The CyberWire Daily Podcast 10.17.18
Ep 706 | 10.17.18

Two ways of hacking the vote. BlackEnergy is active in Poland and Ukraine. ISIS and info ops. Hurricane-stressed utility further stressed by ransomware. Silicon Valley governance.

Transcript

Dave Bittner: [00:00:03] Election security and two ways of hacking the vote. DHS points out that the states are getting better about sharing election security information. ISIS sets the template for terrorist information operations. BlackEnergy is back in Poland and Ukraine with new GreyEnergy malware. Diplomatic targets are prospected in Central Asia. North Carolina, recovering from hurricane damage, also faces some ransomware. And Silicon Valley governance receives scrutiny.

Dave Bittner: [00:00:37] Time to take a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest research paper entitled "Building a Threat Intelligence Platform." ThreatConnect surveyed more than 350 cybersecurity decision-makers nationwide. Research findings include best practices and the impact of businesses due to threat intelligence programs, and how organizations who have fully mature programs have prevented phishing attacks, ransomware attacks and business email compromise. To check out the research paper, visit threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:59] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 17, 2018.

Dave Bittner: [00:02:10] Election security is much on people's minds as the US nears its midterm elections set for the beginning of November and the EU prepares for elections next year. The concerns are twofold. First, there's the prospect of election hacking proper, in which adversaries or partisans manipulate vote counts, disrupt polling or interfere with registration. Concerns about election hacking proper are serious, but it's not clear that this has, so far, in the US, at least, risen above the customary election background noise. That noise is the ward heeler corruption, ballots cast from cemeteries and the usual array of low-level sleaze one associates with machine politics. The typical forms such sleaze might take are, for example, voter fraud in the US - a red worry - or voter suppression in the US - a blue worry. And it's worth noting that both sides, in their public woofing, tend to deny that the things the opposition worries about actually happen.

Dave Bittner: [00:03:11] The second concern is perhaps more serious and less tractable - information operations by nation-states aimed at inducing mistrust and fissures in the countries they're targeting. This sort of activity - propaganda tuned for the internet age - is what outfits like the Internet Research Agency carry out. The Internet Research Agency, you'll recall, is the notorious St. Petersburg troll farm called out by Western investigators and intelligence services as behind a large number of fictitious online persona. It's also run by Russian intelligence services, although Moscow, of course, denies this. The threat of information operations is very real. It's been observed in the U.S. and Europe. And this is what principally worries the EU.

Dave Bittner: [00:03:57] The U.S. Department of Homeland Security yesterday downplayed the reported increase in threats to midterm elections. The Hill reports that Christopher Krebs, head of the department's National Protection and Programs Directorate, the NPPD, yesterday told a conference it's not an uptick in activity. Instead, he thinks that state and local election officials have gotten better at information sharing and about reporting the targeting of election systems, such as voter registration databases. In this, they've advanced considerably since the 2016 election. Krebs added, quote, "are we seeing an uptick? I don't know if we are. I think we're seeing a consistent and persistent level of activity," end quote. So an increase in reporting isn't necessarily correlated with an increase in the level of threat.

Dave Bittner: [00:04:45] The Department of Homeland Security also reminds everyone that the voting data security firm Anomali found in black markets is, for the most part, already public, as we noted in our discussion yesterday. That activity may well be ordinary criminal-to-criminal stuff, selling personal data to other crooks for use in committing identity theft or other forms of fraud. The prices reported don't seem particularly high, more in the mob soldier range than in intelligence services' budget lines.

Dave Bittner: [00:05:15] I spoke with New York Times cybersecurity and national security author Kim Zetter about election security. Her recent feature in The New York Times Magazine is titled "The Crisis of Election Security."

Kim Zetter: [00:05:27] Securing the machines is sort of the long - the long-haul way of addressing this. But you're never going to get a machine that's fully secure and not hackable. So what you have to do is you have to have a system in place that would help you know, in the first place, whether or not the software has been altered. And we don't have that right now. We don't have the ability to examine the software at all once it's on the machines because it's proprietary software, and the voting machine vendors have gone to court to prevent anyone from looking at their software. And we don't have sufficient audits in place that would compare, where we do have paper ballots, that would compare the paper ballot against the digital tallies to uncover discrepancies.

Kim Zetter: [00:06:15] So we've really been almost willfully resistant to engaging in methods that would actually tell us if there was a problem with our elections. And that's always been very curious to me - is there's almost - there's a sort of willful resistance to actually taking the steps needed to ensure the integrity of election outcomes.

Dave Bittner: [00:06:37] And what do you think's behind that? Why do you suppose that is?

