The CyberWire Daily Podcast 11.2.18
Ep 718 | 11.2.18

Cyber Sitzkrieg. Waiting for the Bears to show up (and ready to set the Dogs on them). Facebook private messages for sale.

Transcript

Dave Bittner: [00:00:03:19] Was that lull in Chinese cyber operations just a strategic pause? Huawei's on a charm offensive. People are seeing plenty of Russian trolling, but election hacking proper continues to be quiet. US Cyber Command is said to be ready to respond to any election cyber attacks swiftly and in kind. Later in the show we've got my conversation with Shannon Morse from Hak5 and, if you want to hear what people think about 80's techno pop, a dark web market will sell you the relevant Facebook messages for just one thin dime apiece.

Dave Bittner: [00:00:43:07] Now a moment to tell you about our sponsor, ObserveIT. It's 2018 - traditional data loss prevention tools aren't cutting it anymore, they're too difficult to deploy, too time consuming to maintain and too heavy on the end point. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire, and we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:47:05] Major funding for the CyberWire Podcast is provided by Cylance.   From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 2nd, 2018.

Dave Bittner: [00:01:59:11] The lull in Chinese cyberattacks during the previous US administration, and the early days of the current one, appears to have amounted to a phony peace, a Sitzkrieg, if you will. Carbon Black's recent quarterly threat report has led some to conclude that the lull was a period of learning and development during which the PLA and the Ministry of State Security took lessons from Russian operations. Now it seems, as Ars Technica puts it, Beijing has taken the gloves off.

Dave Bittner: [00:02:28:19] Much of the Chinese cyber offense still seems directed at industrial espionage, as recent US indictments of some of their operators would indicate, but increased tensions over trade and over Chinese attempts to encroach on international waters in the South China sea, raise the probability of other uses of cyberattack. The Five Eyes generally remain suspicious of Chinese hardware manufacturers, with a particularly hard scowl being directed from the Australian and American Eyes. Huawei is continuing its charm offensive, seeking to reassure leaders in Canada and Australia that they've got nothing to fear, security wise, from letting Huawei hardware into their 5G network buildouts.

Dave Bittner: [00:03:13:03] There may be a partial explanation for terse warnings of cyberattacks targeting Iran. Bleeping Computer says, based in part on reporting by Israeli outlet Hadashot, that Iranian infrastructure has recently been afflicted with a Stuxnet-like strain of malware. Evidence remains thin, so these reports must be regarded as preliminary, especially given the infections that have been named, which seem more like spyware incidents as opposed to ICS malware installations.

Dave Bittner: [00:03:44:07] Turning to the US midterm elections, people are noticing the readiness of voters to swallow fake emails and catphishy profiles. What's surprising about this is the surprise, as if everyone thought that the electorate was critical and sophisticated in the ways of persuasion, as if no one had ever heard of P.T. Barnum's observations on the birth rate of suckers. It's one per minute, in case you've forgotten. Trolling aside, and there's been no shortage of that, observers are wondering where the Russians are in the US midterm elections. The Bears have been relatively quiet, which leads nervous commentators to breathlessly predict a big surprise for next Tuesday's voting.

Dave Bittner: [00:04:25:10] Among the scarier speculations are corruption or denial of service attacks on voter registration databases, that would effectively, turn people away from their polling places, or even a takedown of significant portions of a power grid that would also disrupt the election. US Cyber Command seems to be ready to retaliate in kind against any election day cyberattacks. National Security Advisor Bolton said this week that any such retaliation would be short of war, but what those restraints might amount to in practice is difficult to say.

Dave Bittner: [00:04:59:11] Russian information operations may have been more effective at home than abroad. Apparently conventional wisdom among Russians is that the US will experience a second Civil War by 2020. Celebrities and businesses sometimes come to take too much stock in their own press releases. The same might happen with trolling and statecraft, too. Foreign affairs are influenced by wishful thinking more than one might like to think, and authoritarian societies that strive to control information seem paradoxically more susceptible to this sort of fantasy blowing back at them.

Dave Bittner: [00:05:35:11] The BBC reports that tens of thousands of Facebook private messages, many from accounts based in Russia or Ukraine, are now for sale on the dark web. The proprietors of this particular market contacted the BBC to boast, or to advertise, their possession of data from some 120 million Facebook accounts. That number seems suspiciously high, and has met with cautious skepticism, but the BBC did have security firm, Digital Shadows, examine part of the take, and confirmed that 81,000 of the accounts did appear to be genuine.

