The CyberWire Daily Podcast 3.2.20
Ep 1035 | 3.2.20

Super Tuesday eve primary jitters. DoppelPaymer hits an aerospace supplier. WordPress plugins exploited in the wild. Vote for the catphish.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Dave here. Our new subscription program, CyberWire Pro - much discussed and much anticipated, especially by us - has launched today. It's designed for busy cybersecurity professionals and all others who want to stay abreast of this rapidly evolving field. CyberWire Pro is a premium news service that will save you time and keep you informed. Go to thecyberwire.com/pro. That's thecyberwire.com/pro. Thanks for taking a look. 

Dave Bittner: [00:00:35]  It's Super Tuesday eve, and people worry about influence operations, both foreign and domestic. DoppelPaymer hits a precision manufacturer and moves surprisingly quickly to expose stolen files. Vulnerable WordPress plugins are being exploited in the wild. And a catfish is running for Congress in Rhode Island, and he's even got a blue checkmark. 

Dave Bittner: [00:01:02]  And now a word from our sponsor ExtraHop - securing modern business with network detection and response. Cloud-native is a buzzword, but it's also a direction. IDC predicts that 70% of enterprise applications will be developed cloud-native by 2021. It's time for security teams to adopt the same agility and speed as their DevOps counterparts so they can secure multi-cloud deployments and enterprise IoT at scale. ExtraHop helps organizations like Home Depot and Wizards of the Coast detect threats inside their hybrid and cloud environments up to 95% faster and respond 60% more efficiently. Investigate an attack with ExtraHop in the full product demo of cloud-native network detection and response available online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud to protect the latest, like containers, who empower your changemakers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:24]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 2, 2020. Tomorrow is Super Tuesday in the U.S. Fourteen states will hold their Democratic presidential primary. The Washington Post, noting the ways in which occasions for influence operations are topical and closely tied to current events and popular sentiment, observes that several experts, including government officials, are expecting coronavirus to serve as fodder for attempts to suppress turnout. 

Dave Bittner: [00:02:57]  There's been a great deal of misinformation about the COVID-19 strain of coronavirus gurgling about on the internet. Most of that has involved the flacking of patently bogus cures, dodgy supplements and pharmaceuticals and, of course, the sort of survivalist paraphernalia disasters tend to churn to the surface of the popular imagination. But Super Tuesday affords an opportunity to use public fear in the service of influence operations. Such attempts could be either foreign or domestic, especially since the South Carolina results, with the first strong showing by former Vice President Biden, have caused the Democratic race to tighten. 

Dave Bittner: [00:03:35]  Consider that someone desires, for political reasons, to suppress turnout, either globally or in certain districts. It wouldn't be difficult to spread a rumor to the effect that going to the local polling place is bound to expose you to a disease that you don't understand very well but that seems very scary. Or suppose a campaign tanks where it was expected to run strongly. How difficult would it be to ascribe failure at the polls to a rival's conspiracy to scare away people with coronavirus worries? And, of course, if you're a state operator - and, of course, we're looking at you, Russia - any confusion or mistrust is, from your point of view, just gravy. The feds are, as they say, on the case, actively coordinating with and providing support for local election boards throughout the nation. 

Dave Bittner: [00:04:22]  Last week at RSAC 2020, we met with Elvis Chan, who is among the top experts on election security in the FBI. 

Elvis Chan: [00:04:30]  I think the beauty of the United States of America is we have the federal government, and then we have the state governments that are actually in charge of the election systems, right? 

Dave Bittner: [00:04:37]  Right. 

Elvis Chan: [00:04:37]  So I think there is just a healthy tension, say, between the two governments, right? At the end of the day, the states are in charge of the elections. As a U.S. government representative, I totally get that. And so I think it's just continuing to build on the relationships that we have established with the different state, county and local election officials. I do think it's much better - we are at a much better posture than where we were in 2018. 

Dave Bittner: [00:05:07]  In terms of the professionals who are in the cybersecurity sector, what sort of things would you like them to know about the state of our elections here? 

Elvis Chan: [00:05:12]  So I would like the cybersecurity professionals to know that we're all on it. And it's really not just the U.S. government's job or even the state and county government's job. It is everyone's job. I would like to say for the upcoming election and for all elections, it is a whole-of-society effort and approach that we are hoping for, and we're really trying to sell that idea to everyone. 

Dave Bittner: [00:05:34]  Can you give us some insights on some of the partnerships that happen between the various agencies, how all of you work together, the parts that you play to ensure the integrity of the elections? 

Elvis Chan: [00:05:43]  Yes. That's - I would like to say the interagency is working well. I really thought it came together if we can use post-9/11 as a context, right? 

