The CyberWire Daily Podcast 5.14.19
Ep 843 | 5.14.19

Russians hacked two Florida counties. Fxmsp targets named. WhatsApp patches spyware-enabling flaws. Breach costs. Cisco patches routers. Endless Mayfly’s endless hogwash.

Transcript

Dave Bittner: [00:00:03] Russian operators breached two Florida counties' voting systems but without altering vote counts. Symantec, McAfee and Trend Micro are thought to be the security vendors hit by Fxmsp cyber criminals. WhatsApp patches a flaw exploited to install spyware. The Equifax breach seems to have cost the company $1.4 billion. Companies are increasingly aware of data's potential toxicity. Cisco patches two flaws, and Endless Mayfly peddled fake news on behalf of Iran.

Dave Bittner: [00:00:33] Now a moment to tell you about our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. According to a recent CA Technologies research report, 53% of organizations confirmed insider attacks within the last 12 months. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to track a combination of user and data activity. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT free - no installation required - at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:47] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 14, 2019. In news that broke late this morning, Florida Governor Ron DeSantis said that he'd met with the FBI and that the Bureau confirmed that Russian operators succeeded in intruding into the voting systems of two counties in the state. He declined to name the two counties but did say that no vote tallies were affected. We'll be watching this story as it develops over the week.

Dave Bittner: [00:02:19] Bleeping Computer writes that Symantec, McAfee and Trend Micro were among the security firms allegedly breached by the Fxmsp hackers. Trend Micro says data from a test lab had been accessed by unauthorized parties but that no source code or customer information were compromised. Symantec denied being affected at all, and McAfee says it's investigating. Bleeping Computer identified the companies from unredacted Fxmsp chat logs it received from Advanced Intelligence researchers. There's no word yet about a rumored fourth victim, nor is there any further confirmation of whether the breach is as serious a matter as some hold it to be.

Dave Bittner: [00:03:03] WhatsApp has patched a vulnerability that permitted remote installation of NSO Group's Pegasus intercept tool. It's unknown how many phones were affected. The University of Toronto's Citizen Lab says they're aware of at least one probable case. The vulnerability is said to have affected both Android and iOS devices. NSO Group said it would not have been involved in such activity and that it's investigating. The flaw that allowed the hack was, WhatsApp explained, a buffer overflow vulnerability in the VoIP stack that permitted remote code execution through specially crafted packets sent to a target's phone number. Facebook, which owns WhatsApp, has urged users to apply the patch that's available.

Dave Bittner: [00:03:48] What's the cost of a breach? In the case of Equifax, Infosecurity Magazine reports that so far, it's cost the company $1.4 billion. Perhaps, with figures like that in mind, firms are concluding that many of the data lost in breaches needn't have been collected in the first place. A database of some 200 million individuals' information is circulating in what CSO calls the grey market. While it doesn't include such Tripwire data as Social Security, passport, driver's license or credit card numbers, it contains 42 fields of great interest but dubious direct marketing value. No one has fessed up to being the source of the leak, but speculation is centering on a third party who may have acquired the data from a credit bureau. A large number of retailers are coming around to the view that it's better not to have the data in the first place.

Dave Bittner: [00:04:41] The workforce shortage facing the cybersecurity industry means it's more important than ever to spark an interest among kids in STEM. There's an organization not far from our studios here in Maryland that aims to do just that. CyberWire's Tamika Smith has the story.

Tamika Smith: [00:04:59] Sounds of robots are common in the underground workshop nestled below an office building in Maryland. It's the headquarters for a nonprofit called Hackground.

Prasad Karunakaran: [00:05:08] Now, any of the kids want to talk? I mean, it's your robot.

Tamika Smith: [00:05:09] Yeah, of course. Please.

Prasad Karunakaran: [00:05:09] I shouldn't be doing the talking.

Tamika Smith: [00:05:13] What's your name?

Andrew Lye: [00:05:14] I'm Andrew Lye. I'm the - I was on - I'm on the mechanical team - helped to build this robot.

Tamika Smith: [00:05:19] Andrew Lye is an eleventh grader at Reservoir High School in Maryland. Lye is one of nearly a hundred creators building robots for competition. He's very bright and slightly shy.

Andrew Lye: [00:05:31] So it uses a tank drive, which means each side is controlled by a different joystick.

Tamika Smith: [00:05:35] He says it usually takes their team six weeks to build a robot for competition, but it's just part of what Hackground does.

Prasad Karunakaran: [00:05:42] What we do is we teach classes in robotics. We teach - we run competitive teams in robotics, drones, rockets.

Tamika Smith: [00:05:52] Prasad Karunakaran is the not-for-profit's founder and visionary. He got the concept for it about a decade ago after going on an adventure to find a robotics team for his sons to join. It led him about 20 miles away from home.

Prasad Karunakaran: [00:06:07] Before even starting, I went to Baltimore. There was a robotics competition, and I was just intrigued by this competition. And in my mind, I even - I didn't remember this until my neighbor pointed it out.

