Election security--a look back at Super Tuesday. Cyberspace Solarium preview. Rapid Alert System engaged in EU. Cyber capability building in Ukraine. Cloud backups as attack surface.
Dave Bittner: [00:00:04] A quick security retrospective on Super Tuesday, a day on which no dogs barked or bears growled or kittens yowled or pandas did whatever it is that pandas do. The Cyberspace Solarium previewed the good government framework it intends to recommend in next Wednesday's final report. The EU uses its rapid alert system against coronavirus disinformation. U.S. aid will go to Ukraine for cybersecurity capability building. And backups are an attack surface, too.
Dave Bittner: [00:00:40] And now a word from our sponsor ExtraHop, securing modern business with network detection and response. Cloud-native is a buzzword, but it's also a direction. IDC predicts that 70% of enterprise applications will be developed cloud-native by 2021. It's time for security teams to adopt the same agility and speed as their DevOps counterparts so they can secure multicloud deployments and enterprise IoT at scale. ExtraHop helps organizations like Home Depot and Wizards of the Coast detect threats inside their hybrid and cloud environments up to 95% faster and respond 60% more efficiently. Investigate an attack with ExtraHop in the full product demo of cloud-native network detection and response available online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:01] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 4th, 2020.
Dave Bittner: [00:02:10] Voting in yesterday's Super Tuesday U.S. presidential primaries was uneventful from a security point of view. Any problems voters encountered - and problems were by no means endemic - were the result of ordinary friction and not the effects of foreign interference, the Voice of America reports. And as NBC News observes, also largely absent was evidence of serious disinformation. CISA told Nextgov that they'd seen no malicious activity during the voting.
Dave Bittner: [00:02:38] Not all went smoothly, of course, simply because nothing really ever does. The Washington Post has a summary of technical glitches, many associated with new technology that voters found frustrating at the polls. Some newly fielded voting machines in Los Angeles County, for one thing, failed to work, casting some doubt on the new technology's reliability. And people in Texas got robot calls telling them that Republicans and independents should vote Tuesday but Democrats should turn up on Wednesday. The calls are under investigation but don't appear to have had much effect. Other problems required poll workers to revert to manual lists in some other California counties when electronic poll books failed. Beyond that, there were the sorts of scattered local government website outages that in normal times are simply background noise.
Dave Bittner: [00:03:28] The relative absence of organized disinformation didn't necessarily calm all the rumor control gatekeepers. Some of them seemed to have picked up a case of the yips, unless that's just the algorithm talking. Twitter, for example, briefly limited Status Coup's Jordan Chariton's account when the progressive journalist retweeted former Vice President Biden's slip of the tongue urging voters to turn out for Super Thursday. Twitter sternly admonished Mr. Chariton that you may not post content providing false information about voting or registering to vote. So there. Besides, it was a Tuesday, not a Thursday. Don't confuse the voting public. As a public service, we'd like to point out that any of you who misunderstood something you saw in your Twitter feed and put off voting until tomorrow, well, you and the candidate of your choice are just out of luck.
Dave Bittner: [00:04:19] The Cyberspace Solarium, the U.S. blue-ribbon policy commission, previewed its recommendations yesterday. As we heard, one of the big points they made was commending the sort of well-informed citizenship that would easily recognize that a candidate meant Tuesday when he accidentally said Thursday and that saying, hey, check out this thing candidate so-and-so just said, wasn't actually engaged in voter suppression. The commissioners recommended voters get their information from state election sites, where, we are reliably informed, people have regular access to calendars. The commissioners promised, The Hill says, 75 specific recommendations for cyber strategy when they report later this month.
Dave Bittner: [00:04:59] The Cybersecurity Solarium's co-chair, Senator Angus King, Democrat of Maine, summed up the solarium's goal as define, develop, defend and deter. The commission is working to define a structure whereby we're going to confront this challenge and develop relationships with allies so these norms can be applied internationally. That structure will encompass not only approaches to stopping cyberattacks, but also plans for continuity and resilience when attacks succeed. We'll never completely prevent successful cyberattacks. And that, the senator said, is why deterrence forms another central component of the recommended framework.
Dave Bittner: [00:05:37] A few of the specific recommendations will be that election officials use paper ballots, that a fifth nonpartisan member be added to the U.S. Election Assistance Commission to break the deadlock too often achieved by the EAC's current two Democrat, two Republican membership and that the U.S. embark on a civic education program to make citizens more skeptical about disinformation. The Cyberspace Solarium's final report is expected out next week on Wednesday, March 11th.
