Mueller Report is out. Sea Turtle DNS-manipulation campaign. Over-privileged and under-honest apps kicked out of Google Play. Facebook has another privacy incident. Fraud and destruction.
Dave Bittner: [00:00:03] The U.S. Justice Department releases the redacted Mueller report. Investigators found no evidence sufficient to establish conspiracy or coordination between any U.S. persons and the Russians over the 2016 campaign, but the Bears were busy. The Sea Turtle campaign sets a worrisome example of DNS manipulation. Sneaky apps have been booted from Google Play. Facebook apologizes - again. Notre-Dame fire fraud. Replication in cyber research. And an act of gratuitous computer destruction.
Dave Bittner: [00:00:41] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Prevention-based tools leave you blind to any threats inside your network. By adding behavioral-based network traffic analysis to your SOC, you can find and stop attackers before they make their move. ExtraHop illuminates the dark space with complete visibility at enterprise scale, detects threats up to 95 percent faster with machine learning and guided investigations that help Tier 1 analysts perform like seasoned threat hunters. Visit extrahop.com/cyber to learn why the SANS Institute calls ExtraHop fast and amazingly thorough, a product with which many SOC teams could hit the ground running. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:38] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 18, 2019.
Dave Bittner: [00:01:47] The long-awaited and much-discussed Mueller report on Russian influence operations during the U.S. 2016 elections was released in redacted form this morning. At a prerelease press conference, U.S. Attorney General Barr reviewed the report. He said it established there was an effort on the part of Russian intelligence services to interfere in the U.S. elections, but that no U.S. persons were found to have collaborated in that effort. He declined one reporter's invitation to talk about the origins of the investigation, which have themselves become controversial, noting that such discussion was another matter and lay outside the scope of what he was prepared to go into.
Dave Bittner: [00:02:27] Attorney General Barr also explained the redactions. There were four categories of material that were redacted. These included, first, grand jury material, whose redaction is required by law. Second, material that might compromise intelligence sources and methods was redacted. Third - and the attorney general explained that this category accounted for most of the redactions - was material whose release might impair other ongoing investigations or prosecutions. And finally, information affecting the privacy and reputation of other persons not the subject of the investigation was also redacted. The White House reviewed the redacted version of the report and declined to invoke executive privilege. The attorney general also said that a bipartisan group of members of Congress would receive an almost unredacted version; the only material they wouldn't see would be that in the first category, grand jury material, since disclosure of such information is restricted by law, and its release doesn't lie in the discretion of the Justice Department.
Dave Bittner: [00:03:29] A quick look at the report - and we stress that our look was quick, there being 448 pages in the report - reveals the following highlights, none of them unexpected. Quote, "The Russian government interfered in the 2016 presidential election in sweeping and systematic fashion," end quote. Much of that information occurred through leaks obtained by a Russian intelligence service and retailed through Guccifer 2.0 and WikiLeaks, among other channels. There was also, the investigation concluded, a Russian social media campaign designed to disparage the Clinton campaign and favor the Trump campaign. While the Trump campaign thought it would benefit from the discreditable material released through Russian efforts, the investigation did not establish that any members of the campaign conspired or coordinated with the Russians. And the Russian actors most often named will come as no surprise either. They are the Internet Research Agency and the GRU. With that, we'll leave the report with our editors for a further close reading.
Dave Bittner: [00:04:31] Researchers at Cisco Talos describe Sea Turtle, a state-directed espionage campaign that's been active since early 2017. Most of Sea Turtle's operations have been in the Middle East, and the campaign is noteworthy for its sophisticated Domain Name System manipulation. Cisco Talos divides the victims into two distinct groups. The first group includes the targets proper - energy organizations, defense establishments and foreign ministries. The second group are third parties used to reach the primary targets - telcos, ISPs and DNS registrars. CrowdStrike and FireEye had earlier described aspects of this DNS manipulation campaign. FireEye tentatively attributed it to Iran. The U.S. Department of Homeland Security issued a warning about this activity in January.
