In today's podcast, we hear that Twitter has suspended more accounts for "divisive social commentary" and "coordinated manipulation." Facebook blocks accounts belonging to Myanmar leaders over Rohingya persecution. US Senators are unconvinced by claims that it's dangerous to research voting-machine vulnerabilities. The House takes a look at the CVE database. Australia's new government reorganizes its cybersecurity portfolio. Justin Harvey from Accenture with details from their mid-year cyber threatscape report. Guest is Sean Tierney from Infoblox with their shadow IoT report.
Jack: [00:00:00] Dad, you gotta stop making up all these lies. I have a really nice backpack, but I could use some new clothes. So go to patreon.com/thecyberwire and donate now.
Dave Bittner: [00:00:16] (Laughter) OK. Thank you, Jack.
Dave Bittner: [00:00:22] Twitter suspends more accounts for divisive social commentary and coordinated manipulation. Facebook blocks accounts belonging to Myanmar leaders. U.S. senators are unconvinced by claims that it's dangerous to research voting machine vulnerabilities. The House takes a look at the CVE database, and Australia's new government reorganizes its cybersecurity portfolio.
Dave Bittner: [00:00:52] Now a few words about our sponsor Invictus. We've all heard that cyberspace is the new battle space. Invictus International Consulting was founded by people who know a battle space when they see it. This leading cybersecurity company, headquartered in Northern Virginia, boasts an expert staff with decades of cybersecurity, technology solutioning and intelligence analysis experience. Its customers in the intelligence, defense and homeland security communities highly value these Invictus cyberwarriors and their professional ethos. Invictus is a service-disabled, veteran-owned small business - that's SDVOSB - with over 60 percent of the Invictus workforce comprised of veterans. The company excels in achieving mission success not only within the government space, but it has been a game-changer within its commercial clientele as well. An award-winning company, recently named to 2018's cybersecurity 500 list as one of the world's hottest and most innovative cybersecurity companies, Invictus recently won the most valuable industry partner award at (ISC)2 15th annual Information Security Leadership Awards, as well as several others. Check them out at invictusic.com to learn more and to see if you have what it takes to become a cyberwarrior. That's invictusic.com, and we thank them for sponsoring the CyberWire. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:02:25] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 28, 2018. Yesterday Twitter suspended 488 more accounts, this time for sharing divisive social commentary and coordinated manipulation as opposed to the inauthenticity Facebook stressed last week. Almost a hundred of the newly suspended Twitter accounts claimed to be located in the U.S. Many of those were less than a year old. It's perhaps worth noting that Twitter displayed some self-conscious evenhandedness in this week's takedowns. Some of the socially divisive stuff it exhibited no longer welcome on its platform consisted of anti-President Trump screeds and memes. And there's a gesture toward purging inauthenticity, too. Some, if not all, of the blocked accounts were linked to the coordinated efforts of Iranian actors.
Dave Bittner: [00:03:21] Twitter may have more difficulty maintaining a principled stance against divisive social commentary. Construed literally, this tendency would seem likely to transform Twitter into a 21st century analogue of some of the older print newspapers that sought to specialize in good news - human interest stories, fun facts, recipes and sports. Scores only with sports. But it seems unlikely that any social medium could survive such a viewpoint neutral blandness, which leads many to suspect that Twitter may have preferences for some forms of commentary that strike it, unreflectively, as uncontroversial but which, in fact, will lead substantial swaths of its users to see the platform itself as biased. It's not an easy task for Twitter or any other social platform. Concerns about radicalization, bullying and even fomenting violence are real, and social media companies feel considerable pressure to do something about them.
Dave Bittner: [00:04:20] Among the more serious instances of social media being used to foment violence have been the flash lynch mobs that have sprung up in India in response to generally false reports of abduction and other abuse of children and women. On a more widespread scale, the massacre of Rohingya Muslims in Myanmar by the majority-Buddhist state has been incited, popularized and sustained in significant part by Facebook, as the Times of London reports. Facebook has responded by blocking accounts of regime leaders, but the baleful climate of opinion these leaders serve is alive, well and online.
