The CyberWire Daily Podcast 9.17.21
Ep 1420 | 9.17.21

Patch that password manager. The hidden hand of the troll farm. Election meddling. Coin-mining’s costs, and a crackdown in China. If you really loved me, you’d speculate in Dogecoin....or something.


Dave Bittner: Patch your Zoho software now - vulnerable instances are being actively exploited. Maximum engagement isn't necessarily good engagement. The hidden hand of the trolls replaces the invisible hand of the marketplace of ideas. Politics ain't beanbag, Russian edition. An indictment emerges from the U.S. investigation into possible misconduct during the 2016 elections. The costs of coin mining. Josh Ray from Accenture on protecting critical infrastructure. Our guest is Tony Pepper from Egress with a look at insider data breaches. And no matter how lonely you might get, don't mix investment advice with matters of the heart.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 17, 2021. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency has issued with the FBI and the Coast Guard a joint advisory warning that CVE-2021-40539, a vulnerability in Zoho's password manager and single sign-on solution ManageEngine ADSelfService Plus is, being actively exploited in the wild. Zoho fixed the bug on September 6, and CISA urges users to apply the patch as soon as possible. The software is of concern to CISA because it's used by critical infrastructure companies, U.S.-cleared defense contractors and academic institutions. Some of the active exploitation may be the work of nation-state espionage services. 

Dave Bittner: MIT Technology Review reports that Facebook's engagement maximization algorithms automatically pushed inflammatory, often false, troll-farmed content into American users' news feeds during the 2020 election season, reaching as many as 140 million individuals per month. An internal Facebook study concluded, quote, "instead of users choosing to receive content from these actors, it is our platform that is choosing to give these troll farms an enormous reach," end quote. The social network did seek to put guardrails in place to keep content from veering too far from some approximation of truth and normality. And it continued its work against coordinated inauthenticity, but its own algorithms were stacked against its better intentions. 

Dave Bittner: Russia is preparing for its own elections. While such gestures in the direction of democratic process have a whiff of kabuki about them, they can't be treated entirely with contempt. And even under the worst periods of communist power, state policy and leadership were often decently covered with the fig leaf of something more or less resembling elections. The current oligarchic regime is organized in such a fashion that elections have been given a certain indeterminate weight, but that doesn't mean the government is any more content to leave the outcome to chance than was, say, Alderman Fast Eddie Vrdolyak in Chicago's 10th Ward back in the '70s. United Russia - that's President Putin's party - has resorted to such familiar ward heeler-style tactics as busing supporters to the polls. 

Dave Bittner: No word on whether they've shown up with the equivalent of Thanksgiving turkeys as an inducement to continued support. But if they're talking to people in Chicago, the idea would have certainly occurred to them. The Atlantic Council and Foreign Policy both have overviews of some of the more creative get-out-the-vote tactics. Here's one - run some guys who look like the guy you want not to win. NPR has an interview with a candidate who's been the subject of such hostile campaigns interested in confusing voters. 


Charles Maynes: When it comes to Russia's elections, little surprises Boris Vishnevsky. 

Boris Vishnevsky: (Non-English language spoken). 

Charles Maynes: A veteran politician with the liberal Yabloko Party in St. Petersburg, he's seen all sorts of tricks over three decades in politics. And yet this caught his eye. Amid his current campaign for reelection to the city legislature, his two opponents are also named Boris Vishnevsky. 

Boris Vishnevsky: (Through interpreter) These people changed their names, legally, to mine just to stop me. This has never happened before. 

Charles Maynes: Neither has this - for their campaign posters, the imposters adopted Vishnevsky's, let's call it, signature look - a scraggly beard and receding hairline. The Russian internet finds that funny. Boris Vishnevsky does not. 

Boris Vishnevsky: (Through interpreter) It's not funny at all because people can really get mixed up. 

Dave Bittner: Listen to the whole thing at NPR. 

Dave Bittner: And so, Vladimir Vladimirovich, vote early and often. You can't be too sure. After all, Fast Eddie's candidate for mayor lost the Democratic primary in an upset back in 1979. Don't just vote for the bald guy with the scruffy beard, vote for the right bald guy with the scruffy beard. There's one than more dude answering that description. 