Dave Bittner: [00:06:11:02] A crook with the hacker name, FBSaler - he probably meant to call himself FBSeller, but spelling is hard - described the offering as follows, "We sell personal information of Facebook users. Our database includes 120 million accounts." The wares went up in the online market back in September. The hackers, who've taken down their page since drawing attention to themselves, were offering the accounts for ten cents a pop. As we've noted, most of the compromised data belonged to users in Russia and Ukraine, but there have been a few victims in the US, the UK, Brazil, and some other countries as well.

Dave Bittner: [00:06:48:23] Some of the private messages are intimate or embarrassing, but a lot of them seem pretty anodyne, hardly worth the couple of nickels the hoods are charging. Examples the BBC mentions include vacation photos (possibly embarrassing), chit-chat about a Depeche Mode concert (sure to be embarrassing), and complaints about a son in law, (arguably better kept quiet, but hardly surprising, we're pretty sure Anatoly and Sergei already know what Tanya's and Sonya's moms think of them).

Dave Bittner: [00:07:17:02] Facebook says it hasn't been compromised, and that they think rogue browser extensions were the source of the data loss. It's contacted the browser vendors and asked them to boot the bad extensions from their stores. The BBC's consultants think this is a criminal operation, not something run by the Russian intelligence services. That's certainly how it looks. One of the crooks' websites, established in, where else, St. Petersburg, had an IP address that the Cybercrime Tracker service says has been used to distribute the LokiBot credential stealing Trojan.

Dave Bittner: [00:07:51:04] But a few words to the wise, watch your browser extensions, also watch your virtual tongue. Would you like your thoughts about that recalcitrant, probably dope-sodden, layabout son-in-law to be on the front page of the Washington Post, or worse yet, splashed all over Reddit? We speak purely hypothetically, of course, since Chad, Lamar, and Randy are no doubt swell guys. But it does make one think, doesn't it?

Dave Bittner: [00:08:22:12] It's time to tell you about our sponsor, ManTech. The cyber threat is growing and so is the cyber talent gap. By 2019, ISACA predicts a two million global shortage of skilled professionals to meet demands. ManTech has the answer. They've been designing, building and staffing Department of Defense cyber ranges for more than ten years.

Dave Bittner: [00:08:43:24] With ManTech's advanced cyber range environment, or ACRE, organizations of any size can develop their own core of cyber professionals. ACRE uses more than a dozen proprietary tools, techniques and processes to emulate any network environment, regardless of size or complexity. Train, evaluate tools, conduct security architecture testing, and undergo live fire exercises, on an exact replica of your own network environment and do it with instructors who understand both offensive and defensive cyber. ManTech helps you think like your adversary and out maneuver them. This is advantage ManTech.

Dave Bittner: [00:09:23:17] See how ManTech can work to your advantage. Go to ManTech.com/cyber today, and we thank ManTech for sponsoring our show.

Dave Bittner: [00:09:45:18] And joining me once again, is Malek Ben Salem - she's the senior research and development manager for security at Accenture Labs. Malek, welcome back. Here in the US we are coming up on our midterm elections - it'll be here before we know it - and there's been talk about using blockchain for election security. Bring us up to date here, what do we need to know?

Malek Ben Salem: [00:10:06:04] There's been discussion about voter fraud in elections and the need to reduce that or the need to make sure that everybody who can vote, is able to vote. We need to increase the number of people who can actively vote and one approach to do that is the use of online voting. We know that online voting is not very secure so there's been discussion about how we can leverage blockchain technologies to provide some of the benefits that online voting can bring, while ensuring that there is enough security, and that the integrity of the elections is preserved.

Malek Ben Salem: [00:10:48:10] However, I think it's important to know that some of the main benefits of blockchain technology, namely that it's basically distributed ledger, that those unique characteristics also, in some cases, are the roadblocks to adopting that technology for elections. So, for instance, if we talk about the authentication of users, or, the authentication of voters in a Bitcoins blockchain, the typical way of using it is to generate a public address, where that acts as a deposit-only account number, and then you have a secret digital key that you can use to send Bitcoins over.

Malek Ben Salem: [00:11:39:08] If you're dealing with a government election, that ability to have voters create their own addresses should not be there, because you want to make sure that State and local authorities, manage the lists of eligible voters. If you committed a felony in certain States, you're not allowed to vote for a certain period of time, so there is a need for some central authority to manage that list of eligible voters. This does not make use of that main property of blockchain as a distributed ledger where everything is completely distributed where every person can join the blockchain, create their own key and, and be able to transact.

