The CyberWire Daily Podcast 2.28.20
Ep 1034 | 2.28.20

South Carolina primary affords the next test of US election security. Cerberus evolves. Bot-driven fraud. FCC to fine wireless carriers for location data handling. FISA changes.

Transcript

Dave Bittner: [00:00:03] South Carolina prepares for tomorrow's primary, confident that it will be able to conduct the vote, securely and without disruption. An evolved version of the Cerberus Trojan has been spotted. Bots are making fraudulent appeals for brushfire aid to the Australian Red Cross. The FCC is preparing to fine four major wireless carriers for mishandling user geolocation data. Proposed changes to FISA surveillance in the U.S. and a farewell to RSAC 2020. 

Dave Bittner: [00:00:38]  And now a word from our sponsor, ExtraHop, securing modern enterprises with network detection and response. Security teams today want to say yes to cloud adoption just like they want to support enterprise IoT and edge computing. But the more complex your architecture, the less you can trust your perimeter to keep threats out. When attackers make it into your environment, you need to be the hunter, not the hunted. ExtraHop helps organizations like Home Depot and Credit Suisse detect threats up to 95% faster with the context they need to act - immediately. Visit them at RSA for a full product demo of threat detection and response for cloud, multicloud and hybrid enterprises or learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:01:33]  Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators like your team's. Cloud security that accelerates business. It's about time. Go to mcafee.com/time. 

Dave Bittner: [00:01:56]  From the 2020 RSA Conference in San Francisco, I'm Dave Bittner with your CyberWire summary for Friday, February 28, 2020. 

Dave Bittner: [00:02:06]  The U.S. state of South Carolina holds its presidential primary tomorrow. The voting there, unlike the very troubled Democratic caucus in Iowa, will be run by state election officials, not the political parties themselves. One of the technologies in use in South Carolina will be closely watched. The state is using touch-screen voting machines during this election cycle. The machines do produce a paper ballot, but some observers have expressed concern that those ballots will prove less reliable than a traditional hand-marked paper ballot. Machines, the fear runs, are susceptible to hacking or sabotage in ways that pen and paper are not. 

Dave Bittner: [00:02:45]  The Washington Post summarizes security measures in place for tomorrow's voting - state and county officials have been training to manage elections cyber risks for two years. Paper ballots are available as a backup should problems arise with the new touch-screen voting machines. Both the State Election Commission and the state's Democratic Party are monitoring social media for disinformation. Only the Democrats will be holding a primary. The South Carolina Democrats also have lawyers standing by in three cities ready to respond quickly to reports of either disinformation or voter suppression. And, finally, the party has a roomful of millennials, social media jockeys who will presumably take care of countermessaging against misinformation. 

Dave Bittner: [00:03:29]  Transparency is tough enough without even attempting fact-checking or countermessaging. Facebook, The New York Times reports, is having trouble keeping up with presidential candidate Mike Bloomberg's meme troupe. Mr. Bloomberg's campaign has paid influencers to post content favorable to them. It's also hired what Reuters calls "hundreds of digital organizers" to send content out through their personal accounts. None of this seems illegal to be sure, but Facebook worries that it comes close to a breach of Menlo Park's terms of service. It's not coordinated inauthenticity since the influencers and organizers are who they say they are. But it does seem, to the social network, that this kind of hiring amounts to sailing pretty close to the wind.

Dave Bittner: [00:04:13]  Some of the memes are amusing in a self-deprecating way with the occasional intrusions of leetspeak, like LFMAO mixed with suggestions that Mr. Bloomberg means well but doesn't quite get it, like addressing a message to Mrs. Dow Jones. Business Insider has a good sample if you're curious. The campaign is said by The New York Times to be the work of Meme 2020, a young company that works memes in social media the way Madison Avenue used to work jingles on radio and broadcast television. 

