The CyberWire Daily Podcast 3.12.19
Ep 798 | 3.12.19

Venezuela power blackout updates. Social media and social control. Trojanized games. Free decryptor out for ransomware strain. Ads on Facebook. A look at 30 years of the web.

Transcript

Dave Bittner: [00:00:03:24] An update on Venezuela and its power outages. Amplification of social media posts as a form of mass persuasion. We've got a look at how control of the Internet has replaced control of the radio station as a move in civil war and coup or counter-coup planning. Asian game makers get backdoored out of China. Decryptors are out for BigBobRoss ransomware. Senator Warren versus Facebook and Facebook versus itself. And Sir Tim Berners-Lee on the Web's 30th birthday.

Dave Bittner: [00:00:40:14] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in, it's the people you trust, the ones who already have the keys; your employees, contractors and privileged users. In fact, a whopping 60% of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data, but to stop insider threats you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free. No installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:44:13] From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 12th, 2019.

Dave Bittner: [00:01:52:17] If you're interested in concise expositions of the Chavista line on Venezuela's ongoing power crisis, Citizen Truth is retailing it like it's 1919, and Iran's Tasnim Agency like it's 1979. It was criminal Yankee cyber attacks and sabotage by traitorous, disloyal Venezuelans that done it, says nominal but arguably deposed President Maduro.

Dave Bittner: [00:02:18:24] The New York Times has a reflective and comprehensive account of the outages, which it sadly concludes are likely to continue for the foreseeable future, with all the suffering they produce. The Timesman on the scene who co-wrote the article, Anatoly Kurmanaev, is even clearer in his personal Twitter feed on how the blackouts probably came about. Neglect, layoffs, failure to clear brush from around transmission lines and substations, with brushfires knocking out power, load demand exceeding capacity and so on. It certainly looks like the result of infrastructure collapse, with no need to reach for sabotage or cyber attack as explanations. 21 of Venezuela's 23 states have been affected by the blackouts.

Dave Bittner: [00:03:04:09] There are two bits of overt and undeniable Yankee intervention in the crisis. The US State Department has pulled its last remaining diplomats from Caracas and the US Treasury Department has sanctioned a Russian bank for evading sanctions against the Chavista regime.

Dave Bittner: [00:03:21:07] Researchers at security firm F-Secure have been looking at Brexit posts in social media and believe they've found that at least one side of the house, the Brexit side, has had its views amplified by tweets from unspecified international actors, generally engaged in boosting causes and moods F-Secure characterizes as "right," including such populist unrest as that of France's Gilets Jaunes. Effective control over the Internet seems to have become the equivalent of what shaky regimes and their coup-plotting opponents of the mid 20th century always sought in the opening days of a crisis, control of the radio station. Online intelligence firm Recorded Future this morning released a study of how such control has played out in troubled places over the last half decade or so. Their research follows up an earlier report outlining the digital conflict that has attended Yemen's civil war. Two more Netsweeper devices have now been set up in Yemen. These devices are usually used for web content filtering, but they can be used for censorship if they're implemented with a consumer-facing Internet service provider.

Dave Bittner: [00:04:28:20] When Houthi rebels took over Yemen's capital in 2014, the country's major Internet provider fell under their control. The researchers had previously identified one Netsweeper device on the Houthi controlled network. Beyond Yemen, Recorded Future also takes a look at Internet manipulation in Venezuela, Bangladesh, Sudan and India.

Dave Bittner: [00:04:51:06] Last month, Kaspersky Lab observed DNS manipulation in Venezuela that resulted in Venezuelan supporters of Juan Guaidó entering their personal information on a malicious spoofed website. In January, Bangladesh throttled all mobile data services in the country in order to limit communication before its national election. Recorded Future sees this as an attempt "to control the external narrative of the country's internal affairs," particularly by inhibiting talk of human rights abuses. This past December, Sudan cut off access to Twitter, Facebook, Instagram and WhatsApp as a rumor control move during a period of nationwide protests. India, with a well developed and relatively sophisticated level of connectivity, saw a large number of Internet disruptions. Most of the government-induced shutdowns came in response to reported terrorist or militant activity, but the researchers say the scope and regularity of the incidents inevitably raised troubling questions about control of information.

Dave Bittner: [00:05:52:12] The Johns Hopkins University Information Security Institute is hosting their 5th Annual Cybersecurity Conference for Executives. That takes place March 13th in Baltimore. One of the featured speakers is Dr. Phyllis Schneck, she's Managing Director of the Global Cyber Solutions Practice at Promontory Financial Group, an IBM company. She joins us with a preview of the presentation she'll be giving at the conference, on the role of regulation in cyber.

Dr. Phyllis Schneck: [00:06:19:05] In cybersecurity you're dealing a lot with the application of technology to enable our business and, here, our banking. But if you regulate that technology too much, you could end up preventing some of the very innovation that makes the technology. So day-to-day at Promontory my team focuses with our clients at banks and other areas such as bio-technology and aviation and we say "what is your risk?" It's not about how much technology you buy, it's about what is the risk your board of directors have decided that your company is willing to take. They call it the risk appetite. How do you manage that risk? What are the things that make you, for example, a target or put you in danger, and what are the things you need to do, technology, governance, people-wise, to put in place as a process, to ensure that it's not if, unfortunately, but when someone tries to intrude, steal or damage your systems electronically, how you're able to bounce right back. And this is a very important part of the safety and soundness of any infrastructure.