Tamika Smith: [00:06:18] To anyone who knows Karunakaran, his neighbor going on a field trip with him is not uncommon. He's all about involving the community. Before Hackground, he started in his basement with the neighborhood kids and his sons - Siddharth and Anuraag (ph). Inevitably, kids grow up, and that presented a new challenge.

Prasad Karunakaran: [00:06:37] So I created two teams. So the second team was for my middle schooler. So I kind of played a little game, went to the middle school and said, hey, PTA. Can we start a robotics team here? I just wanted four kids to fill up my middle school kids' team. I had 25 kids show up.

Tamika Smith: [00:06:53] By 2014, he officially created Hackground. It's grown to be a STEM home of sorts for more than 100 students of all ages - a sign, Karunakaran says, that there's a growing interest in science, technology, engineering and math among today's youth.

Taylor Armerding: [00:07:10] The bad guys and the tools that the bad guys use are more sophisticated, so the threats are expanding. They're increasing, and there is an increasing need.

Tamika Smith: [00:07:19] This growth is exactly what Taylor Armerding writes about for Synopsys, a software company. His focus is on cybersecurity and privacy, and he says there'll be more positions than people with the skills to fill them.

Taylor Armerding: [00:07:33] The United States job shortage is an estimated 300,000 jobs. In other words, unemployment is below zero, which is kind of interesting. And worldwide, that figure is in the millions. One of the estimates I saw said that two years from now, the worldwide job - you know, the shortage of skills will be 3.5 million.

Tamika Smith: [00:07:57] The projected deficit is driving states, like Maryland and Michigan, and companies, like Capital One Bank and Booz Allen, to dedicate funding to STEM initiatives creating a fertile space for this expanding field. It's even a cause President Trump is making more prominent. He created the Cybersecurity and Infrastructure Security Agency Act in 2018.

Soundbite: [00:08:18] (SOUNDBITE OF ARCHIVED RECORDING)

Donald Trump: [00:08:19] The men and women of the new Cybersecurity and Infrastructure Security Agency will be on the front lines.

Tamika Smith: [00:08:24] He goes on to outline how this new department will impact homeland security.

Soundbite: [00:08:29] (SOUNDBITE OF ARCHIVED RECORDING)

Donald Trump: [00:08:29] They will partner with the private sector and all levels of government to defend America's power grids, banks, telecommunications and other critical parts of our economy.

Tamika Smith: [00:08:39] But Ron Therrien, a semi-retired computer engineer for General Electric, doesn't need a push from the president to start helping.

Ron Therrien: [00:08:46] But in the end, you actually competed very well.

Tamika Smith: [00:08:49] He's spent the last decade of his life mentoring students in the Washington, D.C., area.

Ron Therrien: [00:08:53] I mean, I had a girl that - she was wanting to go to school for music. And she came in and we moved around doing different things, and she's going to school right now to be an electrical engineer. And, you know, she thanked me for, you know, sending her down that path.

Tamika Smith: [00:09:08] This summer, one of the program students will be graduating into a new mentor role of his own. He's a robotics creator showing interest in many areas.

Prasad Karunakaran: [00:09:18] And I want to just throw a plug in for Mario. You know what this is? This is a Google Home. Mario made it here. It's a homemade Google Home.

Tamika Smith: [00:09:25] It's a homemade Google Home. You made this, Mario?

Mario Morias: [00:09:28] Yeah.

Tamika Smith: [00:09:29] Does this actually work, Mario?

Mario Morias: [00:09:31] Yeah.

Prasad Karunakaran: [00:09:33] It does.

Tamika Smith: [00:09:34] Mario Morias started learning with Karunakaran when it was a small community gathering in a basement. He was about 12 then. Now he's 16 and feels ready to teach an emerging field of STEM - ethical hacking.

Mario Morias: [00:09:47] So this summer, I'm going to be running an ethical hacking camp. So I want to get kids introduced to the, like, hacking world because Hackground was built on the term that hacking isn't something that's supposed to be bad. It's supposed to be something that's educational and good.

Tamika Smith: [00:10:05] Although there's a projected shortfall in the number of people like him going into the field, there is no lack of grassroots efforts by communities and state governments preparing current generations for the rapidly changing field of technology. For the CyberWire, I'm Tamika Smith.

Dave Bittner: [00:10:22] Tamika Smith is the newest member of our CyberWire team. You'll be hearing a lot more from her in the coming weeks. We're excited to have her on board, and we hope you'll join us in welcoming her.

Dave Bittner: [00:10:33] Cisco is patching vulnerabilities discovered and reported by researchers at Red Balloon Security. One of them, called Thrangrycat, affects the trust anchor module, which is a proprietary hardware security chip Cisco has used in its equipment since 2013. The vulnerability allows attackers with root access to install back doors in Cisco devices. By itself, Thrangrycat isn't much of a problem since it does, after all, require root access. Unfortunately, another vulnerability, a remote execution flaw without a cute name - it's known only as CVE-2019-1862 - can be chained with Thrangrycat to provide the access necessary to install those back doors. Cisco products are, of course, in use worldwide, so while there are no reports of exploitation in the wild yet, it's a matter of some concern. Cisco issued fixes for both vulnerabilities yesterday.

