Dave Bittner: [00:00:04] Iowa Democrats work to sort out app-induced confusion over Monday's presidential caucus. A McAfee study finds widespread susceptibility to influence operations in U.S. county websites. NEC gets around to disclosing a network intrusion incident detected in 2017. Twitter fixes an API vulnerability and suspends a large network of fake accounts. NIST's proposed ransomware defense standards are out for your review, and comments are open until February 26.
Dave Bittner: [00:00:40] And now a word from our sponsor ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:01:53] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 4, 2020.
Dave Bittner: [00:02:02] Heard who won the Iowa Democratic caucuses yesterday? Neither have we. Neither has anyone. Our hardworking editorial staff has been on watch, and they're not seeing anything yet either. Yeah, sure, President Trump won the Republican contest in a walkover, but incumbents tend to do that. The story for the Democrats is more complicated, but not in a good way. "Chaos" and "debacle" are the words the San Diego Union-Tribune, the Wall Street Journal, and others used to describe the problems counting the party faithful's expression of preference for a presidential candidate. Those preferences remain unknown as the results are still being counted and checked, delayed by problems with an app deployed in the caucuses for the first time.
Dave Bittner: [00:02:48] Former Clinton campaign manager Robby Mook was widely blamed for the problems, but this seems entirely unfair, as he had nothing to do with the app. It was, rather, built by Shadow, which is affiliated with ACRONYM, the Democratic not-for-profit founded to educate, inspire, register and mobilize voters. Shadow's app was intended to facilitate quicker, more accurate and more transparent counting and reporting from the precincts. The Iowa caucuses in 2016 were very close, with ultimate nominee Hillary Clinton enjoying only a slim victory over Senator Bernie Sanders. Many Sanders supporters felt the results had been influenced by the party, so the party was determined to avoid a repetition of such controversy this time around.
Dave Bittner: [00:03:34] Thus today's difficulties are Greek in the classical sense, not the fraternity row sense, as the candidates all claim various levels of unsubstantiated victory or darkly hint at chicanery. The very steps the Democratic Party took to clear up the intraparty suspicion that the game was rigged, that somebody's thumb was on the scale, have bitten back to bring about the very result they were taken to avoid.
Dave Bittner: [00:03:59] The lessons to be learned for election security in general may be limited. The Iowa caucuses don't resemble regular voting using machines or marked ballots but instead represent a precinct-by-precinct set of nearly 1,700 meetings, each of whose results had long been reported by precinct chairs over the phone.
Dave Bittner: [00:04:18] While there were earlier concerns expressed that the app might be vulnerable to cyberattack – NPR, for example, reported on such concerns back on January 14 – the prospect the app itself just might not work well enough was touched on more lightly. There are no reports, we stress, of any form of cyberattack. That's what the chair of the Iowa Democratic Party said this morning, according to Iowa's WHO TV. And most observers seem to agree. State party chair Troy Price said, quote, "we have every indication that our systems were secure and there was not a cybersecurity intrusion. In preparation for the caucuses, our systems were tested by independent cybersecurity consultants," quote.
Dave Bittner: [00:05:00] As we mentioned, the distinctive way the caucuses are conducted suggests only limited lessons for election security. Principal among those would be don't deploy technology in voting until it's thoroughly tested under realistic conditions. NBC News reports that a significant number of precinct captains and caucus organizers had decided as early as yesterday morning that Shadow's app was bad news, not working out as hoped. It appears, says state party chair Price, that the collection went fine. The party officials have been able to check it against such backups as paper records. It was the reporting that collapsed. Party officials noted unspecified inconsistencies in the data being reported, which is what led them to slow down and check the information. And he's confident that they'll be able to get an honest, accurate count, but it will take some time. Reports from the precincts are still coming in.