Dr. Phyllis Schneck: [00:07:23:15] It's really looking at your board of directors and your company and your brand and saying "how much risk am I willing to take from all the electronics that enable my world and how do I protect it?" And then the big question is how much of that protection should be required and how much was up to you? And a lot of it comes to the difference between compliance and security. Compliance is not security. Regulatory compliance says you've met the requirement of a law or regulation from a government agency or a state agency or some body that says you have to meet those requirements. Then you're going to recheck the box and you demonstrate how you met them. That's not security. It's a good start, but every adversary in the world that wants to get you will look at what your compliance requirements are and go right around them. It's an easy road map to say don't try here, they had to fill that hole, where else should I look.

Dave Bittner: [00:08:18:20] I want to get your take on what I would consider to be sort of a healthy tension. I think we could agree that there's a need for a certain amount of regulation. At the same time it strikes me that it doesn't do anybody good if that relationship between government and industry is more adversarial than collaborative.

Dr. Phyllis Schneck: [00:08:37:21] So that's the big question. I think for decades people have been trying to determine that correct relationship. We're all on the same side, we want to maintain our way of life and have safe and sound systems, so I think it actually depends by sector. So for example the financial sector's always been highly regulated. The IT one historically not so much, because the makers of technology have felt that innovation could get stifled in many ways if you have too much regulation, and as a geek myself I can tell you there's a lot of truth in that. If you're told you have to have Widget A, B and C, companies will manufacture all kinds of varieties of A, B and C because they know they're going to sell, they know they'll make money. The consumers won't invest in anything outside of what they have to have because unless they are really forward thinking and willing to invest, they don't have to.

Dr. Phyllis Schneck: [00:09:40:15] So you end up with two bad things there. One is nobody's making anything new because there's no market for it, no-one cares, because the government has told you what you have to have to be secure, but the worst thing is that all the adversaries have now reverse engineered Widgets A, B and C and they have created their attacks right around it. You can always get around something. So it's about resilience, it's about understanding not if but when the storm comes to me, how I'm going to recover. In my opinion, it's about what's the minimum amount that can be required so that you're in a position to innovate towards resilience. It's a very tough balance but you have to preserve the innovation and the free market and have just enough regulation to ensure that balance of that innovation isn't causing harm.

Dave Bittner: [00:10:30:16] That's Phyllis Schneck from Promontory Financial Group. She's a featured presenter at the 5th Annual Cybersecurity Conference for Executives, hosted by Johns Hopkins University, March 13th in Baltimore.

Dave Bittner: [00:10:43:03] ESET has found another supply chain campaign, apparently originating within China, attempting to backdoor Asian gaming companies. ESET thinks the group is the one Kaspersky described in its 2013 report on the Winnti Operation. At least one Trojanized game, ironically called "Infestation," remains in circulation.

Dave Bittner: [00:11:04:17] Avast and Emsisoft have each released decryptors for BigBobRoss ransomware. Bravo to both companies. If you've been afflicted by BigBobRoss, go to the company sites - those would be Avast and Emsisoft - and see what they've placed out there to help you salvage your data.

Dave Bittner: [00:11:23:04] Senator Elizabeth Warren, Democrat of Massachusetts, took out an ad on Facebook calling for big tech companies like Facebook for instance to be broken up, in particular because critics say they tend to exercise a monopolistic control over information. Facebook took the ad down, citing misuse of its logo in the Senator's ad. But then Facebook put the ad back up because the company said it's in favor of "robust debate." We hope the Senator's people sent Mr. Zuckerberg's people a nice fruit basket, because that kind of self confirming publicity you really can't buy. Human curation or algorithm we don't know, but the to-and-fro is so good for the Senator that if we were peddling a conspiracy theory we'd tell everyone she and Mr. Zuckerberg arranged the whole kabuki dance just between the two of them, maybe even at the Bohemian Grove. Hashtag Monopolygate! Hashtag Wealthy Elite Kabuki! Alas, such stories really are too good to be true. There's nothing new under the sun, but rather we see "time and chance in all." Really, she just bought the ad and really they just took it down and then put it back. But why aren't the Shadow Brokers all over this story?

Dave Bittner: [00:12:38:00] Anyhow, yesterday was recognized as the 30th Anniversary of the World Wide Web, and Sir Tim Berners-Lee called for the Internet's users to help it grow up. He's generally seen as the Web's inventor; he proposed it when he was at CERN as a way of capturing information that might otherwise be lost due to personnel turnover. Sir Tim writes, in Quartz, that he sees three big problems with the Internet today. First, deliberate, malicious intent such as state sponsored hacking and attacks, criminal behavior and online harassment. Second, system design that creates perverse incentives where user value is sacrificed, such as ad-based revenue models that commercially reward clickbait and the viral spread of misinformation. And third, unintended negative consequences of benevolent design, such as the outraged and polarized tone and quality of online discourse. The first can be mitigated through laws and codes. The second calls for a redesign of systems to realign incentives. The third one is the tough one. Berners-Lee calls for "research to understand existing systems and model possible new ones, or tweak those we already have." Specimens of all three issues are on display in today's news.

