The CyberWire Daily Podcast 10.30.18
Ep 715 | 10.30.18

This cybersecurity stuff is tougher than it looks, US state election officials learn. Saudi surveillance. Espionage in Iran. New attack varieties. Chinese hardware concerns. US sanctions chipmaker.

Transcript

Dave Bittner: [00:00:03] Installing cybersecurity tools to protect elections is tougher than it looks. Information operations continue to pose the most prominent foreign threat to U.S. midterm elections, although there are concerns about voting machine security. CoinTracker looks like a trader's tool with a side order of malware. Video embedded in Microsoft Word documents can carry malicious payloads through detection systems. We've got some hardware worries and sanctions and competing visions of norms in cyberspace.

Dave Bittner: [00:00:39] Now a moment to tell you about our sponsor, ObserveIT. It's 2018. Traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:46] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 30, 2018. Here's a challenge most corporate CISO's will find has a familiar ring, but U.S. state election officials seem to be encountering it as a novelty. They're gratified by offers of free security tools from cybersecurity companies, but as many CISO's would authenticate, they're finding those tools confusing and, in many cases, beyond their ability to use. The companies and the tools they're offering are well-known and quite reputable, so this isn't a case of snake oil peddlers passing out loss leaders in Hicksville. CyberScoop and ZDNet note the companies who've made the offers - and their names you'll recognize and may well use yourself - McAfee, CloudFlare, Jigsaw, which is a Google offering, Synack, Akamai, Cylance, Centrify, Microsoft, Valimail, Facebook, Symantec, NETSCOUT and 1Password. And this is by no means a complete list. We think from what we've seen that while of course companies want to showcase their products and solutions, there's a genuinely public-spirited impulse behind a good many of their offers. There are some concerns about the technical security of the voting infrastructure - worries about hacking proper. There have been complaints of glitchy voting machines in Texas, for example, and there's a certain climate of uneasiness, according to The Washington Post, surrounding the companies that produce the tools used at the polling places. The Post notes that three companies - ESNS, Dominion Voting Systems and Hart InterCivic - supply and service about 90 percent of the country's voting machines and that their security could do with an outside look. The companies themselves say concerns are overblown.

Dave Bittner: [00:03:32] But at least with respect to the U.S. midterm elections, most of the foreign cyber operations observed continue to be influence operations conducted over social media by bots and sock puppets. Their activities are opportunistic and inflammatory. They're not so much interested in any particular electoral outcomes as they are in inducing mistrust along pre-existing fissures of the targeted societies. Their messaging, therefore, is negative, destructive, not aimed at pushing any particular worldview but rather at demolishing such worldviews as may conduce to healthy civil society. So the challenge is so far mostly one of information operations, and in this regard, Russia especially is seen as playing a weak hand very effectively. It will be interesting to learn how U.S. Cyber Command's troll hunting has been proceeding once that history can be told. In the meantime, good hunting to everyone at Fort Meade.

Dave Bittner: [00:04:28] The problems of election influence are, to a significant extent, problems for the private sector. Facebook in particular has been working not so much on viewpoint censorship or content moderation as it has on identifying and expunging what it calls coordinated inauthenticity - finding bots and bogus accounts and booting them off its platform. The same has been true to a markedly lesser but still discernible extent of Twitter. The approach seems promising because it seems to offer some promise of success without doing violence to freedom of speech or association and since bots, not being even artificial persons, enjoy no natural or legal rights. There are, however, signs of a growing appetite for censorship, a tendency against which organizations like the Electronic Frontier Foundation have for some time cautioned against.

Dave Bittner: [00:05:18] Iranian officials say President Rouhani's phone was recently compromised and would be replaced. Their announcement was terse and offered neither details nor attribution, but the AP notes that the greater and lesser Satans, operating from their respective hells of Washington and Tel Aviv, are the usual suspects in Tehran when it comes to Iranian suspicions of espionage. As the controversy over the murder of Saudi journalist Jamal Khashoggi continues and with it concerns about Saudi policy toward dissenters generally, Motherboard describes the apparent role played by Saudi al-Qahtani, aka Mr. Hashtag, a close adviser to Saudi Crown Prince Mohammed bin Salman, in obtaining surveillance software from Milan-based HackingTeam. Saudi Arabia has been interested in acquiring lawful intercept tools - as such things are called in the market - not only from Italy's HackingTeam but from elsewhere as well. The Jerusalem Post describes the Saudis' surprising willingness to purchase other espionage tools from Israeli sources. They put the kingdom's purchases at $250 million.

Dave Bittner: [00:06:26] There's a popular notion that cybersecurity is suffering from a skills gap with a lack of qualified, properly trained professionals to fill available positions. Rahul Kashyap is CEO at Awake Security, and solving this problem is of particular interest to him.