Dave Bittner: [00:05:19] Cisco Talos finds the incident worrisome not so much in its immediate effects as in its realistic potential to undermine users' trust in the internet as such. The company includes a plea to put DNS as a whole off-limits to offensive cyber operations. They don't make this comparison, but we will. Making DNS a prohibited target would be analogous to the protection the laws of armed conflict place around such essentially civilian and humanitarian facilities as hospitals, supplies of drinking water and so on. That's a commendable aspiration, but arriving at an international consensus to leave DNS alone would seem to be a long process. It was difficult enough to get hospitals off target lists, and there is an obviousness and immediacy about hospitals that DNS just doesn't have.
Dave Bittner: [00:06:09] BuzzFeed reports that Google has booted six ad fraud apps from the Play store. The apps, thought to be a subset of a larger number of related applications engaged in similar dodgy behavior, were not only engaged in ad fraud but were also abusing user permissions in their collection of data. Some of the Android apps were popular, notably a selfie app that had more than 50 million downloads. The applications Google ejected from Play in this current round of expulsions were produced by the Chinese company, DU Group. The apps asked for a lot of permissions and obscured the nature and destination of the information they would gain access to.
Dave Bittner: [00:06:48] Cybersecurity offers employment opportunities for people with all sorts of backgrounds and work experiences. Some folks are fresh out of school, while others are looking to move into the field from another line of work. Nathan Katzenstein is a bit of a combination of both of those things. He's got over 20 years of experience in IT but decided it was time to head back to school and earn a master's in cybersecurity. He reached out to us and made the case that it's a path many are on these days, one worth sharing, so we got him on the line.
Nathan Katzenstein: [00:07:18] I wanted to get into a market or into an area space where there was a new beginning and there was a lot more to grow. But I didn't want to lose any of my back - and I wanted to leverage my experiences. So I felt that the cybersecurity area was an area that really fit well, where I could bring my IT management experiences and leverage that into this field.
Dave Bittner: [00:07:41] And so what are your aspirations when you get your master's? So where do you hope it takes you?
Nathan Katzenstein: [00:07:47] So I have a background in the energy field. I worked in the deregulated energy, electric and gas area for about 16 years. And what I'm looking to do is to get into the critical infrastructure protection.
Dave Bittner: [00:08:01] And what's your sense for the opportunities that may present themselves once you're out there looking for a job?
Nathan Katzenstein: [00:08:08] I know that it's tough to break into a new market. I'm well aware of that. As we all know, there seems to be a big gap in the skills and the market in cybersecurity. I believe the numbers I've read is that there are, like, half a million jobs that are going unfulfilled. I think maybe there's - it's an artificial gap perhaps.
Nathan Katzenstein: [00:08:32] You know, there's this joke about this man who is looking on the floor, and some good Samaritan comes by and says, gee, what are you doing? And he said - and the man says, I'm looking for my key. So the good Samaritan helps him look for the key. And after a while, he said, well, where did you drop your key? He said, oh, I dropped it across the street. But the good Samaritan says, why are we looking here? He says, well, because here we have streetlights.
Dave Bittner: [00:08:57] (Laughter).
Nathan Katzenstein: [00:08:57] So I think what companies are looking for - are they looking for a lot of requirements that maybe don't exist in the real world? For example, you want an SQL programmer, or you want a database person. You can say, I'd like somebody with 10 years SQL experience. I'd like a seven-year C# programmer. But when you look at some of the requirements for cybersecurity jobs where they're looking for an individual with 10 years of cybersecurity experience, it's very hard to find because there aren't that many out there.
Nathan Katzenstein: [00:09:32] So I believe there is this artificial gap between their requirements, but there really are individuals out there who can answer the call - maybe looking outside of the box. Maybe you're looking for individuals that, you know, like math, for example, or like to solve puzzles, because these are the types of people that can really solve cybersecurity issues for companies as well.
Dave Bittner: [00:09:57] So what are your recommendations for folks who may feel as though they want to follow a similar path to you? They want to maybe reach out to a different part of tech than they've been in before or open up some new opportunities for themselves. What are your recommendations?