Dave Bittner: Talk of Russian election influence inevitably brings one's mind to the most recent U.S. presidential elections, those of 2016 and 2020. An indictment was filed yesterday involving activities in 2016. Special Counsel John Durham, tasked with investigating potential FBI misconduct during the election, has secured the indictment of Michael Sussman, a former federal prosecutor then working at the Democratic Party-connected law firm Perkins Coie who represented the FBI with information alleging connections between then-candidate Trump and a Russian bank, Alfa Bank. The charges of lying to the FBI when he, quote, "stated falsely that he was not acting on behalf of any client," end quote, which led the bureau to understand that, quote, "was conveying the allegations as a good citizen and not as an advocate for any client," end quote. The indictment alleges that Mr. Sussman was billing the time he spent on researching the matter to the Clinton campaign. He now faces one federal charge of making a false statement. 

Dave Bittner: If you were considering setting up an illegal cryptocurrency mining rig somewhere in China - not that you would, but just suppose - you might want to think twice. Bloomberg writes the Chinese police are increasing their enforcement of laws against illicit alt-coin mining, which is producing a noticeable drain on the country's electrical power. Many cryptocurrency miners evaded the law by representing themselves as data researchers or storage facilities. Chinese coin miners have recently held 46% of the global hash rate. People freelancing big coin mining rigs have been a problem in China for some time, and mining Bitcoin and other cryptocurrencies can be surprisingly profitable despite gobbling up electrical power. 

Dave Bittner: There was, for example, the principal of Puman Middle School out in Hunan province who was fired back in 2018 when he was found to have set up a big coining rig in a dormitory. He moved it there from his home because he was dismayed by how big his electric bill had gotten, so he was mining away on the school's dime. School officials noticed something fishy about slow network performance at the middle school, and they also saw the school's own power bills going up. At first, they put it down to heavy use of the air conditioning, but then found out that - what the hey - someone was mining Ethereum up there behind the acoustic tiles in the drop ceiling or wherever it was they had the rig cashed. Exit the principal. The assistant principal was also involved, but he got off with just a warning. Insofar as simple energy consumption is concerned, the most reliable estimates, like one by the Cambridge Centre for Alternative Finance, put the annual electrical budget of Bitcoin at about 110 terawatt-hours, which is about what it takes to keep the lights on for a year in Malaysia, say, or Sweden. We've found no comparable estimates for Ether, Dogecoin and the rest. 

Dave Bittner: But anyhoo, however you reckon it, it's not negligible. And so the Chinese authorities aren't necessarily blowing smoke about this being a problem. There are other costs to coin mining that impose externalities on the rest of us. The Guardian, citing a study in Resources, Conservation And Recycling, puts the average lifespan of crypto mining hardware at just 1.29 years and that the researchers estimate that the whole Bitcoin network currently cycles through 30.7 metric kilotonnes of equipment per year. This number is comparable to the amount of small IT and telecommunication equipment waste produced by a country like the Netherlands. While the Netherlands is a fairly neat and tidy place, that's still a lot of waste. 

Dave Bittner: And finally, let's not overlook the toll in hopes disappointed and unrequited love, either. The U.S. Federal Bureau of Investigation, experts in their own buttoned-down way in affairs of the heart, have issued a warning that alt-coin has found its way into romance scams. It all starts in the familiar way - an online contact progresses to an online friendship and then to an online romance. Once the mark is sufficiently starry-eyed, the scammer offers them an exclusive investment opportunity in cryptocurrency. The victim makes a small investment, makes a small profit and is even able to make a withdrawal. And then, of course, the victim is primed to trust honey with even more money. What follows can be easily predicted. So advice to the lovelorn - if they really loved you, they wouldn't offer investment tips. 

Dave Bittner: Tony Pepper is CEO and co-founder of Egress Software Technologies, where they recently surveyed 500 IT leaders and 3,000 employees in the U.S. and U.K. to put together their 2021 Insider Data Breach Survey. I checked in with Tony Pepper for some highlights. 