Dave Bittner: [00:05:00] Of course Twitter, Facebook and Google are private organizations free to adopt pretty much any viewpoint they choose, in the U.S. at any rate. But the quasi-monopolistic position a small group of companies are perceived as having achieved in the market has led some to think they ought to be treated more like utilities than newspapers. White House economic adviser Kudlow says the possibility is undergoing some preliminary study. Google has warned U.S. Senator Toomey, Republican of Pennsylvania, that the senator's staff had been subjected to apparently unsuccessful spear phishing attacks. The accounts targeted were dormant, leftover from the 2016 campaign. And most of the staffers were campaign workers who've since moved on anyway. Google did suggest the phishers were a foreign intelligence service, but whose foreign intelligence service Mountain View left as an exercise for the reader.
Dave Bittner: [00:05:56] Unease over election hacking and influence operations persists in U.S. political circles where DEF CON hacking demos are being taken seriously. The Senate intelligence committee yesterday gave the back of its hand to a letter from Election Systems & Software, the leading vendor of voting machines in the U.S. ESS didn't particularly care for the goings-on at DEF CON where white hats were given the opportunity to make a run at voting systems. The Washington Post quotes Election Systems & Software as saying, quote, "forums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international espionage. We suspect that our adversaries are paying very close attention," end quote. Since this would seem to rule out the sort of sensible vulnerability research one would think important to enhanced security, the senators were unsympathetic. After all, if you can hack the Pentagon to make it more secure, what's the problem with hacking voting machines? The state authorities who use them are too poorly resourced to fix or update them when problems are found. Perhaps there's more to be said on the matter, but it seems difficult to disagree with a note from the staff of Senator Harris, Democrat of California, which told The Washington Post that, quote, "independent security research does not jeopardize election integrity. Instead, it helps us design more secure voting systems."
Dave Bittner: [00:07:26] Speaking of vulnerability discovery and disclosure, some members of the U.S. House of Representatives are pressing for reform of the common vulnerabilities and exposures database. The Department of Homeland Security has become increasingly unable to keep pace with rising demands for vulnerability information. There are also reports of bugs having been submitted without a timely or, in some case, any response. Republican members of the House energy and commerce committee have written the secretary of Homeland Security asking for improvements to the platform. One of the improvements they're considering lies within the authority of Congress. They may wish to give the CVE program its own budget line.
Dave Bittner: [00:08:08] Secure networking firm Infoblox recently surveyed cybersecurity professionals for their take on IOT devices on their networks to try to get a handle on what is known and unknown when it comes to BYOD policies. Sean Tierney is director of cyber intelligence at Infoblox.
Sean Tierney: [00:08:26] The whole notion of shadow IT - if you've been doing this for a long time, you probably remember back in the day when most organizations didn't have an IT department.
Dave Bittner: [00:08:33] (Laughter).
Sean Tierney: [00:08:34] They just kind of dealt with it within their individual teams. And then there was a need to kind of commoditize it, you know, kind of bring it all under one umbrella and get the most economies of scale. And those are perfectly reasonable and sound business reasons for doing this sort of thing. Then IT, with regulation and bureaucracy, kind of became slow, and so you saw teams within companies within organizations kind of start picking up a little bit of that work again, right? And that's the shadow IT. It's the guy that knows where all the software is that your department uses, and he's the technical expert that can help even though that's not his job. He's not an IT guy. He might not even be a technology worker, but he knows all the software and tools that the team is using. And so he's the guy that helps everybody else, right?
Dave Bittner: [00:09:20] Right.
