The CyberWire Daily Podcast 2.15.19
Ep 782 | 2.15.19

GandCrab notes. Make tests, not bans, says GSMA. Content moderation. Takedown of inauthentic accounts. Influence operations. Happy birthday, GCHQ.

Transcript

Dave Bittner: [00:00:03] GandCrab scuttles through unpatched holes. Independent testing as an alternative to banning specific vendors as security risks. Big tech gets some Congressional scrutiny over content moderation. Facebook takes down inauthentic accounts working to influence the Moldovan elections. The Federal Trade Commission is rumored to be queuing up a record privacy fine. Amanda Berlin joins us with her story of helping folks with mental health issues in infosec. Defending forward from disillusioned Bears. And happy birthday, GCHQ.

Dave Bittner: [00:00:41] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. Sign up for the Cyber Daily email, and every day, you'll receive the top trending indicators Recorded Future captures crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:51] The CyberWire podcast is made possible in part by RSA Conference, taking place March 4 through the 8 at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference, where the world talks security. Learn more and register today at rsaconference.com/cyberwire19.

Dave Bittner: [00:02:13] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 15, 2019. GandCrab ransomware is being pushed through a 2-year-old hole in the ConnectWise Manage plug-in for the Kaseya VSA remote management tool. A patch has long been available but far from universally applied. And Kaseya is reminding people to update their software and patch. MSPs are particularly affected, and through them, their customers. The campaign by unknown hackers came to light this week in a Reddit post whose author - again unidentified - claimed to have infected a small managed service provider. The vulnerability is potentially dangerous because of the administrator access exploitation gives the attacker. Updates are available.

Dave Bittner: [00:03:01] Rather than a ban on Huawei or other manufacturers, Reuters reports European telecommunications providers say they'd prefer an EU-wide security testing system that would address threats as they were found and before they were introduced into 5G networks. The proposal came from the 800-member trade group GSMA and was made at the Barcelona Mobile World Conference. The argument for testing vendors, as opposed to simply banning certain manufacturers, rests largely on fears that bans would so disrupt the telecommunication supply chain as to not only delay the rollout of 5G by years but also significantly degrade the performance of existing networks.

Dave Bittner: [00:03:42] GSMA is working, it says, on coming up with ways of enhancing existing testing regimes. Those include testing by independent operators, third-party laboratories or 3GPP itself, the 5G standards body. Huawei thinks this is a pretty swell idea and would be happy to participate. It remains to be seen whether an enhanced testing system would prove sufficiently reliable, thorough and convincing to allay concerns about Chinese espionage that runs strongest in the Five Eyes but that are spreading in EU governments as well.

Dave Bittner: [00:04:17] Big tech continues to receive pressure over content moderation. U.S. Representative Adam Schiff, a Democrat of California, sent Facebook CEO Mark Zuckerberg a letter requesting that the social network remove anti-vaccination content from its platform. Representative Schiff cast the matter as a public health issue. He's concerned about the implications of falling vaccination rates. Representative Schiff thinks that false ideas about vaccinations' risks gain an aura of authority through repetition online, and he wants to know what Facebook is doing about it. He applauds the way Instagram has excluded some conspiracies from its platform and would like Mr. Zuckerberg to get back to him on whether medically inaccurate content violates Facebook's terms of service, what Facebook is doing to address such information, whether Facebook accepts paid advertising from anti-vaccine activists - and if so, how much it takes - and, finally, whether it's preventing searches from returning anti-vaccine results. Bloomberg says Google received a similar letter.

Dave Bittner: [00:05:20] Facebook responded in a tentatively favorable way, saying it's looking into the ways it might best combat this problem, including, for example, reducing or removing this type of content from recommendations, including groups you should join, and demoting it in search results while also ensuring that higher quality and more authoritative information is available. Nothing yet from Google, but that company has already said it's looking for ways to exclude borderline content from its YouTube recommendation system.

