denigrating former Vice President Biden,
whom Moscow sees as dangerously connected with Ukraine and with the Obama administration's
disapproval of Russia's armed slow-motion re-engorgement of that country. He's also
seen as part of an anti-Russian establishment. So China and Iran trend blue, Russia red. The returns from Pyongyang aren't in yet.
Cybersecurity and Infrastructure Security Agency Director Christopher Krebs commented on the ODNI
statement, praising the intelligence community for its contributions to transparency, declassifying
and sharing intelligence in ways CISA thinks likely to contribute to election security.
Director Krebs said, quote,
We have long said Russia and other nation states are targeting our elections.
We knew this to be true in 2016.
We know it's true today.
And we know they will continue to attempt to interfere.
While motives may vary, one thing is consistent.
They are attempting to interfere in our democratic process, end quote.
Security firm Anomali this morning published its analysis of Smaug ransomware, recently hawked in
criminal-to-criminal markets as a ransomware-as-a-service offering. Simple and lacking
some of its competitors' functionality, Smaug offers a clean user interface, tech support,
and a respectable range of ransomware services, from encryption to payment to decryption.
Customers are forbidden from infecting targets in the Commonwealth of Independent States, the CIS,
the former USSR, but since that can be accounted for by its hosting on a forum that prohibits
operations against the CIS, the exclusion isn't decisive evidence of CIS origin.
Wherever Smaug came from, it probably didn't emerge from the English-speaking world.
The threat actor's original posts were in non-native English,
legitimately broken English, not the phony, facetious lingo of, for example, Shadow Brokerese,
and the proprietors advertised at the time for an
English-speaking developer. The English in the dashboard and the ransom note are much better.
So halting English, and so probably not from an Anglophone country, although recent expertise
with secondary education in, oh, let's just pick any country at random, the U.S.,
gives one a little bit of pause.
Smaug seems to be a market failure.
Its proprietors have been led to offer it at a discount during a trial period,
and in mid-May, the forum that had hosted the offering froze the threat actor's activities
for evidently failing to deposit $8,000 in escrow.
The research is interesting for the insight it provides into the workings
of the cyber underworld. According to NPR, TikTok is considering litigation against the U.S.
government in the hope of overturning last week's executive order that would kick the social
platform out of the U.S. entirely. A suit could be filed in the U.S. District Court for the Southern
District of California as early as tomorrow,
and NPR speculates that the grounds of TikTok's challenge would be that the president's findings of fact are thin,
that the order violated due process, and that, moreover, he lacks the authority to do what he did.
Such a suit seems unlikely to succeed on any of these grounds, and TikTok can't count on much political
support. The executive order is directed against TikTok as a threat to users' data and as an actual
or potential tool of Chinese intelligence. Bipartisan suspicion of Chinese data collection
is now so deep that it would be difficult for TikTok to maintain plausibly that it wouldn't
share user data with Beijing's intelligence and
security services, especially when Chinese law seems to require that companies based there do
so on demand. In any case, the U.S. Senate last Thursday unanimously voted to ban TikTok from all
government-issued devices. Microsoft's possible TikTok acquisition would be technically challenging,
Reuters reports.
TikTok shares a significant amount of code and resources with its ByteDance corporation sister, Douyin, a social platform available only in China.
Carving TikTok out from its dependence on such shared resources is likely to be not impossible, but surely difficult.
Doing so without damaging what observers think is TikTok's distinctive advantage, its recommendation engine that meretriciously keeps users coming back for
more, is part of that challenge, although the engine itself is believed to be unique to TikTok
and not shared with other platforms. Another challenge the mooted acquisition faces is that
it requires a geographical disentanglement as well.
Microsoft is said to be considering acquiring not TikTok as a whole,
but only its operations in four of the Five Eyes: the U.S., Canada, New Zealand, and Australia.
There apparently are or have been other suitors for TikTok.
The Wall Street Journal says that Twitter has been in talks
with the ByteDance-owned social platform.
The House of Dorsey is viewed as a dark horse competitor.
It doesn't have Microsoft's cash, for one thing,
and so any acquisition would have to be highly leveraged.
On the other hand, of course,
Twitter's already in the social business game,
so it's got that going for it.
CNBC thinks Netflix should look at TikTok
because the movie and television service's
big competitive threats aren't so much direct competitors
like Disney+, but rather what Netflix calls
substitution threats.
That is, other ways of spending your time
receiving amusement, which apparently come down to gaming,
watching other people game,
and looking at stuff on your phone.
So kids, if you're so taken by the Fortnite Charleston,
at least put the controller down, get up off the couch, and do some dancing on your own.
And it is my pleasure to welcome Rick Howard back to the show.
Rick Howard is, of course, the CyberWire's chief analyst and also our chief security officer.
And he is the host of the CSO Perspectives podcast, which you can find over on CyberWire Pro.
