The CyberWire Daily Podcast 3.13.19
Ep 799 | 3.13.19

Election security and influence operations. Hacking the Fleet. Undersea cable competition. 5G worries. Calls to rein in Big Tech. UN report outlines North Korean cyber crime (there’s a lot of it).

Transcript

Dave Bittner: [00:00:04:05] Election interference concerns persist around the world. Governments seek to address them with a mix of threat intelligence and attention to security basics. A US Navy report says the fleet's supply chain is well on the way to being pwned by Chinese Intelligence. Undersea cables are a center of Sino-US competition. The European Parliament warns about the Chinese threat to 5G infrastructure. More calls to rein in Big Tech, and the UN looks at North Korea and sees massive cyber crime.

Dave Bittner: [00:00:41:11] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in, it's the people you trust, the ones who already have the keys. Your employees, contractors and privileged users. In fact a whopping 60% of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data, but to stop insider threats you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Wanna see it in action for yourself? Try ObserveIT for free. No installation required. Go to observeit.com/CyberWire. That's observeit.com/CyberWire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:45:02] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 13th 2019. Election interference concerns have continued to receive attention in several countries. Indonesia is the latest nation to say that its elections are coming under attack by Russian and Chinese actors. The interference Jakarta claims it's seeing runs from influence operations to the creation of ghost voters. Investigations into voter fraud are underway, since those ghost voters are fictitious persons created for the purpose of directly affecting results. The reasons for the reported interference aren't fully clear, but at least one of the objectives appears to be disruption and an attendant erosion of trust in civic institutions, and the creation of ghost voters suggests that at least one of the threat actors is interested in pushing particular electoral outcomes.

Dave Bittner: [00:02:42:02] The Swiss Post e-voting system, whose vulnerability to backdooring was revealed this week, has its users scrambling for mitigations. The system is widely used in a number of jurisdictions around the world. Some of them, like the government of New South Wales in Australia, are looking to ensure security by air gapping the systems. The issue arises from the system's mixnet, which is designed to prevent votes cast from being linked to individual voters. Unfortunately, the system is open to manipulation in ways that could alter vote tallies.

Dave Bittner: [00:03:16:14] India is preparing for a national vote and authorities there, CNN reports, are concerned that social media will become fully weaponized by contending factions and possibly by external actors. In India, weaponization is a particularly sharp metaphor. Facebook in particular has been used to organize violence along social and religious lines.

Dave Bittner: [00:03:39:24] The US House of Representatives is holding hearings on election security this week. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency Director, Christopher Krebs, is testifying today. His prepared remarks echo what we heard from him last week at RSAC 2019. CISA sees considerable benefit from its ongoing engagement with state, local, territorial and tribal authorities. The testimony suggests a commitment to a strong ground game, informed by threat intelligence but concentrating on getting the security basics right.

Dave Bittner: [00:04:16:06] Venezuela's power crisis continues. Disputed President Maduro continues to blame US hacking for outages and he's ordered US diplomats expelled. The US had already announced its withdrawal of diplomatic staff, so the Chavista leader's order has an air of "you can't quit because you're fired". The US, Señor Maduro says, conducted a "demonic electro-magnetic attack" to turn the power off in most of the country, but Maduro's hacking story finds relatively few takers. Most observers acknowledge that taking down a power grid by cyber attack is certainly possible, and that doing so is in all likelihood within the capabilities of any number of cyber powers, but they also think that Venezuela's tottering infrastructure needed no such push to bring it down. There's also the question of motive and national strategy, and neither of these seems to fit the US attack Maduro insists the US has made. But Venezuela's current agonies are instructive, nonetheless. They show the widespread suffering a long lasting interruption of electrical power can impose. Consider loss of lighting and its effect on public safety, or loss of refrigeration and its effect on food storage. An account in Wired of the difficulty of a black start, that is bringing a dead grid back online, illustrates the consequences of infrastructure collapse. Load balancing is particularly tricky, and the lack of understanding of what caused the outage in the first place renders a black start even harder.

Dave Bittner: [00:05:49:09] China, by the way, has expressed its concern that Venezuela may have come under cyber attack and has offered to restore the country's power. Even if help shows up, it won't be an easy task. An internal report to the secretary of the Navy outlines the extent to which the US believes Chinese Intelligence Services have successfully prospected both the US Navy and the contractors who support it. The report hasn't been released to the public yet and the Department of the Navy hasn't commented on it, but the Wall Street Journal has, as it said, "reviewed" the report, and they have an account of its contents. The report is said to warn that the US is under "relentless" cyber attack by China, and that these attacks pose a risk to American military and economic leadership. The Navy itself, the report is said to conclude, has neglected cyber operations in favor of its preferred kinetic operations, and that it's been particularly slow, perhaps to the point of negligence, in addressing supply chain risk. The service hasn't heeded warnings that its contractors and their sub-contractors would be targets of Chinese espionage, and so has neglected the threat to the defense industrial base that sustains the Navy's operations.