Dave Bittner: [00:05:51] The vaccine issue will be an interesting one to watch, especially as congressional forays into content moderation approach their inevitable First Amendment challenges. Unlike other borderline content, anti-vaccine sentiment, while distributed across a broad demographic, tends to be most deeply distributed as an elite, as opposed to a downmarket, opinion.

Dave Bittner: [00:06:13] Facebook's efforts against inauthenticity seem, as they so often do, to be less problematic than its attempts at content moderation. Most recently, the social network has blocked a number of such accounts engaged in influence operations directed toward Moldova's elections. The inauthentic accounts were said to be spreading fake news, but the grounds for the purge were found in the fact that the identities behind the pages weren't what they purported to be. One hundred sixty-eight Facebook accounts, 28 pages and eight Instagram accounts were taken down. Facebook said its review - and they specified it was a manual review, not an algorithmic one - determined that many of these accounts were traceable to Moldovan government personnel even as they represented themselves as neutral fact-checkers. The hot-button issues in the election include mandatory instruction in the Russian language and possible unification with Romania. In general, at issue is the direction of the country's future, whether it will lean west or east.

Dave Bittner: [00:07:13] Privacy concerns are coming to a head for Facebook. The Washington Post says the U.S. Federal Trade Commission is negotiating a multibillion-dollar settlement with Facebook over privacy lapses. Facebook says it's talking to the agency but not much else. And the FTC isn't saying anything at all for public consumption. The Federal Trade Commission opened its investigation of Facebook's data handling record after the Cambridge Analytica affair came to light last year. The fine - if it's as large as the anonymice close to the negotiations think it will be - would set a new record. The biggest fine Silicon Valley has paid to settle a federal privacy beef was the $22.5 million tab Google ran up back in 2012.

Dave Bittner: [00:07:57] Both U.S. Cyber Command and the Department of Homeland Security say that election influence and interference remain matters of concern. Cyber Command took a very restrained victory lap before the Senate yesterday as its head, General Paul Nakasone, explained to questioners that defending forward, as the new U.S. strategy is called, involves taking active measures in cyberspace against those who would muck around in elections. Homeland Security's Christopher Krebs, who leads the department's Cybersecurity and Infrastructure Security Agency, took strong exception to reports in The Daily Beast that CISA was giving up on election security. Not at all, Krebs said. In fact, they're doubling down against what they regard as a real threat.

Dave Bittner: [00:08:41] According to CNN, the U.S. Democratic National Committee's security chief has told potential presidential candidates that you don't have to actually declare your candidacy to become a hacker's target. While this sounds like something from Captain Obvious, the point probably is worth making. Hey, politician, you don't have to ride a bus on a listening tour of Iowa or New Hampshire to attract the attention of the Bear Sisters. And there's some insight into how the Bears see the world of information operations in an essay published earlier this month by Vladislav Surkov, an aide to President Putin and big numero in Russian policy circles. He decries what he calls the illusion of choice as a kind of con game paid by Americans and similar riffraff.

Dave Bittner: [00:09:26] It's more P.T. Barnum than the Cleisthenes of classic Athenian democracy. And if you're one of those suckers born every minute, of course, you're going to learn and mistrust your leaders and your institutions. Russia, by way of contrast, is not in the grip of such an illusion. Instead, Mr. Surkov says, it's a nation founded on authentic sound understanding of historical processes. Bogus choice is dashed to pieces when it encounters a deep and enduring nation. That's one way of looking at it.

Dave Bittner: [00:09:57] And finally, we were so distracted by Cupid's arrows and Aphrodite's pajamagrams yesterday that we almost forgot many happy returns to GCHQ. The oldest of the Five Eyes celebrated her hundredth birthday yesterday, and her majesty herself laid a tastefully encrypted plaque at the organization's original home, Watergate House near Charing Cross in London, to mark the occasion. So happy birthday to Auntie Eye from all of us stateside.