Dave Bittner: [00:06:06] Chris Kubic is the chief information security officer at Fidelis Cybersecurity. Prior to joining Fidelis, he led a distinguished career at the National Security Agency, where he held senior technical roles, including the NSA chief information security officer. He shares his insights on protecting that which is valuable online.
Chris Kubic: [00:06:25] At the National Security Agency, I was certainly in the trenches there. You know, that's a very large organization - you know, lots of IT technology there, so it was a very demanding job. You know, working at Fidelis Cybersecurity, we're a lot smaller company. So that, you know, makes things a little easier as far as taking care of the IT. However, in this position, I'm also helping with the product evolution, you know, and working with our product teams, taking the experience that I've had at National Security Agency and helping to improve the product, as well as, you know, working with our customers, you know, helping them with, you know, some of the enterprise-level strategy for security. That's an important piece to go along with the technology. So this particular job's, you know, quite a bit different than the other one where I was completely inwardly focused on the IT security. You know, this one has a lot more external-facing responsibilities.
Dave Bittner: [00:07:20] Are there any particular insights that you feel like you can bring from your time at the agency?
Chris Kubic: [00:07:26] Yeah, certainly. I mean, you know, I think the most important thing is, particularly if you have a large enterprise network, you know, that network is constantly changing. It's very easy to kind of lose configuration control of what you have as part of the enterprise. So I think some important things there are, you know, bring in some automated capabilities to help you kind of map out the terrain that you're trying to defend and really sort of build that catalog of the assets that are included within your environments, certainly keeping an eye on Internet of things that seem to creep into our environment and making sure that you can map those out and understand how they're connected. But really understanding that terrain, understanding those assets and how they're configured, whether they're well-patched and all those types of things - that's really very critical to trying to defend a large enterprise.
Chris Kubic: [00:08:15] And then, you know, going beyond that, you have to be really good at the cyber hygiene basics, making sure you're keeping your patches up to date because, you know, the attack vectors, still, are almost all exploiting either - you know, using phishing or using unpatched vulnerabilities to really gain that foothold within your environment or, really, using a combination of both. So it's important to be good at the, you know, the basics of cyber hygiene.
Chris Kubic: [00:08:39] And then on top of that, you have to have some automation built-in to be able to, you know, kind of distill all of the different alerts that are being generated across your enterprise and really kind of roll those up into some higher-level conclusions that are kind of higher-confidence alerts that the cyber analysts can dive in and really take a look at because, you know, most enterprises, with the combination of multiple tools, the volume of alerts being generated just overwhelms the analyst today. So whatever can be done from a machine-learning automation standpoint to be able to get higher confidence in your alerts and be able to help the analysts focus in on what's most critical is really important in a large enterprise.
Dave Bittner: [00:09:18] You know, I'm curious. As your role as chief information security officer there at Fidelis, from a leadership point of view, how do you set your priorities for yourself and your team? As you look to the year ahead, how do you set those priorities and decide where you and your team are going to spend their resources?
Chris Kubic: [00:09:39] You know, I've only been with Fidelis for a couple of months now. So, you know, I would say for any new CISO that's coming into an organization, it's really kind of important first to get to know the people that are - you know, have been in place of securing the environment. And sit down with them, and understand from them kind of where things stand from a security standpoint. It's important to understand the culture of the organization and really kind of step back a little bit and understand kind of what the risk tolerance is for the organization. And, you know, kind of based on that, you kind of understand where, you know, some of the potential gaps would be, kind of understand what the risk tolerance is. You can start to prioritize.
Chris Kubic: [00:10:18] At least in my case, having worked a lot with large enterprises, I think where a lot of people fall down is just doing things consistently across the board. You know, you have development environments. You have production environments. You have corporate IT environments. And you tend to have multiple teams working that. And things can get out of sync. So, you know, I think looking across the board there and just looking at kind of best practices that are occurring within each team and then trying to be able do that consistently and, you know, with rigor across the entire collection of IT systems is a good place to start.
Dave Bittner: [00:10:50] I can imagine it must be something of a culture shift for you, even just being able to, you know, at the end of the day, to be with your friends and family and say, hey, this is what I did at work today.