Dave Bittner: [00:13:58:13] It's time to take a moment to tell you about our sponsor, Recorded Future. You've probably heard of Recorded Future, the real time threat intelligence company. Their patented technology continuously analyses the entire Web, to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the Web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of cyber attacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:15:04:12] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the Hacking Humans Podcast. Joe, great to have you back.

Joe Carrigan: [00:15:14:10] It's good to be back, Dave.

Dave Bittner: [00:15:15:12] Joe, recently at the RSA Conference, the folks over at NSA released Ghidra, this is their reverse engineering tool, and you've taken a look at this.

Joe Carrigan: [00:15:26:17] I did, I downloaded it and played with it a little bit.

Dave Bittner: [00:15:29:00] What do you think?

Joe Carrigan: [00:15:30:07] I'm impressed, Dave. This is a good tool, from the hour and a half to two hours I spent playing with it. You will need to install a JDK of some kind in order to get it to run. I just had the Runtime Environment so that didn't seem to work, but I just downloaded the open source JDK or the open Java, whatever it is now, and that seemed to work just fine. So there's no real hurdles, you can just go out and download this thing. The first thing I did was decompile a program that was on my hard drive, just to look at it and see if it worked and it worked pretty well. The next thing I did was I took a look at some code I had written for an AVR Solution. So AVR is microcontroller architecture. If you've ever heard of the Arduino Board, at its center it has an AVR processor. It used to be Atmel, now it's Microchip. So I just took one of my own files that had been compiled in AVR and loaded it up in this tool and told it it's an AVR file, and sure enough it disassembled it and then even put up some C Code that looks pretty similar to what I wrote.

Dave Bittner: [00:16:41:02] What if you didn't know that this code was AVR Code? Would it try to figure out what it was?

Joe Carrigan: [00:16:47:04] No, it didn't know what to do with it until I told it it was AVR Code. I did have to tell it it was AVR Code but you'll be knowing that it's AVR Code if you're pulling it off an AVR Chip.

Dave Bittner: [00:16:57:19] I see. Interesting. What do you make of this that NSA has put this out there in the wild and open sourced it?

Joe Carrigan: [00:17:07:24] I don't know. That's a good question, why did they do this? Maybe it's because they're trying to make this kind of a tool more available. There is a tool like this called IDA Pro but you have to buy not only IDA Pro, but the Hex-Rays Component to get everything that's available in this Ghidra product and those are prohibitively expensive.

Dave Bittner: [00:17:30:16] I have heard some speculation that this allows folks to come into NSA for a career, being pre-trained on one of their primary tools. So rather than having to train them in-house, you just open up that more people will come in knowing how to use the tools that NSA uses.

Joe Carrigan: [00:17:49:01] I think a better theory might be that if more people have access to these tools, we'll find these vulnerabilities faster and then we can fix them. Of course there's always the thing that if they're releasing this, what are they not releasing!

Dave Bittner: [00:18:00:09] Yes! But I think it's an interesting contribution to the community, certainly there are PR aspects to it of making NSA seem a little less mysterious and close doored, you know, that they're sending this out there for people to use, contributing to the community so I think that's an interesting aspect of it.

Joe Carrigan: [00:18:19:15] I would agree.

Dave Bittner: [00:18:20:13] And of course you cannot help when anything like this comes out, there's the speculation that the true purpose from NSA is to include this with some sort of back door where they'll be able to see everything that we're doing!

Joe Carrigan: [00:18:35:16] It's funny you say that, because as soon as I started this thing up I got a message that said "Java wants to open a connection to the Internet" and I said "no." But that was probably for the updating software. I don't know that that was actually Ghidra doing that.

Dave Bittner: [00:18:50:18] I guess there are a couple of little bugs in there, the way it comes out of the box configured that makes people raise their eyebrows.

Joe Carrigan: [00:19:01:13] You know what, you could decompile it with itself and see what it says.

Dave Bittner: [00:19:06:13] It's Ghidras all the way down.

Joe Carrigan: [00:19:08:19] Right?

Dave Bittner: [00:19:09:19] It's an interesting development and an interesting little bit of software for folks to be able to use.

Joe Carrigan: [00:19:16:09] I'd say go out and play with it, if nothing else. It's free, it's totally free.

Dave Bittner: [00:19:21:02] Yes. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:19:23:14] It's my pleasure.

Dave Bittner: [00:19:28:15] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire Podcast is proudly produced in Maryland, out of the Startup Studios of DataTribe, where they're co-building the next generation of Cybersecurity teams and technology. Our CyberWire Editor is John Petrik, Social Media Editor, Jennifer Eiben, Technical Editor, Chris Russell, Executive Editor, Peter Kilpe and I'm Dave Bittner. Thanks for listening.