Rahul Kashyap: [00:06:42] I've been thinking about this in many places. You know, I've been a (unintelligible) and entrepreneur in the world of cybersecurity. I've been doing - I've built several technologies. So there is one part where you can look at solving the problem by building intelligence solutions. The other aspect is, how do you really look at solving the people problem? Because there aren't enough people, and that is something you have to have a long-term vision and a strategy ready - and, you know, how can you inspire people and have people consider cybersecurity as a lucrative career opportunity and an option, right? So yeah, so I've been focused on both of those aspects. At a personal level, I've been looking at - we know - after doing some analysis, I have found that most of the fresh people coming in the industry, they kind of make decisions or try to form decisions about their career when they are in their high school time frame.

Dave Bittner: [00:07:44] And what kind of opportunities do you find yourself having there? Are the high schools open to this sort of thing?

Rahul Kashyap: [00:07:50] So I actually signed up with a group called Skillify. It's a mentorship program. I think it covers the entire LA - all the school districts in LA region. It's a pretty big pool of schools. So I've been using that program. Now and then - whenever I get an opportunity (unintelligible) with a high school kid who's interested to know more about cybersecurity, so I've been using that pretty actively to build out and kind of have as much - reach out to students as much as I possibly can.

Dave Bittner: [00:08:23] Now, when you interact with students who are in their high school years, what's the situation there? Do you find that they have any common misperceptions when it comes to careers in cybersecurity?

Rahul Kashyap: [00:08:34] Oh, yes. I mean, it actually varies across the board, you know? So most of the kids I know whom I talked to are looking at cybersecurity because they are pretty much, I would say, influenced by Hollywood, if I may. So they think of this as, you know - as a cool area to look at and they have a perception about - which very Hollywood-style-esque (ph) from what I have seen. In some sense, cybersecurity is definitely a very exciting, fast-paced, fast-moving and a very high-impact job, as well. But at the same time, there's a lot of work and lot of, you know, expertise that you need behind the scenes to really become a top-notch cybersecurity professional.

Dave Bittner: [00:09:17] Now, what about this notion of the industry reaching out to people from different disciplines? We've heard of companies looking towards people who've studied music - you know, outside of the normal computer science pipeline.

Rahul Kashyap: [00:09:31] Yes. In fact, I have personally worked with several folks who have had no cyber, who have had no science background, no computer skills and who have done extremely well in cybersecurity, right? So it's a skill, and a skill can be acquired. You just need to be willing to acquire the skill and to be interested in that domain, right? So I kind of tell everybody that you have to come with an open mind. You don't really necessarily have to be, you know, an - a top-notch student doing - having A - almost A grades all the time to be a top-notch cybersecurity professional, right? There are specific skills, you know, specific mindset you need to develop when it comes to cybersecurity. And if you can incubate and build that, you can really move fast up the ladders and build a good career for yourself.

Dave Bittner: [00:10:24] That's Rahul Kashyap from Awake Security.

Dave Bittner: [00:10:28] Malwarebytes warns that a Mac app, CoinTicker, installs keyloggers and back doors along with its handy altcoin price tracker. It looks like a legitimate app, but to install CoinTicker is to invite nemesis into your digital life. It's an interesting bit of cryptocurrency-themed malware. Instead of directly seeking to loot people's wallets, it exploits their enthusiasm for cryptocurrency to induce them to swallow the bait of a trader's ticker.

Dave Bittner: [00:10:56] Researchers at Cymulate demonstrate a way of infecting Word documents by introducing malicious code into embedded video. The attack evades common forms of detection. There are two more bits of concern about Chinese hardware. The director of the Australian Signals Directorate warns that using high-risk Chinese telecom devices poses a threat to water and power infrastructure. The devices of concern are principally Huawei and ZTE equipment. And in the U.S., the Department of Commerce has banned U.S. companies from doing business with Chinese chipmaker Fujian Jinhua Integrated Circuit. The grounds for the ban are that the company poses a risk to national security in so far as it's deemed likely to cooperate with the Chinese government in activities contrary to the legitimate interests of the United States. It's striking that the ban that's expected to deal Fujian a severe blow is a ban on selling to them, not buying from them. In this, it resembles the earlier, now-relaxed sanctions that did so much damage to ZTE earlier this year. Finally, Russia and the U.S. have offered the UN predictively competing proposals for international norms of conduct in cyberspace, the former favored by authoritarians, the other by liberal democracies.