And this week, Rick, you are continuing your exploration of incident response.
Share with us where you're headed today.
That's right, Dave.
And we spent the last two
episodes talking about that. And, you know, in a nod to the old adage, you can't teach an old dog
new tricks. Okay. I may be the exception to the rule because I think I may have learned something
new this week. Okay. Okay. It's a shocker. I know. I think I know everything. So when I invited some of the CyberWire's pool of experts to sit around the hash table with me this week,
and we discussed incident response, I expected that we would be talking about some of the technical things
that the InfoSec team had to consider during a crisis.
But what every hash table expert jumped to immediately was how do you plan and execute the escalation process?
How do you get everybody into the groove about what's going on?
Because you know, Dave, at a certain point, you are no longer investigating a potential breach,
but managing a company crisis due to a real honest-to-goodness compromise that may materially impact your organization.
Yeah.
So when that happens, you get all kinds of people coming in to help.
And I'm using air quotes around the help part here, like the CIO and the IT team and the lawyers
and the risk people and the business continuity people and the business unit general managers.
And the question is, how do you keep that bag of often differing viewpoints,
all moving in the same direction, in times of high stress and no time to think about it?
I've worked on this problem for many years, and it turns out, like most things in cybersecurity,
there is a framework for this. So have you ever heard of the DACI model before?
I don't think so.
So it's a decision-making framework.
It was developed by the Intuit company.
They improved an earlier version of it called the RACI model.
That's RACI with an R.
The DACI acronym spells out what it does.
So D as in the driver, this is the person who organizes the potential decisions.
A, that's the approver.
This is the one making the decisions.
C is the contributors. These are the people doing all the legwork to figure out what we need to do.
And I is the informed, the people that will be impacted by whatever decisions we make.
And it turns out this is something you can use for all kinds of big projects, but especially
incident response. And one of the experts at the hash table this week is Steve Winterfeld.
He is an old Army buddy of mine and is currently the advisory CISO for Akamai.
But he is a huge advocate of the DACI/RACI model.
I think one of the best tools out there to map out those roles and responsibility is
a RACI.
And a RACI, if you haven't seen one,
is a spreadsheet that talks about,
on the left, who is going to be doing it,
on the top, what is going to be done,
reverse those if you want.
And then you're going to talk about,
is this person for this task responsible,
accountable, consulted, or informed?
When I build my RACI,
only one person can be responsible.
Multiple people can be accountable,
consulted, or informed.
And then, you know, you break that out
to different stakeholders for, you know,
legal and public relations and, you know,
leadership and all of these.
And then, you know, deciding if there is a breach
and deciding to go public and making the public announcement.
So it's just a way to organize everything.
So in one graphic, you can tell who's supposed to do what.
All right, so there you have it.
I've been trying to manage the escalation process my entire career
and didn't know that a framework even existed.
So there you go.
Even an old dog can learn new things.
Well, congratulations.
Give me a nice little scratch behind the ears there for you, Rick.
But does a framework like this also help keeping people in their lanes?
Because I can imagine in an emotional situation like this, like you said, you put air quotes around help.
And I think part of this has to be the discipline for people to contribute in the ways that they're trained and their areas of expertise, despite having the impulse to want to help out with everything.
Yeah, it does, right?
And it helps out in a number of different ways.
During the crisis, you don't have to be remembering,
you know, what you said you were going to do two years ago
the last time you thought about it.
It's a simple spreadsheet.
So you can just see who's responsible for everything.
It's also really good for exercises, right?
When you practice this,
I guarantee you that what you thought was going to happen is not going to happen during the exercise.
So you bring that in, the DACI chart in, and say, oh, we thought it was going to be this.
Now it's going to be this other thing.
So it's a way to keep it fresh and on everybody's mind.
So, yeah, I wish I would have had it like 10 years ago.
My life would have been easier.
Right. Fair enough.
Well, it's CSO Perspectives.
It's part of CyberWire Pro.
You can check it out on our website, thecyberwire.com.
Rick Howard, always a pleasure.
Thank you, sir.
And joining me once again is Andrea Little Limbago. She is the vice president of research and analysis at Interos.
Andrea, it's always great to have you back.
I wanted to touch today on this pattern we're seeing when it comes to regionalism
and sort of contrast that against the, you and I have talked about this notion of the splinternet, of nations kind of breaking away from the global internet
and putting a virtual wall around themselves.
Where are we finding ourselves these days when it comes to those two elements?
Yeah, and thanks for having me.
It's always fun to chat with you.
So we're seeing the divisions continue to grow,
would be the simplest way to put it.
And it really is, you know,
the SplinterNet for a while was something that,
you know, it was almost one of those things
we thought about was something, a future component,
but, you know, what really is going on,
I mean, it's really already here.
And whether you think about, you know,
how certain websites look or what you have access to,
depending on where you sit,
is only, you know, one component of it.