Dave Bittner: [00:10:24] A quick reminder - this Monday, February 18, is Presidents Day, and as is our custom on U.S. federal holidays, we won't publish either the daily news briefing or our daily podcast. Both will be back as usual on Tuesday. Enjoy the holiday if you're here in the U.S. Unless we're all dashed upon the rock of historical inevitability, we'll see you again Tuesday.

Dave Bittner: [00:10:51] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free. No installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:11:59] And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's great to have you back. Your team has been tracking some vulnerabilities in a particular brand of router. Bring us up to date here. What do we need to know?

Craig Williams: [00:12:14] Well, what I'd like to talk about today is a little bit of research that Jared Rittle and Carl Hurd found. Basically, we were looking at a TP-Link TL-R600VPN broadband router, and we did find some issues that were concerning. When it comes to devices in this space, you know, often while they may be written really well from a performance perspective, some of the things that can be overlooked just, you know, from a time-to-market perspective can be things like protocols, have they been secured, have people fuzzed all the interfaces? They found all the bugs, in other words? And so we try to help vendors. We try to help, you know, software that we rely on find these issues, and then we work with them to get the issues fixed. And then we talk to the public about the issue so that people know to apply the patch. And in this particular one, we were able to find some reasonably severe issues. We were able to find several remote code execution issues and some information disclosure issues. Now, the good news here is that we were able to work successfully with TP-Link and get these issues addressed relatively quickly. And so what this means is if you - you know, you might be hearing us on the podcast, and you might think, oh, man, I think my little gray box says TP-Link on the side.

Dave Bittner: [00:13:22] (Laughter).

Craig Williams: [00:13:23] Well, not a big deal, right? If it does, go look at your box. If it says R600VPN, then you need to figure out a way to update the firmware on it. Now, I know this can sound challenging, right? When people say update the firmware, a lot of people might think, oh, my gosh, how do I do that?

Dave Bittner: [00:13:38] Right, it's dark magic.

Craig Williams: [00:13:39] Right, exactly. So the first thing you do is you get the box, and you stab it six times - no, I'm just kidding.

(LAUGHTER)

Craig Williams: [00:13:45] You usually just need to go to your router's log-in page. So typically, it'll be something like, you know, 192.168.0.1. And it'll have a log-in portal. Well, with any luck, you can log into that, and look for something that says updates, and click it over to automatic mode.

Dave Bittner: [00:13:59] Right. Use the hard-coded credentials that they've conveniently provided for you.

(LAUGHTER)

Craig Williams: [00:14:05] You know, if not, I'm sure there's a sticker on the box, and you can just go get it off of there.

Dave Bittner: [00:14:08] Sure, sure.

(LAUGHTER)

Craig Williams: [00:14:11] You know, speaking of, I did want to talk about another thing, too. You know, I think when it comes down to IOT, a lot of people don't realize that things like password reuse are so common. Multiple vendors tend to reuse the same passwords. You know, if you think about the number of routers that use admin admin, it's catastrophically alarming amount. So please, users, never set that as your password.

Dave Bittner: [00:14:34] Yeah, I mean, it's - is it fair to say, step number one, with any of these devices, is go in there and change the password?

Craig Williams: [00:14:42] Absolutely. You know, I would even say - first thing, change the password. Second thing, go over to updates, see if there's an automatic setting. The reality is, most of these home devices - well, they have QA teams, right? And the QA team may not be finding every single zero-day in the device, but I bet they're pretty good at testing the actual quality of the product and the overall functionality. And so for me, you know what? I would prefer to have my device secure itself, so that a attacker can't take control of it and install something like Mirai than, you know, gamble with, well, do I want to test it first? Do I want to give them a week or two to patch it? You know, I would prefer that my device be secure.

Dave Bittner: [00:15:14] Right. So the risk of having some sort of, I don't know, substandard update come through that could affect the device, brick it or affect performance, that's probably lower than the risk that you assume when you don't do the updates.

