Online content and terrorism. Huawei’s shifting strategy. Venezuela’s grid failure is explicable by corruption and incompetence--no hacking or sabotage required. Gnostiplayers are back. AI and evil.
Dave Bittner: [00:00:04:10] Content moderation in the aftermath of the New Zealand mosque shootings. A shift in Huawei’s strategy in the face of Five Eye, and especially US, sanctions. Corruption, neglect, and replacement of experts by politically reliable operators seems to have caused Venezuela’s blackouts. Gnosticplayers are back, with more commodity data. And AI has no monopoly on evil, natural intelligence has that market cornered.
Dave Bittner: [00:00:37:16] It's time to take a moment to tell you about our sponsor, Recorded Future. You've probably heard of Recorded Future, the real time threat intelligence company. Their patented technology continuously analyses the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and everyday you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of cyber attacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:39:10] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 18th, 2019.
Dave Bittner: [00:01:48:07] Facebook has removed 1.5 million copies of video showing Friday's massacre of Muslims at prayer in New Zealand. New Zealand's Prime Minister, Jacinda Ardern, wants social network companies to do more, particularly with respect to blocking extremist, inspirational content.
Dave Bittner: [00:02:05:19] But blocking content remains an imperfectly solved problem. Either viewers object to something they've seen and report it, or an algorithm flags content as questionable.At that point human moderators make a determination. Social media platforms have difficulty handling this at scale even when they're not working with live streams, and there are few good suggestions for how live-streamed video might be moderated.
Dave Bittner: [00:02:31:04] Mobile carriers in New Zealand have blocked sites that carry, or carried, the shooter’s video. The services blocked include 8Chan, 4Chan, and LiveLeak.
Dave Bittner: [00:02:43:03] The shooting itself, and the attendant radicalization surrounding it, is under investigation in New Zealand, of course, but in other countries as well. In the UK, for example, MI5 is looking for connections between the shooter and British extremists. In general, it’s being noted that governments, even those as accustomed to cooperation as those of the Five Eyes, do better sharing foreign intelligence than they do intelligence bearing on domestic terrorist threats.
Dave Bittner: [00:03:11:19] Huawei’s lawsuit against the US Federal Government, alleging that its treatment amounts to an unconstitutional bill of attainder, isn't likely to be any more successful than a similar suit Kaspersky filed late last year. Both companies had been booted from Federal networks as security risks. But courtroom success doesn't seem to be the goal, according to the Washington Post. Huawei is appealing to the court of public opinion, particularly allied public opinion.
Dave Bittner: [00:03:38:20] The general lines of that public appeal won’t be Constitutional. There are a number of op-eds and news stories out, those appearing in the Global Times are representative, that argue that the US is really not afraid of being hacked via Huawei gear, but rather that it fears its own surveillance programs will be impeded by wider adoption of Chinese hardware and services. China’s Premier Li Kequiang said Friday that China would never ask Chinese companies to spy on its behalf, this reassurance being offered as part of an international charm offensive that featured a new law that nominally affords foreign companies more protection of their intellectual property. These reassurances are generally welcomed as nice, but few are taking them at face value.
Dave Bittner: [00:04:26:24] Venezuela's power grid has partially recovered from last week's outages. Its causes seem to have been rooted in decisions the Chavista regime has taken over the last few years that resulted in displacement of operational expertise by political pliability. Electricidad de Caracas, the country’s largest power provider, was acquired by AES in 2000, but AES was forced to sell to Petróleos de Venezuela during nationalizations in 2007. Shortly after the nationalization, power generation and distribution were folded in to Corpoelec. A move to upgrade power generation capacity in 2010 by constructing thermoelectric plants to supplement the country’s hydroelectric-based generation did not proceed happily. The Wall Street Journal notes that no-bid contracts and kickbacks to the politically well-connected became the norm.