Kim Zetter: [00:06:40] The voting machine vendors were very resistant and engaged in strong lobbying activities for many years to prevent even the paper trail from being added to paperless machines. It's always been very curious to me why they had such an interest in resisting that.

Kim Zetter: [00:06:58] But it wasn't just them. Election officials were really swayed by the voting machine vendors. They were really under the thrall of voting machine vendors for a long time and would follow their lead on many things. And so they sort of parroted the arguments from vendors that the paper trails would - it would be more expensive to install printers, that the printers would cause problems at the polls, just, you know, it would be inconvenient for disabled voters who couldn't see them - a lot of arguments against that. And election officials were, you know, sort of the driving - I guess the end stop, right? So if they decide that they don't want them, it's not going to happen.

Dave Bittner: [00:07:41] And a lot of that is because here in the United States, the elections are run at the state level.

Kim Zetter: [00:07:47] They are not just - no, there's actually - they're run at the county level. So the secretary of state, in many cases, is sort of the chief election official but doesn't really have a lot of involvement in the day-to-day running of elections. And elections don't just happen, you know, when you go to the polls. There's a lot of prep work and a lot of smaller elections that take place throughout the year that involve sort of ongoing activity. And the secretary of state will be involved in, let's say, setting procedures, maybe some protocol. But even that is sort of high-level. And they engage only when - in the past, only when there's been a problem.

Kim Zetter: [00:08:28] And so really, county officials, who are, for the most part, quite often not tech-savvy at all, are left - have been left to make these decisions on their own. And that's how the voting machine vendors have become so influential.

Dave Bittner: [00:08:44] That's Kim Zetter, longtime cybersecurity and national security reporter for The New York Times. She's also author of the book "Countdown to Zero Day." Our CyberWire Special Edition interview with her on election security is released today. You'll find that in your podcast feed.

Dave Bittner: [00:09:01] ESET warns that the threat actor behind BlackEnergy, involved in past attacks against sections of Ukraine's power grid, is back. This time, it's infected three energy and transport companies in Poland and Ukraine. ESET notes that the group has developed a new malware suite, GreyEnergy, and that it appears positioned for further campaigns. Reuters says that ESET doesn't call out a nation-state as responsible, but naming BlackEnergy associates the activity with the GRU. Others, notably Britain's GCHQ, have called out BlackEnergy, also known as Sandworm in FireEye's nomenclature, as an operation of the Russian military intelligence agency.

Dave Bittner: [00:09:45] There's also a reported spike in Russian activity, or at least activity by people who speak the Russian language, against diplomatic targets in Central Asia. ESET and Kaspersky tracked the campaign as DustSquad and Nomadic Octopus. This seems to be conventional espionage. A great deal of it seems to be concentrated in Kazakhstan.

Dave Bittner: [00:10:08] Onslow County, North Carolina, badly hit by this season's Atlantic hurricanes, has suffered a cyberattack that seems timed to kick the region while it's down and vulnerable. The Onslow Water and Sewer Authority, called ONWASA, disclosed Monday that it had been the victim of a ransomware attack that's crippled its systems. The attack was delivered by a phishing email carrying the Emotet Trojan. ONWASA compared the attack to the ransomware that hit the city of Atlanta, Ga., and Mecklenburg County, North Carolina. Until remediation is complete, ONWASA will use manual systems to recover from storm damage, deliver services and restore things to normal. The utility will not pay the ransom. Law enforcement authorities, including the FBI, are investigating.

Dave Bittner: [00:10:55] Facebook's recent data handling, content moderation and privacy issues today attracted a fresh set of furies. The state treasurers of Rhode Island, Illinois and Pennsylvania and the New York City comptroller announced that they're joining Trillium Asset Management's shareholder proposal to push Mark Zuckerberg out of his chairman's role at the company. It's not going to happen, if only because Mr. Zuckerberg controls most of Facebook's super voting shares, giving him the equivalent of 59 percent of the say in what goes on. But it's an indication that Facebook's governance and the governance of Silicon Valley companies generally will continue to receive close and not particularly friendly scrutiny.

Dave Bittner: [00:11:36] Facebook's former security chief Alex Stamos, from his new perch at Stanford University, has announced what he's calling the Stanford Internet Observatory. It will be designed to address issues of tech governance and policy in ways intended to ameliorate some of the negative effects technology is, by consensus, having on society at large. Of course, there are good effects, too. We don't want to lose the good with the bad.

Dave Bittner: [00:12:08] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

Dave Bittner: [00:13:08] And I'm pleased to be joined once again by Craig Williams. He's the director of Talus Outreach at Cisco. Craig, it's good to have you back. Today, we want to touch on FUD - fear, uncertainty and doubt. There is no shortage of this, particularly on the marketing side of things. And I know this is something that kind of gets your hackles up.