Dave Bittner: [00:05:54] While there was little to no evidence of foreign interference in Iowa, a McAfee study released this morning suggests that local authorities in the U.S. are particularly ill-prepared to counter the problem of influence operations conducted through compromised county websites. Fixing the basic failures in website design McAfee calls out wouldn't be a panacea, but it might amount to a good start. McAfee calls out as a lapse the widespread tendency of many counties to use dot-com, dot-net, dot-org and dot-us domains, which can be purchased without the buyer undergoing any validation. The dot-gov domain requires such validation. And these tend to be used for voting information sites even where the county has a dot-gov domain.
Dave Bittner: [00:06:38] The study also finds that a little less than half the county voting sites even use HTTPS encryption. So fixing these issues would be no panacea. But if one thinks, for example, of the large number of successful ransomware attacks and website defacements local governments in the U.S. have sustained over recent years, it's difficult to feel entirely happy about how resilient official voting information sites would be to a campaign that aimed simply at disruption.
Dave Bittner: [00:07:06] There is a common, oft-used security metaphor which describes your digital valuables safely protected by castle walls and maybe even a moat full of crocodiles - hungry ones. But these days, thanks in large part to so many business services and functions moving to the cloud, things are a good bit more fuzzy. Alex Burkardt is vice president of field engineering at VERA, and he describes how to protect critical financial data beyond the corporate perimeter.
Alex Burkardt: [00:07:36] Where a lot of people run into trouble is when they're working on very sensitive things like deals - like deal documents. You know, there used to be this thing known as secure deal rooms, where people come together. They work in these centralized repositories on deal documents, really to secure financials. Then they leave those documents in that room, and they're supposedly secure.
Alex Burkardt: [00:07:53] Well, what tends to happen is if you're working on a really sensitive deal, everyone wants in on it. And being able to revoke access to files once you've determined a partner is no longer the one you want to work with is exceptionally powerful and isn't something that people even really realize exists. And that's why I love talking about the problem. When you apply the notion of, if I'm handing you a dollar, Dave, I have to physically have contact with you, and we have to transfer that dollar. And I know who you are. And I've met you once before. But in the internet, that doesn't really exist, right?
Dave Bittner: [00:08:19] So are we relying on a central server somewhere that's taking care of these encryption keys and permissions and so on?
Alex Burkardt: [00:08:28] Yeah. Fundamentally, you know, what we've done is we've added all the infrastructure on the back end where people don't even need to see it. That introduces the typical controls you would expect for interpersonal file sharing interaction where, on the back end, we figure out is the person who they say they are? Have you, the person sharing the file, allowed someone to have access to it? And are they doing things they're not supposed to be doing with it? And you get an audit list of everything that's going on with that. And you get to see, at the end of the day, do they try to access the file again if you revoke their access? So it's a lot of really - it's a lot of things that people just assumed were impossible that we've now introduced into a platform. And, really, all the end user has to do is right-click to protect the file. After that, we handle the rest, which is pretty cool.
Dave Bittner: [00:09:12] Yeah. I was going to ask you about how do you make sure that you're not introducing a lot of friction? Because I would imagine if someone sends me a document and in order to see it - especially if they're trying to get business from me or pitch something to me, I don't want there to be any additional friction there. How do you crack that nut?
Alex Burkardt: [00:09:31] Well, that's one of the things that everyone's trying to solve. And there have been numerous companies that have started and haven't been successful or have tried and failed in this industry. What I think, you know, VERA is doing really, really well is we understand that friction is the enemy of business. And in the security space, period, people will ultimately make the decision to forgo security procedures in order to make sure the business can run.
Alex Burkardt: [00:09:54] So when it comes to what VERA does most specifically and what I like is we understand that as long as you know who the owner of the file is and give the owner the ability to grant access and remove it in a very simple way by assigning it to an email or by you leveraging their existing authentication provider, it turns the tables on what people thought they had to do in order to regain access to their files.
Alex Burkardt: [00:10:19] You know, when people approach me, you know, a security professional and trying to figure out how to solve a problem, a lot of times, they wonder, like, Alex, why is what you're doing at VERA different or even interesting? Or why are you pitching this to me? And the answer is it's not really a pitch. I don't even feel like - it wouldn't be fun to work at a company if you're not solving a real problem. What I think is most interesting about what this company is doing is we're taking a topic - super complex - which is encryption, and we're taking authentication. And we're taking these two discrete and difficult to manage items that everyone knows of but really kind of hates whenever they're applied together, and we're trying to show people that you can regain access to your files, or you can have the benefit of applying cryptography and still get work done. And when that marriage occurs, you actually see the best of both technologies. That's my opinion.