Dave Bittner: [00:05:23:14] The Wall Street Journal has followed up reporting last week by the New York Times that suggests poorly maintained facilities were taken out by brush fires. Corpoelec stopped clearing fast-growing vegetation from around transmission lines and access roads about three years ago. Maduro’s regime has blamed a combination of domestic sabotage and American cyber attack. The wreckers the security services have fingered, have been relatively junior managers at Corpoelec, like Geovany Zambrano, who was detained last week by intelligence agents. His offense, one concludes from the Wall Street Journal’s coverage, seems to be that he told local media back in February that the grid was on the verge of collapse.
Dave Bittner: [00:06:07:11] Few observers now credit the regime's allegations that the outage was an American hack, or “electromagnetic attack.” Those who do are are for the most part driven by ideological sympathy. Those who do so, like the Russian or Chinese governments, do so because such accusations are a handy stick with which to beat Washington.
Dave Bittner: [00:06:27:21] More than fifty countries now recognize the Venezuelan National Assembly’s declaration that Juan Guaidó is the country’s interim president. Nicolas Maduro continues to cling to the office, however, and has directed his cabinet to turn in their resignations to effect “a profound reorganization of the methods and operation of the Bolivarian government to shield the Homeland of Bolivar and Chavez from any threat.” Future outages appear likely.
Dave Bittner: [00:06:58:17] NotPetya's effects continue to appear in victims' bottom lines. The Irish Examiner notes that TNT Express Ireland says it sustained €2.2 million in losses last year, attributable to its corporate parent's affliction with the pseudo ransomware.
Dave Bittner: [00:07:15:06] And the Gnosticplayers are back, dropping a fourth round of stolen records in their favored dark web markets. This time they’re offering over 26 million user records, names, emails, passwords, that kind of thing, all for the low, low price of 1.2431 Bitcoin. (That’s roughly 4,940 Yankee greenbacks, if you should happen to be in the market.)
Dave Bittner: [00:07:40:18] Gnosticplayers isn't feeling the love. He’s been chatting with ZDNet (and ZDNet thinks they've got the real Gnosticplayers and not some impostor). “I got upset because I feel no one is learning," Mr. Gnostic told the publication. "I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry." He’s no longer hoping to make a quick buck and retire and in any case $4900 isn't going to get him very far, because he’s realized that other hackers have gotten there first, so instead he’s trying to get what he can from extortion. Mr. Gnostic mused, "I came to an agreement with some companies, but the concerned startups won't see their data for sale. I did it that's why I can't publish the rest of my databases or even name them." A lot of the data are probably recycled from earlier breaches. Still disturbing, but in all likelihood, commodity stuff.
Dave Bittner: [00:08:37:24] Finally, at the recent South by Southwest meetings, chess grand master Garry Kasparov offered some reflections to Fast Company about the scope and limitations of artificial intelligence. For all the talk of artificial intelligence's growing capabilities, Kasparov said, "humans still have the monopoly on evil," evil being what Kasparov would characterize as an open system. He doesn't discount the considerable capabilities that artificial intelligence exhibits and will no doubt continue to improve, but he does think it excels in closed systems. So, a monopoly of evil. Okay, we've got that going for us. Trainers of AI take note, you may well find your own vices reflected right back at you.
Dave Bittner: [00:09:28:13] And now a word from our sponsor, LookingGlass Cyber Solutions. When it comes to digital business risk, you don't want a general admission perspective. Get a backstage pass for the LookingGlass Digital Business Risk Roadshow this spring to learn the industry latest on effective third party risk management tactics to protect your employees, customers and brand, taking a proactive security posture to combat today's sophisticated threat actors and a cyber criminal mastermind's insights on manipulating your organization's cyber strengths and weaknesses. Come see LookingGlass in a city near you. The tour includes Atlanta, Charlotte, Chicago, San Francisco, New York City, DC and Houston. They hope to see you at the show.
Dave Bittner: [00:10:12:05] To learn about the roadshow and register, visit their website, lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass for sponsoring our show.
Dave Bittner: [00:10:32:14] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast. Joe, it's great to have you back.
Joe Carrigan: [00:10:41:17] Hi Dave.
Dave Bittner: [00:10:42:09] We've got an interesting story and this is about DARPA which is building a new open-source secure voting system and they've got $10 million to do it. What's going on here? Fill us in with the details.