Malek Ben Salem: [00:12:30:21] We know West Virginia, for instance, has experimented with this but again, it's not the classical blockchain technology but it's a modified blockchain-based platform. The set of users that were used in this case study, were using biometrics to authenticate through their mobile phones, in order to join that blockchain-based platform. I think blockchain brings certain properties and components that may be very useful for conducting online elections, but certainly, the technology is still not that mature and it will not be the way we know Bitcoin blockchain, but it will be certainly a modified version of it, where a lot of the authentication and the identities are handled off the chain.

Dave Bittner: [00:13:21:23] It's interesting, too, because of the way elections are handled here in the US where they're headed up by the states. It seems to me like that provides an opportunity for miniature labs, for the states to experiment with things on a smaller level and, and see if they work and, if they do, other States can follow their lead.

Malek Ben Salem: [00:13:43:23] Exactly, before we move onto a nationwide election.

Dave Bittner: [00:13:50:14] Alright, well as always, Malek Ben Salem, thanks for joining us.

Dave Bittner: [00:13:59:06] And now a word from our sponsor, Edgewise. If you've been following cybersecurity news in the past year, you've probably heard the phrase, zero trust security, more than once. The TLDR of zero trust, is to never trust and always verify, every connection in your environment. That all may sound well and good, but the next questions are how, why and where to begin? If you're in search of a guide to help you get from zero to zero trust, Edgewise networks has you covered. They recently published Zero Trust Security for Dummies, to help organizations like yours understand what zero trust security is and how it can prevent breaches in your cloud or data center. Zero Trust Security for Dummies has the answers to all your zero trust questions and the book is available for free - you can download it at edgewise.net/cyberwire. And we thank Edgewise for sponsoring our show.

Dave Bittner: [00:15:06:05] My guest today is Shannon Morse. She's a host and producer at Hak5.org, famous for their popular YouTube channel, podcasts, pen-testing gear and immersive infosec training. They've built an impressive community of professionals, students and hobbyists, with a contagious enthusiasm for hacking, security, and all things tech.

Shannon Morse: [00:15:27:24] I started off really getting interested in computers because I used to build my own computers as a kid and I was also obsessed with theater as well. So, when I got into college, podcasting did not exist, cybersecurity was still a very budding industry - it wasn't even a very large industry when I was in college so, I went into a completely different media. After college, I made friends with the Hak5 crew, and I didn't have any career path plans at the time and, Hak5 was just getting started, and they asked me to join them in Virginia, so I did, and at some point or another, they said, "Do you wanna try to host a segment?" so I did. It was a terrible segment - it was reviewing an open-source video game, but they liked it, they thought that it was really cool, even though I was super awkward on camera but, over time, I've really developed a passion for it.

Shannon Morse: [00:16:22:12] So, I'm completely self taught in cybersecurity, information security and hacking and making and I just fell in love with it. It took my love of theater and my love of building computers, and allowed me to share it with more than just myself and more than just a small job. I was able to share it with a multitude of people that subscribe to our channel now.

Dave Bittner: [00:16:45:07] What are the things that you cover over on Hak5?

Shannon Morse: [00:16:48:17] So, Hak5, specifically covers information security for professionals and for budding hackers - people that are interested in cybersecurity but aren't really sure where to start. We focus on a slew of different playlists that, kind of, introduce the information to young budding professionals. For example, I've done videos about Linux Terminal hacking, so I've done a lot of command line interface information, I've done Wireshark tutorials and map, and all sorts of different software tutorials.

Shannon Morse: [00:17:27:00] We also focus a lot on hardware hacks too. We've built our own products that a lot of professionals use in cybersecurity now, that are even listed in MIST which is pretty awesome and we're pretty proud of that. But we've been doing podcasts and selling products online for about 13 years now. The store started up in 2008, however, the podcast has been around since 2005. It's a cool job, I would not be lying if I said that it's my dream job. So, I'm totally happy and really grateful to everybody that watches it, because I'm able to live a dream job right now.

Dave Bittner: [00:18:06:19] Good for you. You and I met recently for the first time, out in Las Vegas at Black Hat this year - you were one of the key note presenters at the Diana Initiative. What drew you to that? Why did you think it was important to present there?