Dave Bittner: [00:11:09] That's Alex Burkardt from VERA.
Dave Bittner: [00:11:12] Japanese electronics giant NEC disclosed Friday that its networks had sustained an unauthorized intrusion by parties unknown in 2016. The incident was discovered in 2017, with remediation continuing into 2019. The company says no sensitive data were lost, but it doesn't explain why the disclosure was made now.
Dave Bittner: [00:11:32] Twitter said yesterday that a network of fake accounts had been exploiting its API to match usernames with phone numbers. Twitter says it's fixed the vulnerability with the API and suspended the fake accounts. Twitter wrote on its privacy site, quote, "we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors," end quote.
Dave Bittner: [00:12:03] And finally, we close with a somber, respectful note as we mark the passing of one of the last of the Second World War's Code Talkers. Flags at the Navajo Nation are at half-staff to honor Joe Vandever Sr., who served in the United States Marine Corps in the Pacific, where his and his colleagues' native language served as the basis of a tactical code that the enemy never broke. Rest in peace, Marine, and semper fi.
Dave Bittner: [00:12:38] And now a word from our sponsor KnowBe4. There's a reason more than half of today's ransomware victims end up paying the ransom. Cybercriminals have become thoughtful, taking time to maximize your organization's potential damage and their payoff. After achieving root access, the bad guys explore your network, reading email, finding data troves. And once they know you, they craft a plan to cause the most panic, pain and operational disruption. Ransomware has gone nuclear. But don't panic. KnowBe4 is hosting an exclusive webinar where you can find out why data backups - even offline backups - won't save you, why ransomware isn't your real problem and how your end users can become your best last line of defense. Go to knowbe4.com/ransom and learn more about this exclusive webinar. That's knowbe4.com/ransom. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:13:50] And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. Ben, I wanted to talk about an article that came by. This is from the folks at ProPublica, written by Will Young. The title is "How Corporate Lawyers Made It Harder to Punish Companies that Destroy Electronic Evidence." Take us through what happened here.
Ben Yelin: [00:14:10] So back with the corporate governance scandals of the early 2000s, there were cases where big companies were illegally destroying evidence. And harsh punishments were levied by courts as a result of civil lawsuits against those companies. We had, and this article mentions, a penalty for the tobacco giant Philip Morris - $2.7 million for a breach, $250,000 fines against each company supervisor found culpable. So those are significant penalties.
Ben Yelin: [00:14:42] There was a law passed in 2006 at the behest of some of these corporations to change the rules. As a result of that statute, there is now what's called a safe harbor provision. And this protects companies from the consequences of failing to retain electronic files. As long as companies follow a consistent policy when they're informed that they are going to be the subject of litigation, as long as they make a good faith effort to preserve relevant materials according to their company policies, they will not be held liable in court for destroying those electronic materials.
Dave Bittner: [00:15:20] So in other words, if my understanding is correct here, if over the course of my company's regular data retention policy, there was a sunsetting of data - you know, we get rid of all of our emails that are older than 10 years old - then that's probably not a problem. But if...
Ben Yelin: [00:15:36] Right. And that's what - yeah.
Dave Bittner: [00:15:37] ...A lawsuit comes in and all the sudden the message goes out to everybody, hey, start frantically...
Ben Yelin: [00:15:41] Delete now.
Dave Bittner: [00:15:42] ...Deleting - delete, delete, delete, delete - right?
Ben Yelin: [00:15:44] Yeah.
Dave Bittner: [00:15:44] That could raise some eyebrows.
Ben Yelin: [00:15:45] Exactly. As long as you're following consistent organizationwide policy...
Dave Bittner: [00:15:50] Yeah.