Dave Bittner: [00:05:52]  Yeah. 

Elvis Chan: [00:05:53]  So it was really focused around counterterrorism - all of the different agencies involved in counterterrorism, DHS, FBI, CIA, NSA - right? - so all working well in that space. And I feel like that has now migrated over to what is essentially a counterespionage/counterintelligence space. Right? So we work very well with the other agencies. I kid you not when I say that we either email or talk on the phone almost every day. I talk on the phone or email with one of those agencies every single day, and we're coordinating all on election security. We're all counting on each other's reporting so there's no stovepiping - right? 

Elvis Chan: [00:06:34]  So I get a daily email that has all of the election security-related reporting from the entire U.S. intelligence community every single day. And it is fantastic information. We're tracking on a lot of interesting stuff, a lot of good stuff and, you know, working to counter and disrupt things that we see coming on the horizon. 

Dave Bittner: [00:06:55]  As a citizen - as someone here (laughter) - you know, a proud U.S. citizen, how do I calibrate my views on the upcoming election? There's so much information out there and so much coming from different sources saying, you know, bad things are going to happen or don't worry at all. And as with many of these things, the truth is somewhere in the middle. From your perspective, for those of us who are going day to day about our everyday lives, what should we know about this upcoming election? 

Elvis Chan: [00:07:25]  I think what you - what everyone should know is that all of us within the government, whether it be the U.S. government, state, county, local, we are all doing our best. We need the American electorate to be as informed as possible. Right? And so I know that we live in an age, you know, of social media where we get to live in our bubbles. But I would ask all Americans, like, let's - let's all get out of our bubbles. Let's, you know, look at different viewpoints. Let's try to be informed with - I mean, I don't want to use air quotes but, like, trusted news sources. 

Elvis Chan: [00:07:58]  There are different news sources. And I think Americans are smart enough to be able to look at different news sources and then decide for themselves at the end of the day. Listen to all of the different candidates who are talking. And they - they should vote with, you know, being informed on all of that information. Really, what I'm asking for is, the American public, like, go do your research. And then after that, you make the decision that you want to make on Election Day. 

Elvis Chan: [00:08:20]  I do want to make a plug. On fbi.gov, we have an initiative called the Protected Voices Initiative. And if people just want to search on our website, they can go. There's a bunch of different training videos that have really good cybersecurity - very short cybersecurity videos. But it's helpful not only for political campaigns but for us as the American public. 

Dave Bittner: [00:08:39]  That's Elvis Chan from the FBI. 

Dave Bittner: [00:08:42]  RT is sniffing that accusations of Russian collusion go back to the Cold War. And so how about those nutty Yankees, huh? An uncluttered and hysterical lot - just look at the kinds of TV shows they watch. Not a pretty side, drug moi. And indeed, RT, an official Kremlin news source, by the way, offers a nice review of the ways in which U.S. presidents have been at various times accused of being Russian tools. But collusion is probably something of a red herring, as they used to say back in the Cold War. Attempts at influence have been much more the thing, as RT ought to know better than anybody else. And those do indeed go back to the Cold War and beyond. 

Dave Bittner: [00:09:24]  There's been an interesting attack which, while it doesn't appear to be directed against a supply chain, nonetheless may have supply chain effects. Visser Precision, a manufacturer with customers in several industrial sectors, disclosed over the weekend that it had been the victim of a cyberattack. TechCrunch reports that the attack was a ransomware infection, specifically an attack using the DoppelPaymer ransomware strain. Visser said in a brief statement to TechCrunch that the company continues its comprehensive investigation of the attack, and business is operating normally. 

Dave Bittner: [00:09:57]  DoppelPaymer followed its recent pattern of stealing as well as encrypting data. Emsisoft researchers told TechCrunch they'd found a website that listed the files stolen in the incident. On display were folders named for Visser customers. Those included Tesla, SpaceX, Boeing and Lockheed Martin. Some but not all of the files were available for download. It's interesting that in this case, the DoppelPaymer operators seem to have lost little time in exposing the stolen files online. 

Dave Bittner: [00:10:27]  Vulnerabilities in several WordPress plug-ins are being actively exploited in the wild, ZDNet reports. Some of the affected plug-ins include Google Maps and Modern Events Calendar Lite plug-ins, where similar zero days in Async JavaScript, 10Web Map Builder are being used. Also affected are ThemeREX, WooCommerce, ThemeGrill Demo Importer, Duplicator and Profile Builder. 

Dave Bittner: [00:10:53]  And finally, in election news, there's a candidate for Congress in Rhode Island, Andrew Walz, who's running as a proven business leader and a passionate advocate for students. His campaign tagline is, "Let's make change in Washington together." So definitely a guy to watch. 