Shannon Morse: [00:18:22:11] The main reason that I wanted to do that is because the longer that I've been a part of this community, not just in the convention aspects or the YouTube aspects, but the community for information security as a whole. I've noticed that there's a lot of women in the industry but a lot of them don't really necessarily have a voice. There's a few of us out there, you know - there's me, there's Kate, there's hacks4pancakes, who share a lot of our opinions and things on Twitter, and we do a lot of talks but, there's a lot of young women who are students, who are young professionals, who haven't necessarily ever given a talk. They don't have a big voice online, like on Twitter or on YouTube and they're just trying to start their young professional lives. So, having Diana Initiative was really nice because it's informing people that there needs to be more diversity in cybersecurity. From 2017, women make up roughly 11 or 13% of the industry total, which is terrible.

Shannon Morse: [00:19:27:21] So, I was trying to go there and introduce more people to cybersecurity especially for the minorities out there - not just women but, you know, people of color and people that are not necessarily white males. No offense, Dave!

Dave Bittner: [00:19:45:16] That's okay, none taken.

Shannon Morse: [00:19:48:10] So, and I would love to see that too. I've worked in several different office bases up 'til now, I've worked at a bank, I've worked at a lot of restaurants etc, etc, and I've noticed that we grow a lot as an industry, no matter what that industry is, when you have a whole bunch of different people in there giving out-of-the-box ideas and they're able to share their experiences. If you close yourself off to a very specific type of person, then you limit your ability to grow as a business. So, not only is it really good to have women there, just for myself, selfishly, but also for a business, because you can be highly profitable when you make your business more diverse.

Dave Bittner: [00:20:33:20] I was lucky enough to be there when you were giving your presentation and enjoyed it very much. One of the things that you pointed out was that sometimes, by being in the public eye, by being front and center, that made you the target of some unwelcome attention.

Shannon Morse: [00:20:48:19] Oh, absolutely, yes. [LAUGHS] One thing I learned early on when I was doing video shows on YouTube is that people definitely share their opinions in the comments, and people will share their opinions over email or Twitter -wherever they can find you - and those opinions will not necessarily be constructive. Sometimes they will be destructive criticism and not necessarily good, positive feedback. You can definitely give constructive feedback but you can give it in a positive way so that it influences the person that you're giving feedback to do better in their future.

Shannon Morse: [00:21:27:14] However, a lot of times, I've experienced a lot of destructive feedback, that is not necessarily focused on the content that I'm creating, but it's focused on me as a person. For example, I've had people tell me they don't like how I speak, or, they don't like that my nails weren't done one day when I was showing a product off on a close up camera. There's a lot of strange things that people decide that they want to share with you.

Shannon Morse: [00:21:53:23] I've experienced a lot of harassment too. Definitely based on the fact that I am a woman, I am a female in the industry, but, also, that I'm outspoken. I'm definitely very outspoken on Twitter and I believe that we all have the right to be outspoken, but I definitely try to follow that morale or being somebody who brings positive feedback to the industry and is not somebody who comes in there and attacks all the time. I don't think attacking people is something that really helps us grow, worldwide, you know, as a community. I think that it definitely helps to be somebody who is a positive influence and who other people want to look up to, and want to be a part of that kind of group.

Shannon Morse: [00:22:45:24] So, yes, I definitely deal with quite a bit of that kind of stuff online, but I have learned how to tune it out, after ten years. It definitely helps to have a lot of friends that are in the industry that I can talk to so I've opened up quite a lot and discussed these things with my friends and family and husband, etc. But it also helps to just have that kind of feedback from your friends and family - that support group, I guess it would be. Having a support group definitely helps with dealing with that kind of harsh criticism or harassment online, and also learning how to block, and learning how to filter certain words, definitely helps too.

Dave Bittner: [00:23:29:17] Right. So you have to have a thick skin but, but in addition, your technical skills pay off as well?

Shannon Morse: [00:23:36:03] Yes, absolutely.

Dave Bittner: [00:23:37:12] That's Shannon Morse from Hak5. You should check out all the things they do over at hak5.org. There's more to our conversation that we didn't have time to include in today's program. We're going to post the complete interview over on our Patreon page - that's patreon.com/thecyberwire. You don't need to be one of our supporters to access it, so do check it out.

Dave Bittner: [00:24:04:01] And that's The CyberWire. Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at The CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:24:31:20] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.