Craig Williams: [00:15:28] Absolutely, and especially if you're buying name-brand devices. You know, I think that's really what you pay for when you pay for a brand that you recognize, when you pay for a brand that's from a large, stable company. You know, chances are they don't want a bad product representing their brand, and they're going to try and find these issues. Now, does that mean, like, if you pay more, you can get a bulletproof router? Obviously not, right? There's no such thing as 100-percent hack-proof software. Anybody who says that is misleading you. But what it does mean is that there's going to be a team of developers that work on the product, they're going to be there after you buy the product, and they're going to maintain the product and help ensure that it's, you know, a quality product for the lifetime of the product. Now, the lifetime will end, right?

Dave Bittner: [00:16:13] (Laughter).

Craig Williams: [00:16:13] You can't have a 20-year-old router or a 10-year-old router and think it's fine, right? That's the world we live in.

Dave Bittner: [00:16:20] Yeah (laughter).

Craig Williams: [00:16:20] You know, I could see, you know, somebody with a, you know, good old dial-up modem think, well, why do I need one? Right? And it's, well, (laughter) there's probably vulnerabilities in that chip architecture that are going to be hard to exploit because we don't even remember what they were.

Dave Bittner: [00:16:33] Right, yeah. A lot of our parents, I suppose, are probably in that, if it ain't broke, don't fix it category, but you just can't think that way these days.

Craig Williams: [00:16:42] Right, and this is especially true for things that are from niche vendors, right? Which may be something that - you know, if you're at a very small ISP, that may be something that's appealing to them, and then if those issues aren't patched quickly, you could put - it could put you at risk.

Dave Bittner: [00:16:55] Yeah. All right, well, good advice as always. Craig Williams, thanks for joining us.

Dave Bittner: [00:17:04] Now I'd like to share some words about our sponsor Cylance. AI stands for artificial intelligence, of course, but nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good - or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com, and check out their report, "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire, and we thank Cylance for sponsoring our show.

Dave Bittner: [00:18:03] My guest today is Amanda Berlin. She's senior security architect at Blumira, but today, she joins us to share the story of the nonprofit she started, Mental Health Hackers. It's a group of infosec professionals dedicated to helping others in the industry deal with mental health issues, either their own or those of loved ones.

Amanda Berlin: [00:18:23] I was asked to do my first keynote at BSides Nashville, and I kind of wanted - like, all my talks prior were technical topics, right? And I had never done a keynote before, and I thought, I kind of want, like, a TED Talk-ish topic, right? More high-level. And then at the time, there were some suicides that had just happened, like, in infosec. Come to find out it is way more of an issue than I thought it was. I just gave that talk, gosh, probably 14, 15 times last year because people just kept on asking me to come talk about it. So it went from that to I felt like I could be doing more. Rather than just, you know, the 20 to 100 people that come and watch the talk, maybe I could create a space for people, you know, to go and talk about.

Dave Bittner: [00:19:15] So you mentioned earlier the Mental Health and Wellness Village that you ran. Take us through what was going on there. What did folks get out of it?

Amanda Berlin: [00:19:22] The idea was, you know, for that quiet space at the conference. So a lot of times I'll have panic attacks, like, two or three days into a conference because, like I said, I'm sitting at home alone all the time, and then I'm just surrounded by people, 24/7, for a couple days, and it's - you know, it overwhelms my system. And I just go back to my room, and I chill out, and I calm down or whatever. And I just realized, you know, in most of these conferences, you know, there's villages for everything, and everything's always so busy and so loud that I thought it would be cool to have just, like, chill, like, quiet music, place you can go and kind of hang out, and it kind of grew from there.

Amanda Berlin: [00:20:04] So we did this fidget table where there was, like, all of the different things you see online and some new ones that I had found of just stuff to play with. We had people come in and do, like, paracord crafts and essential oils and all that kind of other things that people can do sometimes for mental health. And then we had a therapy dog. I also had a lot of volunteers want to speak about things. So we split it up in between actual, like, real conference presentations, you know, where you sit and you watch people do slides and talk, and then discussion groups.