Craig Williams: [00:13:27] Absolutely. You know, for those of us who were lucky enough to be at DEFCON, you may have seen our live show where we discussed some specific examples of this. But if you weren't, we've all seen this unroll online, right? A security research team finds a bug. And then seemingly, all that data is taken from them by the marketing department, who climbs the Empire State Building and grabs onto it while waving down at the people, scaring them. And that's kind of what we see a lot of the time. And the problem with that is twofold.

Craig Williams: [00:13:56] No. 1, by unnecessarily spreading that fear, you cause people to misprioritize their response, right? It can be a severe security issue but not be a high priority, right? You can have a high severity exploit that's going to be very difficult to attack and very difficult to attack remotely. And that shouldn't be a high priority, obviously unless there's extenuating circumstances.

Dave Bittner: [00:14:17] Right.

Craig Williams: [00:14:18] And No. 2, when you do that, when you cry wolf every single time, people tune you out. And so you've got to try and maintain your credibility as a security research team and, you know, hold the reins a little bit and tell marketing calm down. And we're so lucky at Cisco that we work so well with our marketing team that we've been very successful at avoiding this because we want to make sure that we maintain that integrity, right? It's very similar to how we handle our threat intelligence. You know, when we go out, if we don't have all the answers, that's what we start the blog with, right? We don't have all the answers, but here's what we do have.

Craig Williams: [00:14:51] And so I think when it comes down to security marketing, that's a good way to approach it. Say, look. Here's an issue. Here's the facts about the issue. Is this important? And then give them the honest truth. Don't try and overhype it because, you know, at the end of the day, there are going to be high severity, high urgency issues. And the thing is you've got to help identify what those are and then use that to your advantage, right? If you want to go shout something from the rooftops, be patient. Something will come along. Something always does, right?

Craig Williams: [00:15:21] We remember from the last year or so - right? - we had - what was it? WannaCry, NotPetya inside of a 60-day window - definitely lots of stuff to talk about there. And then we had, just more recently, Olympic Destroyer. And so there are super-high severity cyberattacks, absolutely. But we've got to be sure that when we identify them, we're not just trying to spread fear or uncertainty or doubt because that's not helpful to anyone. And it actually hurts our users because they don't know how to properly respond and what priority to respond in.

Dave Bittner: [00:15:53] Yeah. And it seems to me like it also spreads confusion, which doesn't do the industry good as a whole.

Craig Williams: [00:16:00] Right. And it - I think in mainstream media reflects this, right? A lot of the time, they may not respond right away because they don't know if an issue's actually going to end up being super-high urgency.

Dave Bittner: [00:16:10] So how do you handle internally that communications process with the marketing team? Because, you know, you have different impulses than they do. They want to get out there and share the latest news, the thing that could, you know, lead to that big sale. Where do you meet in the middle on that?

Craig Williams: [00:16:28] It's a really good question. So our playbook is very similar to almost like an incident response team, right? We break threats down into different categories. And each category has a different priority. Each priority has a different set of marketing things that can happen, a different set of PR things that can happen. And so once we decide on where it hits from a severity or urgency perspective, we then can take out plans of action. We don't necessarily do all the plans all the time, right? Sometimes, we just do a couple of them. Sometimes, we do do all of them. It just depends on what the threat is and how it works.

Craig Williams: [00:17:00] But I think by making that playbook where you, you know, sketch out, here's our possible actions at this level, it helps people see and helps everyone stay on the same page. And I really think it helps your users as well because then they see consistent reporting. They see consistent actions taken. And they know when something's important because you've done something different, and you've done something rare.

Dave Bittner: [00:17:19] Right. Right. So when you do sound the alarm, they know you mean it.

Craig Williams: [00:17:23] Right. And, you know, we saw this again and again last year. And I - we're going to continue to see it, right? Cyber threats are not going to go away. And so I really hope that as companies find security issues, that they try and think about, is this something that's really going to be severe for the average user? Because, you know, like I said, you can have severe issues. But if they're so impossibly hard to exploit that the average user's never going to see them exploited, I think you owe it to the audience to make sure that they know that so that they can patch other issues that are more urgent.

Dave Bittner: [00:17:51] All right. Craig Williams, thanks for joining us. And that's the CyberWire. A quick personal note of thanks to my wife, Ilana. We are celebrating 25 years of marriage today. And I couldn't ask for a better partner. I love you, sweetie. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.

Dave Bittner: [00:18:16] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:18:34] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:18:42] We hope you'll check out the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I co-host that show with Joe Carrigan from the Johns Hopkins University Information Security Institute.

Dave Bittner: [00:19:01] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.