Dave Bittner: [00:07:05:12] The US continues to warn its allies against the threat Chinese manufacturers, especially Huawei, pose to infrastructure. The EU seems to have moved toward agreement with the US assessment. The European Parliament has taken official notice of the threat to 5G networks Huawei and ZTE might pose. Whether this leads to a ban or not remains to be seen. In the US, Congress is considering legislation that would lead universities to exclude Huawei and Russian security firm Kaspersky from networks where they might have an opportunity to collect information on sensitive research.

Dave Bittner: [00:07:41:01] Easily overlooked, perhaps because underwater, is that portion of the telecommunications infrastructure that takes the form of undersea cables. Those cables are proving a fresh field for Sino-American competition, as Huawei's efforts to develop a pervasive share in that market draw attention. Australian authorities have, for several years, expressed reservations over Chinese companies' involvement in undersea cables, and Australia's concerns have regional impact, as many of the telecoms cables serving south west Pacific nations connect through that country.

Dave Bittner: [00:08:16:14] Doctor Kevin Du is a professor in the Department of Electrical Engineering and Computer Science at Syracuse University. Over the past 15 years or so, he's developed over 30 hands-on lab exercises for cyber security education. They call them SEED Labs. Those labs are now being used by over 800 schools in more than 60 countries.

Doctor Kevin Du: [00:08:38:09] When I was a student we did a lot of hands on work, but when I started teaching security I also wanted to do a similar thing, because I strongly believe that students learn better from doing stuff rather than just learning from the files and the textbook. So I was looking around, I was trying to find some of the hands-on lab that I could use, but at that time the security was at the beginning stage. There were not many labs that it can use. There were some, but in order to use them, probably gonna spend a whole month just to learn how to use those labs. At that time, I was thinking maybe I can just develop a few for my own class. I wrote a proposal to NSF for a small grant and that's how it got started. And then three years later I said, "oh this is great", I got five labs and many people actually liked that, my students liked that, so how about make it 30. So I started to build up and I got another grant, so that grant is a medium-sized grant that allowed me to actually build up the last 30 labs. Initially it was only for my own use, but gradually I put it on the web and other professors, they also like to use the lab. A few years ago I got another grant from NSF, allowing me to provide a training workshop so I can train the other people that use that. I used the money basically to fly in other professors to Syracuse so we have a four-day workshop. Nowadays I think at least 800 schools, I cannot track everybody, but 800 people told me that they are using the lab, but there are many schools that simply use the lab, they don't tell me, which is perfectly fine, you don't need to tell me.

Dave Bittner: [00:10:24:06] So it's been a big success. You call these SEED labs, that's S-E-E-D, and it's spread around the world. Why do you think this hands-on approach is the way to go?

Doctor Kevin Du: [00:10:35:23] Because when you do things, actually the things they are doing are fun. Cyber security itself is a very fun thing to do. We talk about attack, we talk about defense. Students feel this is so interesting, why can't I try it myself? Of course, without getting myself into trouble. Now, if you can teach a student how to do this, they will understand better how the attacker works, and then in return they can actually develop a better defense mechanism.

Dave Bittner: [00:11:05:08] And what kind of feedback have you been getting from the students who have been taking advantage of these, as well as some of the professors around the world?

Doctor Kevin Du: [00:11:12:00] Very, very positive. So students, they told me the lab has helped them a lot. Some students said when they go out for a job interview, what the companies ask, they can immediately connect with my lab, the knowledge they gain from the lab. Actually, these days some of the students told me, when they go to do an interview at those companies, they just took out some of my SEED Lab and asked them to work on the labs and they were laughing. And we did that in the class. So, that's kind of the feedback and also from the other professors the feedback is, they all know designing a lab takes a lot of time, because it's taken me 15 years, 16 years to develop these 30 labs that I can share with others. So if any professor wants to start from scratch, every single lab is gonna probably take them a few months to develop. So having those labs and they can immediately download my lab and they can use that for free, that saves them a lot of time. So, a lot of the feedback, they basically say I saved their time so they can focus on teaching instead of spending so much time developing the lab that I have developed. At Syracuse University, of course, we focus a lot on the education. So if we can teach well, if students learn from our teaching, that's definitely aligned very well with the mission of Syracuse University. And from the deans, from the department, the chair, they're very very supportive of this project.

Dave Bittner: [00:12:47:18] That's Doctor Kevin Du from Syracuse University. You can find his free SEED Labs online.