Nathan Katzenstein: [00:10:14] So my recommendations are not to be afraid. My recommendations are, look at the market, see what area or what space you really want to and talks to you, and then go for it. You know, it's never too late in your life. There is no reason that you shouldn't go ahead and try to teach yourself new skills, whether you want to do it on your own, whether you want to go for some certification or if you really want to get a master's degree. There's no question - go ahead and do it. I think there's a lot that the market has to offer, and I think that anybody who really wants to get into it should grab it with two hands.
Dave Bittner: [00:10:55] That's Nathan Katzenstein. He's finishing up his master's in cybersecurity this summer at Utica College.
Dave Bittner: [00:11:03] Yesterday, Facebook acknowledged inadvertently uploading email contacts of a million and a half users without the users' consent. The social network regrets this, says the social network, and it says it will remove contacts uploaded in connection with its now-disabled email password verification feature. The contacts may have found their way into data used to draw inferences for ad targeting and the People You May Know feature. Whether those inferences will also be removed is, The Guardian reports, unknown. But Facebook regrets the whole matter and resolves to do better in the future.
Dave Bittner: [00:11:41] ZeroFOX sees a wave of opportunistic scamming conducted around the Notre-Dame fire - ad fraud, direct fraud, malware installation and even stock fraud. Be concerned, and feel free to give help, but be skeptical and alert for the grifters' come-ons.
Dave Bittner: [00:11:59] The Washington Post interviews Tyler Moore, a professor of cybersecurity and information assurance at The University of Tulsa, who sees problems with the conduct of cybersecurity research. The issues apparently derive from how research uses data entangled with marketing. The University of Tulsa's study was interested in how one might determine such information as frequency and severity of attacks, the efficacy of various security products and how well various defensive tactics, techniques and procedures worked. Marketing is more concerned with persuasion than it is with replication, and much of the raw data that underlies or might underlie published research into these topics is generally not readily available. And replication, of course, would need raw data.
Dave Bittner: [00:12:45] And finally, a former student at the upstate New York College of Saint Rose, one Vishwanath Akuthota, has taken a guilty plea to charges that he destroyed 66 computers on the college's campus by inserting a USB killer into each of them. USB killers are, as the name implies, devices you insert into a USB port to overload a computer's surge protection. Such devices are readily available and easily purchased.
Dave Bittner: [00:13:13] We must ask, why? Mr. Akuthota made videos of himself strolling around campus in February, saying, I'm going to kill this guy, and then doing so. Guy, in this case, refers to a computer, not a human being. He caused over $58,000 in damages and, when sentenced, will face up to 10 years in prison and a quarter of a million dollars in fines. Given the video Mr. Akuthota took, it seems safe to say that the FBI and the Albany Police Department had little difficulty investigating the crime. Mr. Akuthota's motive is unknown, at least to the general public. Resentment? A sense of injured merit? The libido ostentandi, which is how Cicero would've translated, hey, look at me, y'all? We hear, by the way, that Cicero is all the rage in Silicon Valley these days. Around Mountain View and Sunnyvale, they think he was this cool stoic. The lulz? Maybe. As far as we can tell, it’s just another acte gratuit, which is what Jean-Paul Sartre would have called just behaving like a jerk.
Dave Bittner: [00:14:23] Time for a message from our sponsor, KnowBe4. It can take a hacker to know a hacker. Many of the world's most reputable organizations rely on Kevin Mitnick, the world's most famous hacker and KnowBe4's chief hacking officer, to uncover their most dangerous security flaws. You might ask, hey, where can I get the skinny on the latest threats? And where could I find out, what would Kevin do? Well, at KnowBe4's webinar, that's where. Kevin and Perry Carpenter, KnowBe4's chief evangelist and strategy officer, give you an inside look into Kevin's mind in this on-demand webinar. You'll learn more about the world of social engineering and penetration testing by listening to firsthand experiences and some disconcerting discoveries. You'll see exclusive demos of the latest attack ploys, find out how they could affect you and learn what you can do to stop them. Go to knowbe4.com/hacker to register for the webinar. That's knowbe4.com/hacker. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:15:36] And I'm pleased to be joined once again by Robert M. Lee. He's the CEO at Dragos. Robert, I wanted to take a little bit of a walk down memory lane with you. I wanted to address how some of these industrial control systems worked in the days before computers. How was the security handled? And were things easier back then, or harder, or just different?