Amanda Berlin: [00:20:40] So all of those went super well, and then the majority of the money actually went towards massage therapists. We had four massage therapists come in all day Saturday and just do chair massages for anybody that wanted to come and get them. All of it was really, really well received, and we just want to, like, grow that more and provide that kind of stuff to more conferences.

Dave Bittner: [00:21:02] Are there particular aspects of infosec, the people that it attracts and the conditions under which folks are working, that make this a particular issue?

Amanda Berlin: [00:21:15] Oh, definitely. When I was doing a bunch of the research that I was doing - and I never thought I'd ever read this many medical journals - I found - it's called the Savanna-IQ interaction hypothesis. It basically talks about how people with higher intellect and IQ tend to have more mental health issues. And then with the mental health issues, they also tend to self-medicate more - pills, alcohol, prescription, nonprescription drugs, whatever. It amazed me.

Amanda Berlin: [00:21:45] A lot of the work that we do, we're kind of - I mean, a lot of us are isolated, right? Like, I work from home. I don't really have a whole lot of interaction with people. So you kind of lose - you know, you feel isolated. You feel like there's nobody else that are going through the same thing that you are, and then you're just, like, stuck behind your keyboard forever, without that human interaction, and that can lend to it as well - you know, long work hours, stressful situations, that kind of stuff.

Dave Bittner: [00:22:14] I wonder, what sort of progress are you seeing on the employer's side of things? Is there a recognition that folks who are having issues with these sorts of things, that they can come to their employers and say, you know, I need some assistance here, or you know, we need health care that provides for these sorts of things?

Amanda Berlin: [00:22:35] I've heard some awesome stories from people that are actually - have full-blown mental health wellness programs going on in their company. I think there's a lot more openness with - at least it seems like a lot of the startups (laughter) because, I mean, if you've ever worked for a startup, they're fricking (ph) crazy, right?

Dave Bittner: [00:22:56] Right.

Amanda Berlin: [00:22:56] You're working nonstop, and you're super passionate about whatever you're doing, otherwise you wouldn't be working for a startup. It seems like a lot more of them care, whereas the institutions that have been around for a while might not necessarily.

Dave Bittner: [00:23:11] What are your recommendations for folks who may be sitting back and thinking that maybe they're dealing with something? They have some anxiety, some depression, some of the other things we've described here, but they're hesitant to come out and talk to anybody about it. Where do they begin? What sort of resources are available that they can start down a path of healing?

Amanda Berlin: [00:23:32] There are so much (laughter). There is so much out there that I didn't even realize, you know, until I started looking at this kind of stuff. You know, the National Suicide Prevention Line has, you know - if you need someone right now, you can call them. You can chat with them online. Like, I hate calling people on the phone, so (laughter) I don't blame people if they want to just chat with them in a DM or whatever. But there's places like NAMI, which is the National Alliance on Mental Illness, that has a whole bunch of information as well, and you can kind of learn more, and you know, they'll provide, like, coping techniques, right?

Amanda Berlin: [00:24:08] So there's different stuff that works for every person, with every level of any mental health whatever they have, right? Because just because you have panic attacks or depression or bipolar or schizophrenia or whatever doesn't mean, you know, you're completely broken. You know, all of our mental health is important, whether you have something or not. But there's way more than that, you know. There's a whole lot more coping mechanisms that you can use. And then there's definitely, like, professional help. One of the things that we talked about in the village that we ran, we had somebody come and talk about all the stigmas of going to a therapist.

Dave Bittner: [00:24:47] Right, right.

Amanda Berlin: [00:24:47] And kind of what it's actually like to go to a therapist (laughter), and the difference between psychiatry and psychology and therapy. So it's just, you know, learning about it. I think that even if you don't have something, I guarantee you someone you know does, and that's when communication, you know, also comes into play.

Dave Bittner: [00:25:08] That's Amanda Berlin. You can find out more about Mental Health Hackers by visiting their website. It's mentalhealthhackers.org.

Dave Bittner: [00:25:21] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:25:33] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.