Sean Tierney: [00:09:20] But the IOT devices that are not company sanctioned and company managed are really shadow devices - right? - so meaning that you don't have visibility into them because you're not managing them. Whether you own them or not as an organization - right? - you may have devices in your network that the company purchased, right? But because IT's not managing them, they're unmanaged devices. They're shadow devices.
Dave Bittner: [00:09:41] So can you take us through what were some of the key findings from the report?
Sean Tierney: [00:09:45] Thirty-three percent of those organizations have more than a thousand shadow IOT devices on their network every day, right? And we're talking about small to medium enterprises, not necessarily very large corporations, which we would expect those to be much larger. When asking employees, what were they doing with their personal devices and how were they using them, 39 percent of them were using them for things like social media, apps, games, films, right?
Sean Tierney: [00:10:10] We see things like 88 percent of IT leaders think that they have a well-placed and well-implemented and well-followed IT security policy, and yet 24 percent of the employees report not knowing the policy or not following it. And then in terms of kind of what we see in terms of the actual devices, 48 percent of the organizations find that they're seeing fitness trackers - things like Fitbit's on there - smart TVs and then digital assistants, like Alexa or Google Home. And so we find these kind of - this mix kind of interesting because on the one hand, you have things that you would normally expect from a BYOD perspective - laptops and tablets, right? And then yet when you go and look at what people are using and what they're bringing in, you see a lot of these other types of non-traditional BYOD devices, right?
Sean Tierney: [00:11:01] So if there are fitness trackers connected to the guest network at the company, what kind of exposure is that creating for that company? When we look at that, we want to think in terms of a good, solid policies and practices. So I think that, depending on a corporation's or an organization's risk appetite, that perhaps a guest network or a employee network that segmented from their corporate business network may be a good idea. They have to do their own risk analysis, but that's, at a minimum, one way to look at how they can separate that kind of traffic and kind of take control of that sort of thing. So they don't - if they're not permitting those devices to come onto their network, they're not giving the passwords for them to join or the using - network access control to keep those kinds of things off their business network. They're still affording their employees a venue for using those sorts of tools and keeping it off their corporate networks.
Dave Bittner: [00:11:51] That's Sean Tierney from Infoblox. You can find the results of their IOT survey on their website.
Dave Bittner: [00:12:00] The Bank of Spain has experienced intermittent distributed denial of service attacks since Sunday, but says its services haven't been disrupted. So the attacks remain at a nuisance level. Australia's newly formed government won't have a dedicated cybersecurity ministry. Instead, Home Affairs Minister Peter Dutton will assume responsibility for cybersecurity and critical infrastructure protection.
Dave Bittner: [00:12:26] Not all investigations result in convictions or indictments or even conclusions. Switzerland has closed its investigation into a 2014 cyberespionage incident involving defense firm RUAG. The results were inconclusive. No perpetrator could be identified with confidence. Russia had been suspected, and Swiss authorities did say they believed it unlikely any other actor than a nation state could have carried out the attack. But it wasn't possible to attribute the incident to any particular government.
Dave Bittner: [00:13:04] Now a few words about our sponsor, the Incident Response Consortium, a leading nonprofit organization working to advance the cybersecurity through community building and the sharing of best practices. They're returning to the D.C. metro area this year with their popular free security conference IR18. That's right - it's free. And it's being held September 5 and 6 at the Renaissance Arlington Capitol View Hotel. IR18 welcomes experts, those new to the industry and anyone looking to learn more about the critical issues of cybersecurity. There will be valuable cybersecurity best practices training, hands-on vendor product training, cyber range wargaming, social networking, career opportunities, mentorship opportunities, chances for educational scholarships and much more. Of course, there'll be free breakfast and lunch too. Don't miss this great learning opportunity. And it's a chance to make new friends and build professional relationships. Space is limited. And with over 600 registered attendees already, be sure to head on over to incidentresponse.com com to register today. That's incidentresponse.com. We thank the Incident Response Consortium for sponsoring our show.