It's really where we're seeing it going
is even more so into well beyond what data you have access to
and what you can explore into what the tech stacks
are going to be built on.
And that's where I think sort of the bigger changes
we're starting to see is that you're seeing
both on the fracturing of the internet,
but also fracturing of the software stacks
and the hardware that's
being, that will be driving these technologies from different countries. And so it's even,
you know, from a splinternet, I feel like it's evolving into more of a two different technospheres
that kind of encapsulates the broader divisions that are going on on the technology front,
but also encapsulating the internet divisions. And so it really is very much so along geopolitical
lines. And this is something
we've talked about in the past, you know, with the rise of digital authoritarianism. And so the use
of, you know, by the various authoritarian leaders to leverage the internet for internet control and
leveraging the technology for that, albeit from a surveillance state to disinformation,
to perhaps enabling some sorts of backdoors through various kinds of technologies.
There's really a broad range of tools that the digital authoritarians are using.
And so that continues, and that's largely driven by the Chinese model,
the Russian model, and that's permeating through to different countries
across each of the regions across the globe.
And for a while, there wasn't much of a democratic model, I would argue,
until lately, on the one hand,
as far as where privacy is concerned,
Europe's GDPR is basically
the main global counterweight
as far as how to protect data.
But that's starting to emerge.
And so the example that I'm keeping an eye on
and want to,
that I think might be indicative
of emerging democratic collaboration
would be the pact that the UK pushed forward about a month ago, I think,
on creating a 5G pact to help strengthen the trust within supply chains,
the technology supply chains or the digital supply chains, if you will,
and ensuring that the technologies building into the digital supply chains
are from trusted countries.
And so the focus for that is to reach out to coordinate with 10 democratic countries
and to reduce reliance on various Chinese technologies that may be untrusted,
but then also to build up their own domestic capabilities as well.
And on days that I'm hopeful in this area,
a lot of it focuses on that kind of collaboration that we're starting to see across democracies
and trying to create more of a trusted environment to at least, you know, head towards
some of those aspirations of what the internet was supposed to be as far as free-flowing information,
but still having, you know, maintaining some security within it. And so we will see what
happens with that, but I think it's also a nice counterweight to, you know, the rising economic
nationalism that we see and, you know, concerns off on their own, which is not the best way to handle all the global challenges that we have right now.
So I think we will hopefully continue to see some more collaboration in that area.
And I think that will be an interesting trend to keep an eye on and could have a very large impact to counter some of the more negative trends that we're seeing going on in cybersecurity.
Yeah, I mean, is it fair to describe it almost as like a recoil, a reaction of, I feel like
in some ways things were rolling along and in a way the democracies sort of took their
eye off the ball for a little while as so many of the benefits,
things we got used to with the connectivity of the internet and global commerce and all those
sorts of things and the exchange of information. And then it's sort of been a, like I say,
a recoil is the image I have in my mind. Is that a fair description?
Yeah, I think it is. And I think it's also that,
you know, whether it's a recoil or whether, I mean, I like the analogy of, you know,
taking the eye off the ball. I mean, really for quite some time, it was just assumed that
the internet would provide, you know, only had, you know, good ends and means going along with it.
And if you think about it, because especially if you think about the Arab Spring now,
and you know, that almost a decade ago, or in some cases, people looked at the Arab Spring and saw, look what social media can do.
It can give voice to people who didn't have a voice before.
And there certainly was an element of that, and those were the aspirations on which the internet was built.
But it ignored the fact that, oh, these tools are also available to those who don't have good intentions and can also be used for suppression and through disinformation
and actually to crush those same voices.
And so that dual use nature of the internet,
I think was just ignored.
And so, you know, in some regards,
you can say maybe the 2016 US election
was some level of a wake up call for democracies,
but, you know, even then, you know,
Russia and other countries had been interfering
in elections for, you know, years before that and continue to do so.
So democracies, I think, really are just starting to see how much their dependence on both technologies from other countries,
but also on some of the fact that they hadn't built in some of these guardrails.
You know, that's where the norms and the policies come to place.
But they kind of just forgot about building some of those.
And at the time, you know, for a while, you know, especially if you think about norms and cyber norms and the proper
rules of the road for behavior in that, you know, there were plenty of efforts that went through the
UN, you know, over the last decade. And, you know, they basically fell apart due to these divisions
that, you know, I was talking about as far as, you know, Russia and China and, say, Cuba on one hand
and then democracies on the other. And I think that was one of those, looking at those norms,
discussions are almost a precursor to where we see things going now. And the difference is it's not just, you know, a discussion at the
UN, it's actually we're seeing it play out through the technologies that we have and through the data
that we have access to and just how governments are handling themselves. Yeah, it really is
fascinating to watch. It's interesting times for sure. Andrea Little Limbago, thanks for joining us.
Great. Thank you.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.