Dave Bittner: [00:00:04:05] Venezuela sustains power outages, and the regime blames hackers and wreckers. The opposition says it’s all due to the regime’s corruption, incompetence, and neglect. Citrix loses business documents in what might have been an Iranian espionage operation. Huawei’s suit against the US gets some official cheering from Beijing. The US warns against Chinese information operations. And Russian troll farmers turn to amplification.
Dave Bittner: [00:00:37:18] Now a moment to tell you about our sponsor, Observe It. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys. Your employees, contractors and privileged users. In fact, a whopping 60% of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With Observe it, you don't have to. See, most security tools only analyze computer network or system data, but to stop insider threats you need to see what users are doing before an incident occurs. Observe it combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. What to see it in action for yourself? Try Observe It for free. No installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire, and we thank Observe It for sponsoring our show.
Dave Bittner: [00:01:41:09] From the CyberWire studios at Data Tribe, I'm Dave Bittner with your CyberWire summary for Monday, March 11th 2019. Venezuela, since the middle of last week, has suffered from an ongoing series of power grid failures. The widespread blackouts, President Nicolas Maduro told supporters Saturday, had been largely fixed. That apparently is incorrect, as reports of continued power outages continue. But the cause the current regime assigns the blackouts is interesting. President Maduro, the legitimacy of whose government is disputed by the country's National Assembly, has blamed them on US cyberattacks, aided and abetted with sabotage committed by internal wreckers.
Dave Bittner: [00:02:23:24] The opposition to Maduro and the Chavista regime, on the other hand, blames corruption, incompetence, and deteriorating infrastructure. Most outside observers, including the states belonging to the Lima Group, seem to think that the opposition probably has it right. The Lima Group, formed in 2017, represents a hemispheric attempt to manage a peaceful resolution to the crisis in Venezuela. Its members currently include Argentina, Brazil, Canada, Chile, Colombia, Costa Rica, Guatemala, Guyana, Honduras, Mexico, Panama, Paraguay, Peru, and Saint Lucia. The Lima Group has recognized the interim presidency, declared by the National Assembly, of Juan Guaido. While a cyberattack is surely a possibility, it seems unlikely. The specific allegation, evidence for which Maduro's regime says it intends at some point to refer to the UN, is that US cyber operators induced generator failure at the Guri hydroelectric dam. And the wreckers did it, too. Venezuela’s failing state has a history of irregular power delivery, although four days is a long stretch, even by recent standards. It's unlikely in the extreme that the blackouts have any causes beyond what the opposition has called out: corruption, incompetence, and collapsing infrastructure. The situation is a tragic one—the opposition says that the Maduro regime is responsible for deaths that have occurred as power failed in hospitals and other critical installations. For its part, the Maduro regime denies that any deaths have occurred, and that in any case the opposition is responsible for them. We think this story is worth your attention, however, not mainly for its political or humanitarian dimensions, as important as those are, but because it illustrates two recurring issues we see where cyber matters intersect or at least accompany kinetic effects. First, it’s a sad illustration of why critical infrastructure is so critical: a developed country is highly vulnerable to long-term disruption of power distribution. Most developed countries can cope with the sorts of shorter blackouts caused by, for example, storms, but extended outages, or repeated instances of shorter outages, have much more serious effects that cascade across a nation’s life. Thus if one were inclined to dismiss concerns about the possibility of cyberattacks on power generation and distribution as idle alarmism, think of what Venezuela is suffering now. That it’s almost certainly not the result of sabotage or hacking is beside the point. Look at the effects and consider the possibility. In the language of risk management, hacking down a power grid may be a relatively low probability event, but it’s a high consequence one.