Dave Bittner: [00:04:44]  ThreatFabric research indicates that an evolved version of the Cerberus Android banking Trojan can now steal Google two-factor authentication codes, and Cerberus is now also a RAT with serious remote-access functionality. ThreatFabric thinks that the new Cerberus is in a testing phase, but it can be expected to move into widespread use soon.

Dave Bittner: [00:05:08]  The Australian Red Cross is being flooded with bot-driven fraudulent requests for brushfire aid, SBS News reports. The staff is able to weed out the bogus cries for help, but it's time-consuming and wastes resources, working harm and doing nobody, not even the criminal bot masters, any good. 

Dave Bittner: [00:05:27]  Reuters says that the U.S. FCC is preparing to fine four major mobile carriers - AT&T, Verizon, Sprint and T-Mobile U.S. - a total of $200 million for improperly disclosing real-time consumer location data. In May 2018, the FCC began investigating reports that a flawed website could enable mobile phone users to be geolocated. That inquiry subsequently expanded to cover other ways in which third parties were using customer location data. 

Dave Bittner: [00:05:56]  U.S. Senator Rand Paul, Republican of Kentucky, tells The Wall Street Journal his proposal to rein in FISA has White House support. The Foreign Intelligence Surveillance Act signed by President Carter in 1978 established a FISA court to oversee requests for surveillance of U.S. citizens for counterintelligence or national security reasons. Senator Paul's proposed amendment would require the government to obtain warrants for such surveillance from ordinary federal courts, as they do now in all other cases. 

Dave Bittner: [00:06:27]  RSAC 2020 wraps up today, and we'll close our coverage of the event with this podcast. We're still coming to you from San Francisco, that city by the other bay. Some final thoughts on the conference. It seemed to our people on the floor that the companies who attended this year's conference found the traffic a bit lighter than in some previous years, but that they found the conversations they had with visitors to their booths noticeably more productive. There were, one exhibitor remarked, fewer swag baggers. And we're proud to say that our decision to leave certain members of our editorial staff back in Baltimore contributed to this positive winnowing. But there were many people who proved to be quality leads. So in general, apparently, a satisfying conference. Thanks to all who visited us on Broadcast Alley. Don't be strangers. It was great meeting you all. I hope to see you all again soon. 

Dave Bittner: [00:07:25]  And now a word from our sponsor, LookingGlass Cyber. Organizations have been playing a dangerous game of cyber Jenga, stacking disparate security tools, point solutions and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's microsegmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution, requiring no specialty hardware. Meet the Aeonik Security Fabric. Learn more at lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass Cyber for sponsoring our show. 

Dave Bittner: [00:08:40]  And joining me once again is Mike Benjamin. He's the head of CenturyLink's Black Lotus Labs. Mike, it is great to have you join us here at the RSA Conference. 

Mike Benjamin: [00:08:49]  Thanks for having me, Dave. 

Dave Bittner: [00:08:50]  So we are a couple days into the conference as we record this. So I feel like we really had a chance to get a sense for the tone of the conference, overall, what's on people's minds. What's your sense as you walk around? What sorts of things are rising to the top of your attention? 

Mike Benjamin: [00:09:07]  You know, I thought it was interesting this year. I walked the floor last year, and I left feeling that everybody needed to say the words AI in every booth and conversation. And there's still some token AI use here and there. But I think it's calmed down a little. People are maturing into understanding how to use statistics in their work and not trying to sell as much maybe snake oil with some of their capabilities. But, overall, you know, industry maturing I think is probably the biggest take-home I would take this year. 

Dave Bittner: [00:09:37]  How do you think that manifests itself in terms of the maturity? Are we seeing - like, it strikes me that there's no shortage of startups. And I would imagine with maturing comes consolidation. Maybe we lose a little bit of, like you say, some of that breathlessness with the hype with some of the technologies. What does that mean to you? 