Robert M: [00:15:57] Yeah, I think it's fair to say that it was different. I see a lot of discussion now of almost trying to take us back. Oh, let's go more analog. And I'll come back to that point and where there is good discussion happening but also some concern.
Robert M: [00:16:10] So industrial control systems predate, really, computer systems. They predate IP-based networks and internet and DARPA and ARPANET. And a lot of folks would hearken back to some of the early control systems. And I think the classic, like, textbook example is the water clock in Egypt, you know, I mean, like, obviously a long time ago.
Robert M: [00:16:31] But when we're talking about the modern control system, really, we start seeing, like, the '70s and '80s as being the introduction of the modern-ish industrial control system. And, obviously, at that time, we are still talking, like, more computer-like systems of a system that is able to take an input and an output and actually have control over that in some mechanism. But we're looking more of zero communications. We're looking at analog devices. We're looking at even, in some cases, manual control systems and the ability to operate and control the plant, obviously with much more manpower.
Robert M: [00:17:07] The risk that has been associated with a lot of the industrial control systems today is in their connectivity. But a lot of risk existed before that as well. And this is where I think the balance is important, going back to that initial comment I made, where I think it is fair - there's some really good work going on in the community, like CCE, which is this idea of cyber-informed, consequence-driven engineering, and which is, hey - I mean, it's far more complex than this, and I know National Labs has done a lot of good work on this. But let me really simplify it to a basic statement, which is, A, the process controller that's running our valve to an important part of our infrastructure, or let's just say the programmable logic controller that is involved in the safety of our system in a gas turbine facility.
Robert M: [00:17:54] Should it also be able to run Microsoft Paint and PowerPoint? You know, that's basically the argument, which is, you know, these common operating systems are coming on that can do a lot of different things. Like, do we really want what's controlling a really important system to be a common operating platform? Can we not do more design-driven, like, understanding that we get purpose-built systems for some things, or even in some rarer cases, manual systems? Do we really need your safety system talking to a domain controller? And I think that is a really good discussion happening, and I think it's important.
Robert M: [00:18:27] On the converse of that, though, I don't want it to swing too far because our infrastructure has been modernized and is being modernized in a way that has added to the overall value. And it's not just a business value. Look; things like manual operations and, I would say, more simple control systems dictated so much more human interaction. And especially in environments that are, like, petrochemical or chemical manufacturing and paper and pulp and others, you know, there's loss of life and injuries that come from dealing with highly dangerous-type environments. And a lot of the automation that we went to and connectivity that we went to was not only about driving business value but also driving safety.
Robert M: [00:19:10] And so the idea that - I see congressmen and politicians throw this out all the time now - oh, if a cyberattack happens, we'll just go back to the manual operations, and we'll do that because Ukraine did that to recover. It's like, yeah, Ukraine had to do that to recover at a couple sites. We're not doing manual operations across multiple regions of the power grid in the U.S. if an attack happens, and you don't want to have to because you could really get people hurt.
Robert M: [00:19:32] And so from the memory trip, things look a lot better than they were, I think, from a security aspect. But things were a lot worse than they are now in terms of safety and reliability. We've never had a more safe and reliable infrastructure than we do today. And we need to allow security to complement that. And we need to have design-build systems and make sure we are making smart choices. But we got to strike that balance because there are definite pros and cons, and they matter in this world.
Dave Bittner: [00:19:57] Robert M. Lee, thanks for joining us.
Dave Bittner: [00:20:03] And that's the CyberWire. For links to all of today's stories, check out our CyberWire Daily News Brief at thecyberwire.com.
Dave Bittner: [00:20:10] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:22] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.