Ben Yelin: [00:15:50] ...And, you know, the effort is made in good faith to retain documents when you're informed that you're facing litigation, then that safe harbor provision applies. You will not be subject to punishment.
Dave Bittner: [00:16:03] OK.
Ben Yelin: [00:16:04] This didn't solve the problem for corporations. There is an incident in 2008 where Qualcomm - I know them from sponsoring the sports stadium in San Diego...
Dave Bittner: [00:16:13] (Laughter).
Ben Yelin: [00:16:14] ...But they are also a chipmaker company.
Dave Bittner: [00:16:16] Evidently, yeah (laughter).
Ben Yelin: [00:16:19] They were fined $8.7 million for destroying evidence. This happened to a bunch of different corporations as well. So some lawyers got together - lawyers representing some of the largest corporations in the country and also representing the United States Chamber of Commerce. And they went through the regulatory process to get a change to the regulations on data retention. And in 2015, a rule took effect that limited judges' latitude to punish people who destroy electronic evidence.
Ben Yelin: [00:16:53] And this rule, as - you know, they quote a retired judge here, making the statement this rule is sort of backwards. It requires that a litigant who claims the other side destroyed or didn't keep evidence - they have to prove that whatever was destroyed would have been unfavorable to the person destroying it. Now, that presents the very obvious Catch-22. How do you know it's unfavorable if that data has already been destroyed?
Dave Bittner: [00:17:20] Right, right.
Ben Yelin: [00:17:21] And this is just an absolutely daunting hurdle for litigants. And usually, these litigants will have fancy, hotshot lawyers. But they're oftentimes, you know, people who use the products produced by these corporations or, you know, people alleging some sort of injury as a result of corporate action. And it's just because of this rule that's very favorable to these corporations, it's going to be much harder for those plaintiffs to seek relief.
Dave Bittner: [00:17:48] So how has this played out in the real world? What's been the effect? Are organizations having, you know, shredding parties, or what - how does it play out?
Ben Yelin: [00:17:58] So the numbers are actually staggering. You know, they have the stats, the receipts to back up how big of a change this is. ProPublica said that they looked at 900 civil cases involving the deletion of electronic records. In 2014, which was before this regulation took effect, judges approved 51% of the motions to penalize somebody for destroying evidence. That number dropped to a staggering 19% in 2019. And that's four years after that regulation took effect. The same is true for a second category of penalties, which are largely confined to just fines for these companies - 76% penalty rate before this regulation took effect and 38% after it took effect.
Dave Bittner: [00:18:46] So all that lobbying literally paid off.
Ben Yelin: [00:18:48] It paid off.
Dave Bittner: [00:18:49] Yeah, yeah.
Ben Yelin: [00:18:49] Yeah. You know, the problem is very few people are paying attention to the Federal Rules of Civil Procedure. And the ones who are are the people who are going to benefit from these types of changes. And the U.S. Chamber of Commerce has the resources to effectuate these kinds of policy changes. And here, they were able to do so.
Dave Bittner: [00:19:09] And so in your estimation, you're not a fan of these changes and how they played out.
Ben Yelin: [00:19:15] I generally am sympathetic to plaintiffs in these circumstances just because, at the very least, all the potential evidence that could be relevant in a case should be maintained. You know, there's no normative reason why companies shouldn't be forced to retain electronic evidence where feasible. I mean, I think the 2006 rule was actually a decent compromise. You don't have to go, you know, above and beyond your corporate retention policies. But unlike the current rules, you're not putting a burden on the plaintiff to prove negative information that was in those documents...
Dave Bittner: [00:19:50] Right.
Ben Yelin: [00:19:50] ...When, of course, they would have no access to documents that have already been destroyed.
Dave Bittner: [00:19:55] Right, right. Yeah, you can't prove a negative.
Ben Yelin: [00:19:57] Exactly.
Dave Bittner: [00:19:58] Yeah, interesting. All right. Well, (laughter) interesting stuff, as always. Ben Yelin, thanks for joining us.
Ben Yelin: [00:20:04] Thank you.
Dave Bittner: [00:20:10] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: [00:20:16] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:27] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.