Dave Bittner: [00:05:10:02] In this context it’s worth mentioning that there are recent warnings that Triton malware is still circulating, possibly in new forms. That attack code was used against petrochemical plants, but the principle remains the same. Second, as one looks at the Maduro regime’s claims, and the opposition’s counterclaims, one sees an information operation in progress. It seems the opposition’s evidence is far stronger—and we’d be willing to bet that the regime won’t be able to produce any of the evidence of hacking it says it’s going to bring to the UN. From this hack that wasn’t, it’s almost pleasant to turn to a hack that was. Although it too is a misfortune, it’s not accompanied by the degree of suffering Venezuela is undergoing this week. Citrix, the software company whose offerings, particularly in remote work solutions, have become familiar in both the private and public sector, disclosed Friday that it had sustained a data breach, probably accomplished through a password-spraying attack. The FBI has the matter under investigation, and Citrix is working to contain and mitigate the consequences of the breach. Some six terabytes of what are being called “business documents” were accessed by the attackers. Researchers at the firm Resecurity think the actor responsible was Iran's Iridium group, generally thought to be a state-sponsored espionage unit. Citrix is preparing various forms of assistance for and disclosure to its customers.
Dave Bittner: [00:06:37:24] US authorities continue to warn of the threat of both Chinese penetration of infrastructure and of Beijing's attempts at influence operations. US National Security Advisor John Bolton says that "Manchurian chips are a possibility, and a good reason to keep Chinese hardware out of infrastructure." For you kids who are younger than Mr. Bolton, “Manchurian chips” is an allusion to the 1962 movie “The Manchurian Candidate,” in which the son of a prominent American political family was brainwashed during captivity in Korea to become an assassin, deployed and triggered under the control of Red China. And that, of course, is not what you want in your 5G devices.
Dave Bittner: [00:07:18:23] Much of the concern over hardware centers on manufacturer Huawei, currently suing the US Government in Federal court with the hearty approval of the Chinese Foreign Ministry. Huawei's smaller rival ZTE faces similar suspicion, but receives less strong, overt, official support from Beijing. ZTE’s contract to provide maintenance to Telefonica Deutschland will not be renewed when it ends. Observers note that there have been complaints about the quality of service, although Telefonica did not mention these in its announcement. Other observers see the end of the contract as aligning with western skittishness over the security implications of relying on Chinese hardware. To return to US National Security Advisor Bolton, in the course of remarks in which he alluded to “Manchurian chips,” he devoted considerable attention to what he called Chinese attempts at influence operations, conducted mostly via contacts in universities and think tanks. This echoes much of what we heard at RSA: China is now spoken of as an information ops threat, along with Russia.
Dave Bittner: [00:08:24:21] Not that the Russian troll farms have been idle. Bloomberg reports that Russian trolling may have turned to amplification of existing memes, the better to evade hunts for inauthenticity. So you draw less attention to yourself, presumably, if you simply like, or thumbs up, someone else’s opinion that, say the Kree were playing Captain Marvel for a sucker when they got her to fight with the Skrell, or something to that effect.
Dave Bittner: [00:08:49:12] And besides, catfish are cheap—when the House of Zuckerberg whacks down a bunch of trolls, the trollmasters of Saint Petersburg just conjure up another lot. It’s not quite like the broom in the Sorcerer’s Apprentice, because every whacked hashtag doesn’t splinter into ten new memes, but you get the point.
Dave Bittner: [00:09:12:06] It's time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look a Recorded Future's Cyber Daily. We look at it, the CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff - and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily e-mail to get the top trending technical indicators crossing the web. Cyber News targeted industries, thread actors exploited vulnerabilities; malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:10:24:04] And joining me once again is Daniel Prince. He's a Senior Lecturer in Cyber Security at Lancaster University. Daniel, it's great to have you back. We wanted to talk today about cyber design and the importance of that. Why don't we start off with some descriptive stuff here. What are we talking about when we say cyber design?