Tony Pepper: It really falls into three categories. So the first category is people getting hacked. So the first category is I am effectively tricked by a malicious external actor that's trying to make me do stuff that I don't believe is actually the right thing to do. Or maybe I'm communicating with someone I believe is trusted. So a classic phishing email would fall into that category. And that probably represents 73% of the incidents of insider that we surveyed. 

Tony Pepper: But I think you quite rightly picked up that human error is another one of those categories. I think everyone can appreciate - we've all made mistakes in our lives - and in particular when using tools like email and in particular stuff like Outlook autocomplete, where it kind of prompts us and almost double-guesses who we're trying to speak to. It's actually very, very easy to make a really easy error and send information to the wrong person accidentally. And again, that was the top cause of insider breach on the survey. Eighty-four percent of IT leaders said that they'd had a serious breach caused by human error. 

Tony Pepper: But there actually is a third category. And that category is data exfiltration. So that kind of falls under the banner of people breaking the rules. And these are people that maybe are either breaking them recklessly - so I'm sending information to a web mail account because I'd like to print off a document at home - or they are maliciously taking data, and they are sending it to a personal account to take that information with them when they go to that next role. So they're the core categories that fit out insider risk. 

Dave Bittner: What are your recommendations here based on the information you've gathered? I mean, how do we strike that balance between, you know, allowing folks to do the work they need to do but also keeping a good eye on things to maintain your security? 

Tony Pepper: You know, I think the recommendations are that - the reality is I think there's too much demonization within technology in the broader cybersecurity industry that it's people's fault. I think it's the responsibility of every organization on the planet to ultimately provide tools to help their employees do the right thing. Now, naturally, those tools will also catch those more malicious insiders, who may be knowingly doing the wrong thing. But actually, by and large, many of the insider breaches that we've seen that's covered in the survey are actually well-intentioned employees that are just purely either tricked externally or making a genuine mistake. So that relies on education. And I think there's a huge amount of work going on in the industry about helping people understand where the threats might come from. 

Tony Pepper: But it's also technology. You know, I think it's investing in technology that can offer guide rails to their employees to enable them to ultimately avoid making genuine mistakes or avoid being tricked by someone that's pretending that's someone that they think it is. So I think it's a combination of education and technology to try and get in front of this issue. 

Dave Bittner: That's Tony Pepper from Egress Software Technologies. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.  

Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He is managing director and global cyber defense lead at Accenture Security. Josh, it is always great to have you back. I wanted to touch base with you 'cause I know that recently you were one of the keynote speakers at the EDGE 2021 conference, and you've got some interesting stuff you wanted to share with us today about that experience. What can you describe for us? 

Josh Ray: Data was fantastic. And thanks for having me back on the show. To actually be in-person, to kind of create those relationships and reinforce those - reestablishing existing relationships was just so important, I think, and something that I think we all have missed. And it's key to solidify in that trust when you talk about trying to continuously drive innovation and, you know, move towards our collective mission success. The - one of the things that was actually really, I think, impactful were - a lot of the things that we talked about were, you know, creating those meaningful relationships between public and private sector in a way to create and achieve this notion of collective defense, right? So you know, what are those desired outcomes for both parties? What are some of the challenges and best ways to establish that trust? 

Josh Ray: One of the things that - you know, Sean Kaufman actually pointed out - and all of these guys have had - you know, whether it's Adam Lee from Dominion Power or Brian Harrell from Avangrid and Sean Kaufman from Discover - they've all kind of seen both sides of the coin, public and private sector. And Sean pointed out - and I'm paraphrasing here - but when you're talking about sharing information with the public sector, can sharing too much information put an organization like his in this notion of kind of regulatory purgatory? But he kind of went on to speak about - you know, had Colonial, for instance, been a physical attack or any of these, you know, ransomware or Nation-State attacks been physical in nature, we would have seen the full strength of the federal government kind of being brought to bear. 

Dave Bittner: Right. 

Josh Ray: And, you know, he fights his fight. And so many of my clients fight this fight on a day-to-day basis, investing tremendous amount of resources and money to defend shareholder value, intellectual property, you know, everything that you can think of there. And it's needed. But one of the things that Sean really kind of pointed out was that we also need that same level of deterrence from a cyber standpoint that really only the federal government can bring to bear if we really hope to level the playing field against some of our cyber adversaries. 