Chris Kubic: [00:11:03] (Laughter) Well, that certainly has been a change for my wife because I didn't...
Dave Bittner: [00:11:06] (Laughter).
Chris Kubic: [00:11:06] ...Have the opportunity to talk about work too much. You know, the other big change is, you know, most of my work was done on closed networks. So, you know, you didn't take your work home with you unless you got a phone call in the middle of the night. So now I'm connected 7x24. So that's a little bit of culture shock right there.
Dave Bittner: [00:11:24] That's Chris Kubic from Fidelis Cybersecurity.
Dave Bittner: [00:11:28] The European Union has used its rapid alert system, an approach to controlling disinformation by information sharing and coordinated messaging, to respond to widely distributed fake news about COVID-19, EURACTIV reports.
Dave Bittner: [00:11:43] The U.S. State Department has allocated $8 million in cybersecurity assistance to the government of Ukraine, according to The Hill. It's a capability building project. Some of Foggy Bottom's $8 million will go to the U.S. Agency for International Development's cybersecurity project, which plans to invest $38 million over four years to build Ukraine's cybersecurity capabilities.
Dave Bittner: [00:12:07] The recent ransomware trend in which the attackers steal the victims' data before they encrypt it may, if Bleeping Computer has it right, have taken a surprising turn. Apparently, DoppelPaymer and Maze ransomware operators, at least, are going after cloud backups as their source of sensitive files. It's a bit surreal, but both DoppelPaymer and Maze seemed happy to answer questions from Bleeping Computer, just as if they were legitimate IT businesses. Yes, we download them, said the Maze gang, referring to cloud backups. They went on to add, it is very useful. No need to search for sensitive information. It is definitely contained in backups. With backups in the cloud, it is even easier. You just log in to cloud and download it from your server - full invisibility to data breach detection software. Clouds is about security, right? DoppelPaymer's controllers offer this take - cloud backups are a very good option against ransom but do not 100% protect, as cloud backups are not always good configured. Offline backups often outdated. The system of backups is really nice, but human factor leaves some options. So there you have it. Do back up your data, but do so securely.
Dave Bittner: [00:13:24] And now a word from our sponsor ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you'll know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:14:17] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [00:14:26] Hi, Dave.
Dave Bittner: [00:14:26] Interesting news out of the FBI. They've been doing some work over a number of years, and sounds like they've got some success here. What can you share with us?
Joe Carrigan: [00:14:35] Yeah, these are some Romanian hackers that have been sentenced. And this is directly from fbi.gov. So it looks like this is the FBI taking a well-deserved victory lap for this one.
Dave Bittner: [00:14:43] Yeah.
Joe Carrigan: [00:14:44] They're talking about the Bayrob Group, which was a Romanian hacker group.
Dave Bittner: [00:14:49] OK.
Joe Carrigan: [00:14:49] And they got attention back in 2007 when an Ohio woman wired thousands of dollars to an eBay seller, thinking that she was buying a car. And the car never arrived. She went to local police. And the listing did not appear on their computers. And what had happened was she had some malware installed on her computer that was not allowing her to go to eBay but instead sending her to the hacker sites.
Dave Bittner: [00:15:15] So she went to a site that looked like eBay.
Joe Carrigan: [00:15:18] Looked like eBay but was not eBay. In fact, her browser probably even said that she was at eBay because a common tactic in the early 2000s was to infect a computer and essentially put a hosts file in there that would - that's the first place your computer checks when you enter a DNS name, which is what ebay.com is.
Dave Bittner: [00:15:38] I see.
Joe Carrigan: [00:15:39] So if you enter ebay.com into the hosts file and put another IP address after it, it'll go to that IP address. It won't even go out to DNS and look for it - or it wouldn't even go out to DNS and look for it.
Dave Bittner: [00:15:49] Right.
Joe Carrigan: [00:15:49] I don't know how it works now. But...
Dave Bittner: [00:15:50] Yeah.
Joe Carrigan: [00:15:51] ...You know, it's the same thing in Linux. There's a file in the /etc directory called hosts that does the same thing. You don't even need to bother querying DNS services. Or maybe that hosts doesn't even have a name in a DNS server. It's just something you want to call it, right? So like I want to connect to Dave's machine, so I type, you know, SSH joe@davesmachine. And it goes out. And I don't have to remember what your IP address is...
Dave Bittner: [00:16:16] OK.