Daniel Prince: [00:10:40:16] This has really come from some of the work that I've been doing with my multi-disciplinary PhD students who are working in international relations and technology areas. One of the things that they have been looking at is the idea of military design and this is really an emergent movement trying to understand how innovation can actually flow through military organizations to really get to the front line - war fighters. The interesting thing there is they're really incorporating design methodologies, like human-center design, to try to understand the needs and the problems of the front line of war fighters. It made me think about the types of challenges that we have in cyber security in terms of thinking how do we actually design cyber security products and services and how do we design the actual systems? I was reflect on a lot of my own practice and thinking that, actually, a lot of the stuff that we do is really taking existing products and services and taking more of an architectural approach. How do we combine these things together to provide a secure solution without really thinking about the design methodologies that sit behind that. Therefore, I am really interested in understanding how things like human center design and other design methodologies can really benefit in the very early stages of thinking about how we address cyber security solutions.
Dave Bittner: [00:12:03:16] It's really interesting. I think about things like password managers where the less effort required, the more likely I am to use that password manager on a regular basis.
Daniel Prince: [00:12:15:05] That is certainly true. There has been a lot of usability work undertaken by colleagues such as Angela Sass and others around thinking about how security and usability can go hand in hand. There is a very famous piece of academic work called Why Johnny Can't Encrypt" looking at why, a long time ago, people don't use a PGP encryption for e-mail. However, one of the interesting things about a lot of design methodologies is that it really challenges whether we are asking the right questions. An interesting point that's come from my discussions is this idea that actually who is the user of security? Now oftentimes we think it's actually the people that are buying security, but equally we could turn that question around on its head and say that the attackers are really the users of security and what we need to be doing is thinking about how we design for the attackers to make it harder for them rather than just being easier for the users. Therefore, it's this idea that actually design thinking for this space can actually open up new avenues of conversation and discussion around actually what are better cyber security solutions rather than just going well these are the components that we have and how can we put them together to produce a cyber security solution?
Dave Bittner: [00:13:28:02] Let's dig into that. When you say designing for the attackers, what would be exposed to them? How would design affect what they're up to?
Daniel Prince: [00:13:36:12] Arguably, the attackers are the ones that are actually consuming the security solutions on a day-to-day basis. They are trying to consume the activities of the firewall in terms of what it actually is doing, for example, in terms of protecting and preventing malicious traffic going through it. When we're thinking about designing an overall solution, are we actually thinking about how the attacker might approach this particular problem? How the attacker might actually try and breach the security protections that we put in place? It's almost, in some ways, the reverse. We don't want to make it usable for the attacker. That changes the nature of the conversations we have. It changes the philosophical nature of how we're designing. I think it's important to think about the attacker as really the root of a lot of the cyber security activities that we undertake so that we can actually prevent escalations in attacks.
Dave Bittner: [00:14:35:05] It's interesting. I wonder too about the competitive advantage of companies who focus on this, on the importance of design rather than just what's under the hood or in addition to what's under the hood. That could be an advantage for them.
Daniel Prince: [00:14:49:16] Certainly. You have to just look at classic examples like Apple and Microsoft and the various corporate wars at that level. Apple focused heavily on the idea of design and design thinking in human centered design and we're seeing other large corporates really pushing this idea of design thinking as a way to help to solve some of the more challenging and radical problems that we're seeing in computer science more generally, not just cyber security. It's really important to start that conversation much earlier and really start to use design thinking and design methodologies to challenge some of the assumptions that we're making around the technologies that we're using, the attackers and the way they're approaching us and then also the users and the way they're defending.
Dave Bittner: [00:15:36:24] Daniel Prince, thank you for joining us.
Dave Bittner: [00:15:43:13] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, Observe It, the leading insider threat management platform. Learn more at observeit.com. Don't forget to check out the Grumpy Old Geek's podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed and check out the recorded future podcast which I also host. The subject there is threat intelligence and every week we talk to interesting people about timely cyber security topics. That's at recordedfuture.com/podcast. The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor, Jennifer Eiben. Technical editor, Chris Russell. Executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.