Dave Bittner: Is there an ongoing sense of, I don't know, fuzziness as to who's responsible for what when it comes to this stuff? You know, how much of this responsibility falls on the private sector? How much should the public sector, the - even the military, take responsibility for? 

Josh Ray: Yeah, I - you know, we talked a little bit about, you know, roles and responsibilities and spoke quite a bit about kind of moving past really this compliance-based, you know, security model and much more towards this kind of risk and intelligence-based security - resilient security approach. And I think when you're talking about kind of who has responsibility in that world, it's really on the organizations to kind of, you know, pull themselves up by their bootstraps. And, you know, one of the things that Adam Lee kind of pointed out and, I think, you know, really articulated well is that this notion of compliance is not security. It's a baseline, right? 

Josh Ray: But you know, organizations really need to kind of get to be nimble in order to secure your business against a variety of the types of adversaries that, you know, most of my clients face, especially Adam. They really need to be nimble - right? - and be able to kind of approach this through the lens of risk and not purely compliance. Because if you're just looking at it from a compliance checkbox, you're not going to account for all of those - the variety of different types of risks here you're going to face. And your program is not going to be nimble enough to really protect that shareholder value. 

Dave Bittner: You know, you mentioned trust, and I'm curious what the opinions were of your fellow folks there on the panel at the conference when it comes to the future of that, establishing that trust in a more than just lip service between the private and public sectors. 

Josh Ray: Dave, what we saw, really, with the attendees - and each one of them having kind of that dual-hatted public and private sector experience, and, you know, I've experienced it myself, right? - is those relationships are best created when you've kind of been there and done that, right? And what I mean by that is you have to be able to understand that this is a shared success model, and each one of the - you know, whether it's public or private sector, needs to be able to feel like they're getting something out of that relationship. And the mission has to operate at that speed of trust, right? So you can't - there's really no room for kind of ambiguity or distrust when you're trying to be, you know, operational to respond to a variety of different types of threats. 

Josh Ray: So, you know, a great example was, you know, Brian Harrell, in his CISA role, worked very closely with Adam when, you know - in his current Dominion role. And that trust has now transferred over to Brian's current role at AVANGRID. And you see that, you know, there's a much tighter collaboration between those two organizations as they kind of have that - again, that shared success model. But, you know, when you have leaks that get out, when organizations share information with the public sector, I mean, these are all things that, you know, continuously erode trust. Or when public - or private organizations don't protect information that's been given to them, you know, these are all things that kind of degrade that ability to, you know, to have that collective defense and that shared trust model. 

Dave Bittner: Yeah, it's interesting, and it really swings back around to what you were saying at the outset, which is the importance of being able to get together face-to-face and actually talk about these things. 

Josh Ray: Absolutely. And, you know, I loved one of the quotes that, you know, that Brian had is, you know, let's protect pencils like pencils and diamonds like diamonds, right? And it really speaks to the fact that, you know, we need to be thinking about what's on the horizon and what's next. And those are - that's difficult to do in a virtual session, right? So - and he was right on the money when he talked about allocating the right level of resources to kind of think about kind of, you know, what's coming next? What's that emerging threat? You know, employing people and expending those resources - that folks that really are thinking about all the different avenues of attack into your organization and thinking much bigger than kind of just being consumed, you know, with the monster at the moment. And getting out of your day-to-day, getting to a conference or getting to kind of information-sharing groups, even if they're local, is just a great way to kind of extend your ability to have influence in the community, create those relationships and really, I think, make a big difference in our collective ability to defend ourselves against threats that are just going to continuously evolve and become much more capable in nature. 

Dave Bittner: All right. Well, Josh Ray, thanks for joining us. 

Josh Ray: Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Be sure to tune in to this weekend's "Research Saturday" and my conversation with Jake Valletta from Mandiant and FireEye. We're discussing the vulnerabilities found in IoT devices that use ThroughTek Kalay networks. That's Research Saturday. Check it out. 

Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.