Dave Bittner: [00:11:11]  Only, actually, that will be hard because Mr. Walz is a catfish, the creation of an anonymous high school student in upstate New York. That is, Mr. Walz doesn't actually exist. But real or not, Mr. Walz got himself a coveted blue checkmark from Twitter. The high school student who created Andrew Walz did so over his school's winter break because he was bored. We hope that unnamed student moves Andrew Walz onto some dating sites. We think Andrew Walz and Robin Sage would make beautiful music together. 

Dave Bittner: [00:11:48]  And now a word from our sponsor ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you'll know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire, and we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:12:40]  And I'm pleased to be joined once again by Johannes Ullrich. He's the dean of research at the SANS Technology Institute, also the host of the ISC "Stormcast" podcast. Johannes, it's always great to have you back. We've seen some developments in iOS when it comes to some authentication issues here. What's going on? 

Johannes Ullrich: [00:13:00]  Yeah, so one problem you always have with mobile devices and, in particular, with mobile web applications is that it's a real pain to log in. You're on the way to work in your car, you know, coffee mug in one hand, phone in the other hand... 

Dave Bittner: [00:13:17]  (Laughter). 

Johannes Ullrich: [00:13:17]  ...Trying to log in. You're not going to... 

Dave Bittner: [00:13:20]  Steering with your knees (laughter). 

Johannes Ullrich: [00:13:21]  Steering with your knees, right. 

Dave Bittner: [00:13:22]  Yeah (laughter). 

Johannes Ullrich: [00:13:23]  You're not going to type a complex password. 

Dave Bittner: [00:13:25]  (Laughter) Right. 

Johannes Ullrich: [00:13:25]  ...With lots of special characters and such. So that has been a real pain, and there have been sort of some workarounds for this. But there's sort of a real neat standard evolving. Many mobile devices now have some - reasonably robust biometrics. Like, in iOS lately, you had this pretty good Face ID; you had fingerprint scanners and the like. But what was missing, really, was a link between these authentication mechanisms that you have built in the phone and your web browser. You could use them in mobile applications but not necessarily in web-based applications. And with the latest version of iOS, Apple has finally caught up here and added some of these mechanisms into Safari on iOS. 

Johannes Ullrich: [00:14:16]  Android had a little bit longer. But, you know, you can't really write a web application these days that's just working for Android. It has to work at least for Android and iOS. Now, with that, you have a couple new options now. For example, you can use these USB or NFC security keys for authentication, and that works reasonably well for a mobile device in that you really only have to hold this little token close to the device in order to authenticate, so no typing involved on the keyboard. In general, if you are developing a web application these days, standard practice is now, you know, mobile first. It has to work on a mobile device. And then the desktop prowess is almost sort of a little bit an afterthought for that. 

Johannes Ullrich: [00:15:06]  You really have to apply the same to the authentication as well. And it's not easy, you know? You really have to come up with a reasonably good compromise between usability and security. And I highly recommend that developers start looking at FIDO2, some of these tokens, some of these standards that start showing up in web browsers to see if they can leverage that to secure authentication better. 

Dave Bittner: [00:15:32]  Now, in your estimation, I mean, is this a reasonable compromise? Is there a good balance of security and convenience here? 

Johannes Ullrich: [00:15:38]  I think there is. It's in particular for the more sensitive applications. If you, for example, need two-factor authentication, I would definitely suggest that. You know, two-factor and usability is another sort of big issue. Late last year - I think it was during fall last year - in Europe, they came up with a new directive there. Banks have to require two-factor authentication for login. I know from my parents who live in Germany that - I think they can still not reach any customer support at their bank - pretty much has been overwhelmed, you know, since this directive... 

Dave Bittner: [00:16:12]  (Laughter) Wow. 

Johannes Ullrich: [00:16:12]  ...Became - came into place. It's not easy to really get the usability right of this. And, you know, we really have, as security professionals, to remember, using 32-character random passwords that change once a day is not going to do the trick. So techniques like this, yes, you will read a lot about weaknesses in it, but you have to come up with a good compromise. And I think it's something, you know, as a developer, you should look into; you should see how this could possibly apply for your application. 

Dave Bittner: [00:16:43]  All right. Well, Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: [00:16:51]  Thank you. 

Dave Bittner: [00:16:52]  And that's the CyberWire. For links to all of today's stories, check out our daily news briefing at thecyberwire.com. And don't forget; you can get the daily briefing as an Alexa flash briefing, too. 

Dave Bittner: [00:17:01]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:17:13]  Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Hah! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. 

Dave Bittner: [00:17:41]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rick Howard, Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you all back here tomorrow.