Mike Benjamin: [00:09:54]  Well, you know, one thing I find is that once people get informed on a topic, they know how to ask questions. They actually can ascertain whether something's good or bad. And, you know, the I-can-prevent-any-malware-on-earth statement persisted quite a few years ago. And that went away pretty fast, too - right? - as people learned, you know, that's not possible. Explain to me what you're actually doing that's different. And people can ascertain for themselves whether they should go forward with the technology, whether they should adopt a new trend and where it fits into their, you know, defense-in-depth strategy as a buyer. 

Dave Bittner: [00:10:27]  What sort of messaging are you all putting out from CenturyLink? What are some of the things you're sharing this year? 

Mike Benjamin: [00:10:32]  Well, there's a few things we focus on. Obviously, we're a massive telecommunications company. And so we have an opportunity to make security simple for our customers. So if you'd like to block a threat, we already are carrying for those customers the - we really have an opportunity to block things, filter things. And so simplicity and then the visibility that we get from our networks. That's what we're looking at at Black Lotus Labs. When I'm on the show, we're talking about the threats we're able to glean from that knowledge. And so can we make it simple while still blocking with the knowledge we have from an advanced threat basis?

Dave Bittner: [00:11:08]  Is there anything, as you walk around, that you feel isn't getting the attention it deserves? 

Mike Benjamin: [00:11:12]  Well, it's sad to say, but it's the simple blocking and tackling and risk-understanding, the GRC basics that every company here has to worry about. There's not enough booths really just helping them with the basics of running their program. A lot of it tends to be whiz-bang technology rather than focused on, you know, here's what it takes to run a security program and how can we actually help you with it. We as an industry do tend to get really excited about those advanced actors and those advanced malwares. And I'm guilty of it, too. I love those topics. They're really fun to learn about. But at the end of the day, your average CISO really needs to run a program. And that's what the industry needs to help them with. 

Dave Bittner: [00:11:52]  What do you get out of a conference like this? For yourself attending from an educational point of view, from, you know, your own personal enrichment, what do you go home with? 

Mike Benjamin: [00:12:02]  That's a great question. I'm going to give away my secret here, so apologies as I do it. 

Dave Bittner: [00:12:07]  (Laughter). 

Mike Benjamin: [00:12:07]  I walk to the smallest booths possible, and I go have conversations. They tend to be staffed by the people who actually built the technology or really ingrained in how they're helping their customers. There are some great ideas that come out of those companies. There are some great conversations to be had. You tend to get the pulse of what new ideas are coming out of the fringe vendors, the fringe folks. And then I really enjoy seeing all the folks that I work with in person, right? We - as a security community, we definitely adopt the technology. We're all in way too many Slack channels and Keybase and Signal messaging. It's good to shake a hand and see the people that you work with and build those relationships because at the end of the day, we all have to work together to raise the cost of how actors are being successful if we're going to have a chance stopping them.

Dave Bittner: [00:12:53]  Yeah. All right. Mike Benjamin, thanks for joining us. 

Mike Benjamin: [00:12:57]  Thanks, Dave. 

Dave Bittner: [00:13:02]  And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Each entry point in your organization can compromise your business's security. LastPass Identity can minimize risk and give your IT team a breakthrough integrated single-sign-on password management and multifactor authentication. LastPass Identity enables you to manage and control user access for all access points in your organization, add an additional layer of security to every single login through multifactor authentication, securely authenticate into your work using biometrics, such as fingerprint or face, deliver a passwordless login experience for employees while securing every password in use through Enterprise password management, and gain an integrated view across all access and authentication tasks to know which employees are accessing what when and where. You can learn more at lastpass.com/enterprise. That's lastpass.com/enterprise. And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:14:29]  RSAC 2020 wraps up this year with magicians Penn and Teller joining RSA program committee chair Hugh Thompson and Carnegie Mellon's Lorrie Cranor onstage to share their insights into human behavior and security fallibility. I caught up with Penn and Teller before the show. 