Joe Carrigan: [00:10:56:01] This came out on March 14th and exactly two days before on March 12th, on Motherboard they had an article about researchers finding a critical backdoor in the Swiss online voting system. But this is not an online voting system. This is an in-person voting system. DARPA has contracted with a company called Galois, spelled G-A-L-O-I-S. It's named after a French mathematician. Basically what they're doing is they're developing two systems for voters. And the one that's covered most in this article, is about the one that generates ballots for voters. So you're going to walk in, there's going to be an electronic representation of the ballot in front of you and you're going to make your votes on the electronic machine. And then the machine will print out a paper representation of what you voted. There will be no barcodes on this. Because that's one of the concerns that people have, is that if the counting machine is going to read a barcode on how I voted, humans can't read that. So if I present the voter with how they actually voted and then tamper with their votes in the barcode, and that's what gets tallied, that's no good.
Joe Carrigan: [00:12:05:19] So, this doesn't have a barcode. It actually reads the ballot, the same way the user does. It looks at the boxes that the user checked and tallies up the votes. So then when the user takes the ballot over to the scanner, the scanner will scan the ballot and print out a receipt with a cryptographic token on it. And that cryptographic token then can be used to say that, yes, your votes were included and n they were included properly in the tally.
Dave Bittner: [00:12:35:22] So your receipt is this cryptographic token. And what do you check that against?
Joe Carrigan: [00:12:40:24] You check it against a website that will be published after the election.
Dave Bittner: [00:12:44:01] So after the fact you can go and use this cryptographic token to verify that what they have you down for is correct?
Joe Carrigan: [00:12:52:22] You can't actually see who you voted for. Because that actually provides someone with a means to coerce somebody else. So I can say, Dave, you better vote for my candidate in the next election, or I'm going to beat you up. Now give me your receipt and let me see who you voted for. So they don't show you that. But they do show you that your votes were tallied properly. But I don't know how they go about proving it. It probably has something to do with the cryptographic system that's involved.
Dave Bittner: [00:13:19:18] Is it a good thing that this is open-source?
Joe Carrigan: [00:13:22:09] That's a great thing. They're going to be taking it to DEF CON. They're going to be sending it out to universities. The biggest problem I've always had with these electronic voting machines is that they are not open-source. People have found vulnerabilities in these that were easily exploitable and the manufacturers of these systems didn't do much about it.
Dave Bittner: [00:13:40:10] Are they private companies?
Joe Carrigan: [00:13:41:19] They're private companies, exactly. And Galois will not be manufacturing these voting machines either, they're just going to release the standard. And this is kind of an issue I have with this entire project, is they're going to release the standard out to other companies to produce the voting machines with the software and, allegedly, the hardware. So if this system breaks, this is where it's going to break. It's going to break where other people manufacture it.
Dave Bittner: [00:14:06:00] So what they're doing here is trying to get as many eyes on this as possible? Part of what they're after is to try to re-establish trust in these systems because certainly after some of our recent elections, I think some of that's been eroded.
Joe Carrigan: [00:14:18:10] Right. I've told stories about when we had the Diebold machines here in Maryland and somebody looked at my ticket that I handed them. And he sent me to a voting machine that nobody else had used while I was there and nobody else was using while I was there. And each one of those individual Diebold machines was its own ballot box. So how do I know that they didn't just reset that machine when I was done? So I like the idea where they have one vote counting machine in an election site and it's like the old ballot box. It's essentially an electronic ballot box and not only that, but there actually is a physical paper record of the ballot in the ballot box.
Dave Bittner: [00:14:56:19] It's an interesting program. Certainly it's going to get a lot of attention as it moves its way through the process but it seems like a good thing. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:15:07:16] It's my pleasure, Dave.
Dave Bittner: [00:15:12:15] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security Hah! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast which I also host, the subject there is Threat Intelligence and every week we talk to interesting people about timely cyber security topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:15:54:05] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our CyberWire editor is John Petrik. Social media editor, Jennifer Eiben. Technical editor, Chris Russell. Executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.