Dave Bittner: [00:14:28] And I'm pleased to be joined once again by Justin Harvey. He's the global incident response leader at Accenture. Justin, welcome back. You all recently published your midyear threat-scape report. Bring us up to date. What's the latest?
Justin Harvey: [00:14:42] So the latest is we're seeing an uptick in various areas. The first one would be an uptick in Iranian cyberattacks around the world. Particularly we're seeing them heavily concentrated in North America. And also we're seeing that affect multiple industries, particularly financial services and resources clients, which would be utilities, critical infrastructure, things like that.
Justin Harvey: [00:15:11] Some of the other highlights that we're seeing - increased attacks versus industrial control systems. As you know, your listeners hear about industrial control systems security, or OT network security, quite a bit on the show. So I'm really happy that it's getting a lot of airplay and a lot of notice. But industrial control systems, Dave, are still really vulnerable to external attacks. It seems like every week I'm having a meeting with a client that claims that their network is completely air-gapped, and there's (laughter) no way to access it. But then you find out there's some - perhaps some private VPNs to various vendors in the background, and it's not quite as secure as people thought.
Justin Harvey: [00:15:52] And OT network security is also extremely difficult, given the nature of the systems. No. 1, they are not considered IT systems. So a lot of the maintenance, a lot of the people that are accessing them are not your typical information security or information technology personnel. So it's not very well understood. That operating system, which is the same operating systems that we operate on every day - typically Linux, Windows - if you can believe it, Solaris is still out there - they're actually very static. They don't have a lot of the same tools that brethren systems in IT have. So it makes it a little bit difficult to work on those, and it's also difficult because it - there's a lack of understanding around the operational impact of making changes to these systems.
Justin Harvey: [00:16:48] And what I mean is, if we're doing an incident response or a threat hunt for one of our resources, perhaps resources customers, one of our critical infrastructure customers - let's say it's a utility - we, being an outside vendor, or even we from IT and information security, we don't know what would happen if we rebooted this system that could have been compromised. We don't know the operational impact. Perhaps it's - if you reboot that system, then the turbine restarts and power production ceases. Or perhaps it's - if you reboot that system, or you put on - you make one little change to the registry and that system goes down, what happens to the manufacturing floor? Perhaps it stops production. Perhaps it creates a - an environmental or a health and safety issue. So industrial control systems security is still a very big challenge, and we are seeing more and more nation-state activity across those types of systems.
Justin Harvey: [00:17:48] And I guess to pick on one more trend that we are seeing is that we're seeing more advanced persistent threat actors - so nation-state actors - are not just focusing on areas of opportunity around OT networks. But we're - also see them - they are targeting more and more financial systems, and they're doing things for financial gain. If you were to look at this from a cyber-espionage, nation-state level, I think it's very valid that (laughter) these attack teams are starting to recoup some of the investment costs that the nation-states have been putting into them. Meaning, why make your cyber-espionage team a loss leader? Why not actually use that same attack team to go out and recover some funds and use them in different areas, particularly with using digital currencies?
Dave Bittner: [00:18:42] Yeah. If you're going to sack the city, you might as well loot the banks while you're at it, I suppose.
Justin Harvey: [00:18:46] (Laughter) Exactly. That is the thinking.
Dave Bittner: [00:18:48] Yeah. All right. Well, as always, Justin Harvey, thanks for joining us.
Dave Bittner: [00:18:55] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:19:03] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:30] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Invictus is a premier cybersecurity services and technology solutions company that provides elite cyber talent to the Intelligence, National and Homeland Security communities, and commercial clientele. Invictus is a Service-Disabled Veteran-Owned Small Business (SDVOSB) based in Virginia and started by military veterans. Learn more about Invictus.
IR18 is a conference for cybersecurity professionals to learn and develop playbooks to improve incident response processes. Receive 20+ hours of practical training on today’s best practices in IR topics, including 36 breakout sessions designed for all levels of experience.