Joe Carrigan: [00:16:16] ...Because humans aren't really good at remembering numbers. We're much better at remembering names.
Dave Bittner: [00:16:19] Right.
Joe Carrigan: [00:16:20] Anyway, these malicious actors would then launder this money, of course. And they use money mules and all kinds of other stuff. And they were really good at being nimble and covering their tracks, according to this thing. They use multiple layers of proxies to hide their locations. So when you have a VPN - if you're running a VPN and then inside of that you're running another VPN - right? - your exit point is one thing, but it can absolutely mask where you're coming from, make it very difficult to find you.
Dave Bittner: [00:16:49] OK.
Joe Carrigan: [00:16:50] As it gained more victims, though, they had more people entering the investigation. So the FBI worked with numerous law enforcement agencies around the world, including some companies like AOL, eBay and Symantec were involved on this. And beginning in 2012, the Bayrob Group began to diversify their criminal enterprise because now it's - as I've always said on this, the market changes, right?
Dave Bittner: [00:17:14] Yeah.
Joe Carrigan: [00:17:14] So they would continue to spread malware via spam and social media, but they also got into cryptomining, credit card number, you know, carding, as it's called - buying and selling credit card numbers on the dark web.
Dave Bittner: [00:17:26] Right.
Joe Carrigan: [00:17:26] And they had all these infected systems that - from their first effort. And they still had these systems out there. They were continuing to grow this huge network of malicious systems. So they could send these emails out and spam out. It was difficult to catch them. But a break came when they made a mistake.
Dave Bittner: [00:17:44] (Laughter).
Joe Carrigan: [00:17:44] And this is usually what happens.
Dave Bittner: [00:17:45] Right.
Joe Carrigan: [00:17:46] One of these guys logged into his personal email account instead of his criminal account, and AOL caught it. And they were investigating some abuse of their network. And they connected the two accounts. And through that, they were able to find some social media accounts. And then they were able to get the Romanian Police involved - the Romanian national police - and they arrested them in 2016. So these guys operated for nine years - 2007 to 2016. They had become one of the top senders of malicious emails.
Dave Bittner: [00:18:16] And it all unraveled because somebody...
Joe Carrigan: [00:18:18] Somebody didn't have good OPSEC.
Dave Bittner: [00:18:19] ...Got a little sloppy.
Joe Carrigan: [00:18:19] Right.
Dave Bittner: [00:18:20] Yeah, yeah.
Joe Carrigan: [00:18:20] One mistake. This is the case where the bad guys have to be good 100% of the time, right? Normally, we say the good guys have to be good 100% of the time; the bad guys only have to be good once.
Dave Bittner: [00:18:30] (Laughter).
Joe Carrigan: [00:18:30] When you're a bad guy, your OPSEC has to be good 100% of the time if law enforcement's looking at you because if they catch you, this is what will happen. Anyways, these guys were brought to trial in the U.S. They were extradited. One of them got 20 years in prison. Another one got 18 years in prison. And a third - he pled guilty and was sentenced to 10 years in prison. They made $4 million during the process, though.
Dave Bittner: [00:18:55] Yeah, over the course of...
Joe Carrigan: [00:18:56] Over the course of nine years, yeah.
Dave Bittner: [00:18:57] ...Several years - still real money.
Joe Carrigan: [00:18:59] Yep.
Dave Bittner: [00:19:00] Yeah. Well, it's a happy ending, I suppose. I mean, it's a well-earned win on behalf of the FBI and their partners around the world.
Joe Carrigan: [00:19:07] Yes. In this article, the FBI was - thanked the Romanian national police. They said they wouldn't have been able to do it without them.
Dave Bittner: [00:19:14] Yeah, it really is a global effort these days.
Joe Carrigan: [00:19:17] It is.
Dave Bittner: [00:19:17] Really interesting.
Joe Carrigan: [00:19:17] It has to be.
Dave Bittner: [00:19:17] Yeah, yeah.
Joe Carrigan: [00:19:18] Absolutely has to be 'cause if there's a noncooperative government, you're not going to catch the guys.
Dave Bittner: [00:19:23] All right. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:19:25] My pleasure.
Dave Bittner: [00:19:31] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And don't forget you can get the daily briefing as an Alexa flash briefing, too.
Dave Bittner: [00:19:41] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:52] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Rick Howard, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson (ph), Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.