Penn Jillette: [00:14:47]  When you're doing a con one-on-one or even conning in a pyramid scheme a few thousand, there's some sort of investment to get over the hump, whether that's having to expose yourself to possibly being busted. But the thing about phishing scams is you can send out, you know, a hundred million emails. And all you have to do is hit your most vulnerable. So whereas someone who's doing a pigeon drop scam or any of these get-rich-quick scams or even paving-your-driveway scams or any of that, you have to find an older person in their home. You have to go there. You might be bumping into an ex-law enforcement person who's aware of this stuff. There's a lot of risk. When you're sending out hundreds of millions of emails, you know, you don't need to get close to one-hundredth of 1% to be able to hit, so you can dumb them down, tremendously, to protect yourself. You don't want to get someone on the hook who is at all savvy. 

Dave Bittner: [00:16:02]  Right, right. 

Penn Jillette: [00:16:03]  So there's a - the difference in numbers changes the whole con thing. Although, it does come down to, you know - and you don't want to overstate this because you end up blaming the victim for the crime, which is always a mistake, but it does come down to something for nothing. And you have to be very careful of that, you know? You're not going to be offered the deal that's something for nothing. And it's very hard to remember that because it's very seductive. But once again, I don't want to get close to blaming the victim for the crime. I mean, we do that so easily in scams, going, oh, these people that fall for this are stupid or these people - I mean, it's a small step from there to, you know, she shouldn't have been dressed like that walking in the street. It's a small step to that, and it's deeply, deeply immoral. 

Dave Bittner: [00:16:53]  Yeah, do you feel as though with the perspective that you have, the knowledge that you have - look, I'm imagining if you're walking down the street and you see someone doing a shell game, you know, like, you know what the mechanisms that are going on. You can watch that from a different point of view than me. 

Penn Jillette: [00:17:10]  But, no, I - no because that's part of the lie. You know, when David Mamet writes about scams, it's always this kind of beautiful interplay that shows basic human needs and desires. That's not what's going on in three-card monte. If Teller and I were to go up and know every single move and be able to see the move - which we couldn't do anyway, but let's postulate that we could - we could see the move and therefore be able to make the bet and stop them from doing the turnover and stop all of that, there are six people working that scam, and they will pull you in the back alley, beat you up and take your money. 

Dave Bittner: [00:17:50]  I see (laughter). 

Penn Jillette: [00:17:50]  It is not someone outsmarting you at a game. It is somebody who is a thug, a bully, a violent person operating outside of the trust of society who will hit you. So if you were able to say that's where the queen is, hold the person's hand back, turn over the queen, showed that to them, triumphantly, they are not going to go, jolly good, well played, here's our money. 

Dave Bittner: [00:18:21]  Right. 

Penn Jillette: [00:18:21]  They're not going to say that. So we can't pretend the people - and there's even that romance that goes on in phishing scams. Here's how smart they were to throw a thumb drive in the parking lot that someone picked up and checked it out. The people that decide to do that are operating outside of our rules. So if they - if you were to outsmart them, they will beat you up. But is it fair to dismiss what might be a certain level of craft? They become good at it through practice, yes? 

Penn Jillette: [00:18:54]  I think the craft - you know, you'll always see this stuff like, oh, pickpockets... 

Dave Bittner: [00:19:00]  Right. 

Penn Jillette: [00:19:00]  ...They're so good and so quick at the handoffs. Yes, compared to someone doing it for the first time, not compared to the Olympic relay team (laughter). 

Dave Bittner: [00:19:09]  Right, right. 

Penn Jillette: [00:19:11]  You know, and the people who have clever phishing scams are not anywhere near the level of the people who developed UNIX at Bell Labs, you know. It's just we make a big mistake when we glorify anything about this. 

Dave Bittner: [00:19:29]  I've often wondered, like - you know, to me, a close-up sleight-of-hand magician would never have to pay for a candy bar unless they wanted to, right? 