Dave Bittner: [00:12:56:07] Microsoft's patches yesterday addressed 64 issues, 17 of which Redmond rated critical. Two of the patches fixed zero-days exposed recently by Google's Project Zero.

Dave Bittner: [00:13:09:18] A report to the UK's Treasury doesn't directly advocate breaking up Big Tech companies, but it's not good news for them either. The report advocates returning control of individual persons' data to the individuals themselves, and this is regarded as posing a direct threat to the business models of companies like Google and Facebook.

Dave Bittner: [00:13:30:16] Finally, not all nation state hacking is either sabotage or espionage. Sometimes it's just plain theft. That's the case with North Korea. A report commissioned by the United Nations Security Council finds that Pyongyang is using cyber crime as a principal mode of sanctions evasion and revenue enhancement. The DPRK follows the fashionable money. The report says a lot of its efforts have gone into compromising coin miners and cryptocurrency exchanges.

Dave Bittner: [00:14:04:07] It's time to take a moment to tell you about our sponsor, Recorded Future. You've probably heard of Recorded Future, the real time threat intelligence company. Their patented technology continuously analyses the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of cyber attacks. Go to recordedfuture.com/CyberWire to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:15:10:06] And joining me once again is Emily Wilson. She's the VP of research at Terbium Labs. Emily, great to have you back. We are going back and revisiting some stuff about Equifax which has popped up again in the news recently. What's the latest?

Emily Wilson: [00:15:26:08] We are going back to Equifax and I think unfortunately we're going to keep going back to Equifax for a while. What got my attention was a story from Yahoo talking about some legislative agenda that Congress is looking to kick off now in this new term, revisiting the Equifax question and this is the credit reporting agency question. It's a question about having done enough in the wake of the Equifax breach. What got my attention was a quote from Maxine Waters, who is now coming in to head the House Financial Services Committee, saying that the Equifax question isn't closed. She's gonna come back to this and it's not done yet and we're going to see this continue to be brought up. So my question is this. What does that look like? If we're talking about revisiting the Equifax question, if we're talking about going back and making sure more is done, are we talking about justice? What does justice look like in this? We are talking about making amends in this case? We talk a lot, and we hear a lot about how we are moving forward as a country toward better data privacy or better data regulations. In December there were 15 Senators who introduced the US Data Privacy Law that they want to try and push through here, but what does that look like in practice? What do we want that to be?

Dave Bittner: [00:16:47:05] And how do you measure damage to begin with?

Emily Wilson: [00:16:49:06] How do you measure damage? When something like this happens, if you have something like an Equifax where the issue is broad and far reaching and not just because of the number of people, but because it's a credit reporting agency. It's a required service, effectively. Is it enough to chastise? Is it enough to fine? Is it something where you want to put individuals in jail for this? Are we talking about prevention? Are we talking about making payments to people who have been harmed by this as some sort of payback for their damage? I saw a piece this morning from the TechTarget blog, and the title stuck with me. "Are US hacker indictments more than justice theater?" Is this theater? Is this performative? And not because people don't intend for it to be impactful. I think people intend for this to actually make a difference but are we going to get there? What does that look like?

Dave Bittner: [00:17:50:01] I mean, over on the Grumpy Old Geeks podcast we joke, sadly, about how no one ever goes to jail.

Emily Wilson: [00:17:58:07] No, of course not, because we wave our hands and we find some way to decide that it's not an individual's responsibility. That there needs to be better oversight. There needs to be more consistent practices. There needs to be more education and more support, and I'm not saying that to be dismissive of those things. Those things are important, but we have to at some point do better. We have to at some point make an example of someone, and again, when it comes to something like Equifax, it's not like you can just opt out of the credit reporting agencies.

Dave Bittner: [00:18:33:07] Right. Which is an interesting thing in an era where we are focusing on privacy, to have this system that we depend upon, that you cannot opt out of.

Emily Wilson: [00:18:46:20] No, you can't. You can't really opt out of it. The best you can do is request that they freeze your credit, which, great, OK, that means that no one can open a new line of credit, but your information is still valuable. The information they have on you in that category of "lifetime data", there's very useful information here. There's information that identifies you. There's information that you need to transact with the world, and we're talking about these big behemoth organizations that I'm sure have phone trees 20 minutes long and don't seem to be doing too poorly as a result of this, because again, it's the next level of too big to fail.

Dave Bittner: [00:19:23:22] Well it's interesting to see that some legislators still have their eyes on this and perhaps long-term something good will come of it. Thanks for bringing it to our attention. Emily Wilson.

Dave Bittner: [00:19:40:10] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland, out of the start up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our CyberWire editor is John Petrik. Social Media Editor, Jennifer Eiben. Technical Editor, Chris Russell. Executive Editor, Peter Kilpe and I'm Dave Bittner. Thanks for listening.