Dave Bittner: [00:12:20] It's time to tell you about our sponsor, ManTech. The cyber threat is growing, but so is the cyber talent gap. By 2019, ISACA predicts a 2 million global shortage of skilled professionals to meet demands. ManTech has the answer. They've been designing, building and staffing Department of Defense cyber ranges for more than 10 years. With ManTech's Advanced Cyber Range Environment, or ACRE, organizations of any size can develop their own core of cyber professionals. ACRE uses more than a dozen proprietary tools, techniques and processes to emulate any network environment, regardless of size or complexity. Train, evaluate tools, conduct security architecture testing and undergo live-fire exercises on an exact replica of your own network environment, and do it with instructors who understand both offensive and defensive cyber. ManTech helps you think like your adversary and outmaneuver them. This is Advantage ManTech (ph). See how ManTech can work to your advantage. Go to mantech.com/cyber today. That's mantech.com/cyber. And we thank ManTech for sponsoring our show.

Dave Bittner: [00:13:40] And I'm pleased to be joined once again by Robert M. Lee. He's the CEO at Dragos. Rob, it's great to have you back. I want to sort of get a reality check here when it comes to EMPs, electromagnetic pulses. This is one of those things that comes up from time to time as being one of the great threats to the power grid, our nation, everything (laughter). And so I figured, let's check in. And what's the reality here? First of all, what are we talking about?

Robert M Lee: [00:14:08] Yeah, I hope you're ready for, like, your email and comments section on this one to blow up. EMP - the idea is that - and usually - I mean, there's a lot of things that create EMP. But the idea and the scenario that's often purported is that a state power will use a nuclear weapon and detonate it at a certain, you know, height above the United States. And the EMP from that warhead or that ICBM that has that capability will be able to knock out significant portions of the electric power grid and other aspects of our daily life - or solar flares. And so there's science to the - sort of the EMP discussion. And aspects of solar flares and EMP - like, it's very much considered. And in fact, the Department of Energy has done studies before and go, you know what? There's some things we should do. And so you have to use certain levels of shielding and electric wiring, and, you know, power grid operators are fairly well-aware of what they need to do from, like, shielding perspectives. And they do it, and I think that's the - the thing that doesn't get represented well is - it's not the electric community is like, EMPs don't exist.

Robert M Lee: [00:15:16] No, we fully understand that there is such a thing as EMPs, and there are natural scenarios that can occur, and so shielding is important. It's usually an argument of what type of scenarios and how much shielding and what type of protections may be put in place that gets a little spun out of control. And when you're talking about detonating a nuclear weapon above, you know, any major city or portion of the United States, that's where the science goes off the rails a little bit. There's some variables that - not fully well-understood and I think some people extending the conversation a little bit further than it probably should be. And it also then comes down to, like, the scenarios of, OK, so you're telling me that Russia or North Korea or China or - they're going to launch a nuclear weapon at us, but they're not going to actually try to hit us. They're going to just aim a little high and hope that it actually works. And, you know, I mean, there's so many different aspects. You can go down sort of the science discussion, or you can go down the doesn't-even-make-sense irrational theory kind of discussion (ph).

Robert M Lee: [00:16:16] I mean, there's a lot of elements to this, but here's what I think is the important thing for everyone to take away - is, one, EMP and shielding from electromagnetic pulses of any type has been done with electric grid operators to a level that the Department of Energy and the U.S. government have found successful and appropriate. The extra level and the idea that we're going to build, like, shielding containers around transmission (inaudible) thing - there's no proof that we actually should. It sounds, actually - like, everything points to it being extremely far-fetched. So it's not like we're just lacking proof. It actually points to the other direction of, this doesn't seem sound at all, and it comes at an inordinate expense. And what makes it even more difficult is the conversation's been - sort of extends to be a little bit misleading.

Robert M Lee: [00:17:11] And it's very difficult to, like - there's very smart people on this discussion, so I try not to just throw people under the bus. But it gets to a point of being misleading, where to have the EMP discussion, it almost gets hidden inside of other discussions. And I have myself have found myself in a situation where I'll be asked to go present at, you know, Congress and to the staffers, and they say it's a cybersecurity event. I'm like, OK, and I go to, like, speak on cyber. And it turns out, it's an EMP event, but they couldn't get anybody to show up, so they asked me to come speak on cyber so people would show up, and then they tell us it's all about EMP (ph). Or I give a quote to, you know, a reporter who's asking questions about cyberattacks, and I have a nuanced take on, yeah, you know, cyberattacks are real, and there's real threats to infrastructure, but - and our infrastructure's actually pretty reliable, and here's, like, the balance between it. And then they cut off all of my nuance, and they just capture the cyberattacks-are-real and, you know, grid's-going-down portions of the quote, and then they tack it onto EMP stories. And what I've found is if you're - in any walk of life, if the position you're taking isn't sound and well-founded on its own, and you have to sort of bait people into it with other topics or misrepresent people's quotes to sort of tell a story, I'm less likely to be empathetic with the story you're trying to tell. And I think others should be very careful in a lot of the EMP discussion.

Dave Bittner: [00:18:35] Rob Lee, thanks for joining us. And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. Find out how Cylance can help protect you using artificial intelligence. Visit cylance.com. And Cylance is not just a sponsor; we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.