Penn Jillette: [00:19:40]  Oh, no, it's a different skill. 

Dave Bittner: [00:19:42]  But you understand what I'm - I mean, my point that... 

Penn Jillette: [00:19:45]  The point is that you... 

Dave Bittner: [00:19:46]  ...You don't - you choose. 

Penn Jillette: [00:19:47]  No, everybody chooses. 

Dave Bittner: [00:19:49]  Right. 

Penn Jillette: [00:19:49]  You do not have to pay for a candy bar. I can assure you that you have been at a convenience store when someone was watching you closely that you could've stuck it in your pocket. There's no special skill to steal. There really is no special skill to steal it, you know. Most of your robberies are opportunist. The idea of the clever heist, the "Ocean's Eleven" is essentially a fiction. There's a few stories of very clever robberies, but those stories are - there's two dozen of them over the past hundred years. I mean, they're just not. There's the one with the dice being switched to the table on innocent people while something else is happening over there that's very, very clever. And that's something that happened in the late '60s that is still brought up as the one clever scam. 

Dave Bittner: [00:20:47]  Right. 

Penn Jillette: [00:20:47]  Mostly, it's people who are - most of your crimes are done by high, stupid, incompetent people who are willing to perpetrate violence on other people. I don't think there's any difference in the cyber world. 

Dave Bittner: [00:21:04]  Podcasting is an audio medium, obviously. You have your podcast. 

Penn Jillette: [00:21:08]  Yup. 

Dave Bittner: [00:21:09]  Are you aware of any - of the existence of any audio-only magic tricks? Is magic a visual medium? 

Penn Jillette: [00:21:18]  Everybody's - there's a bunch, you know. There's - our mentor, Johnny Thompson, used to talk about radio tricks in a live show where the visual is there. We have tricks in our show that we hope you don't notice, but you aren't really seeing very much. You are counting on the audience reaction and our reaction and the way it happens there. And it's not actual close-ups of what's happening. Magic is to me an intellectual medium more than - when you're talking about pure illusion - which, to me, is the lowest form of magic. It's just something that looks one way, instantly, you know, the stuff that is done with mirrors or optically. I think that's the least interesting kind of magic. 

Penn Jillette: [00:22:11]  The most interesting kind of magic at one level or another I believe is psychological. So there have been OK audio-only magic tricks. They are harder just like TV-only magic tricks are much harder because you really want to be in the room so that the rules of time and physics cannot be manipulated. The problem with magic on television is the most amazing magic trick we could ever do happens every 20 seconds on TV, which is a different point of view. If we could suddenly have you looking at us from over there, it would be the most phenomenal magic trick ever done and yet on TV, all the time. On TV, you have "Avengers," you know. You have all that that's showing. 

Penn Jillette: [00:23:05]  So audio has kind of that same problem. If we do a trick right here for people that you know and you understand that they are being honest and they are sincerely shocked, that's very different than someone you don't know in audio. So I would say that it's not so much a difference between sound and light as is the difference between immediacy and real in the room. 

Dave Bittner: [00:23:31]  Our thanks to Penn and Teller for joining us. We'll have a longer version of this interview on an upcoming episode of our "Hacking Humans" podcast, so be sure to check that out and subscribe. Special thanks to CyberWire producer Jennifer Eiben for coordinating our interview with Penn and Teller. 

Dave Bittner: [00:23:51]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And don't forget, you can get the daily briefing as an Alexa flash briefing, too. 

Dave Bittner: [00:24:01]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:24:14]  Funding for this CyberWire podcast is made possible by RSA Conference, where the world talks security. Through global events and year-round content, RSAC connects you to cybersecurity leaders and cutting-edge ideas for a safer more secure future. Learn more at rsaconference.com. 

Dave Bittner: [00:24:33]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: [00:24:42]  Our amazing CyberWire team is Rick Howard, Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll be back home next week. We'll see you then.