Dave Bittner: [00:11:31] The University of Toronto's Citizen Lab has attributed a multi-year multilingual influence operation to Iran. The Lab offers its attribution with what it calls moderate confidence. The narratives being pushed were unsurprising. They are directed against the United States - the great Satan - Israel - the lesser Satan - and Saudi Arabia - the throbbing heart of what is Sunni heresy, at least from an Iranian Shiite point of view. Citizen Lab called the campaign Endless Mayfly, and therein lies a tale. The mayfly is, of course, a member of an order of primitive insect whose adults have a proverbially short lifespan - as low as five minutes, in some species - and in any case, too short for the adult imago to even enjoy a decent meal - so a day or so tops; so, too, with the stories pushed by Endless Mayfly. They swarmed, hit the internet and then were gone, like their insect namesake.

Dave Bittner: [00:12:30] Those of you who are connoisseurs of the lower-end supermarket checkout line tabloids will recognize the telltale short lifespan of the preposterously bogus news story. While Woody Woodpecker's sad last days or Minnie Mouse's amazing diet tips might have some traction - and what journalists used to call legs - the more amazing stories tend to rise to become screamer headlines but then sink without a trace, winding up probably somewhere below the Snickers bars and the astrological pamphlets. Thus, you'd think headlines like "President Obama Negotiates Trade Agreement With Space Aliens" or "Hitler, Age 92, Behind Argentina's Invasion Of The Falklands" would warrant some follow-up. You'd think, right? By the way, our supermarket checkout line desk assures us that they saw exactly those headlines in the wild back in the day. But no, you never hear of them again. Next week, they're on to something else.

Dave Bittner: [00:13:27] And that's how it was with Endless Mayfly. Their stories were less entertaining, to be sure, than intergalactic trade agreements or the secret history of late 20th-century South Atlantic conflict, but they were equally implausible and equally short-lived. They also gained little apparent traction and not much amplification on social media. So scoff if you wish, but do note that Tehran's cyber operators learned quickly and got better fast. There's every reason to think they're going to get better at information operations, too. Their basic technique was simple but proven - typosquatting with fairly convincing landing pages that mimicked those of real publications, including Bloomberg, The Guardian, The Atlantic and Politico. So you might easily misread a URL containing The Atlatnic (ph) and be left either marveling at James Fallows' scoop or wondering what in the world had gotten into him. Stay in school, friends, because as you know, spelling always counts.

Dave Bittner: [00:14:32] Now a moment to tell you about our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:15:47] And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, it's great to have you back. We wanted to talk today about asymmetric information and attacker-defender dynamics. There's a lot to unpack there. What do you have to share with us today?

Daniel Prince: [00:16:04] Well, thanks for having me back on. So this came from working with one of my heavily cut economics colleagues here at the university and generally having conversations around this idea from economics of asymmetric information and what that does to markets and different parties and how they behave. And we're reflecting on what happens in cybersecurity, and particularly with sort of a cyber risk management hat on or a defender hat on. Oftentimes as a defender, we obviously know a large proportion of our network. We can start to think about how we would attack it, but we have a significant amount of information about that network. If you have the total map of the network, you can plot the best and most logical route. But for attackers, they incrementally - typically, incrementally build up a picture over time of the network that you have and the systems that you have. So they start out with much less information. That results in, potentially, attack pathways and ways they attack the network, which seem illogical to the defender but very logical to the attacker because they have incomplete and impartial information. The result of that is just thinking about, actually, how do we use that to our advantage as a defender?

Dave Bittner: [00:17:25] Yeah, it's interesting. I'm reminded of that old parable about, you know, the group of blind men trying to describe an elephant by feel. And each of them approaches a different part of the creature, and so they have a different description because each of them has an incomplete part of the whole.

Daniel Prince: [00:17:40] Yeah. And that's - I think that's sort of the heart of the problem. And one of the key things that we need to do as defenders is to think about how we can use this to our advantage in terms of designing the responses but also be aware of that because what we think to be the most likely attack pathway will bias to defending against that pathway. But we've got to remember that as an attacker, they may not ever see that pathway. In your analogy, they may not ever see the trunk. So if they only see four legs, then they're only going to develop an attack strategy which will deal with four legs. But if the most prominent thing that we think about is the trunk, we are only going to ever defend the trunk. And it seems, you know, very simplistic when you kind of go through it. But, actually, I think a lot of people, when they're developing defense strategies or defense technologies or defense systems, because they have that complete picture, that biases them to develop the defenses in certain ways, which, perhaps, may not ever be triggered because the attacker might not see the whole of the network.

Dave Bittner: [00:18:43] How important is it to get a fresh set of eyes on your network, to get an outsider or perhaps a third party to take a look at it without that insider information?

Daniel Prince: [00:18:52] Well, I think that's very important. In terms of the whole idea of penetration testing and vulnerability assessments, this idea of having an external party acting as that attacker, as that particular threat agent, is really useful. And we've seen really strong examples of that - for example, the SEPA scheme that's used in the U.K. now being exported more widely, which takes an intelligence-led attack - interesting approach - where, you know, they take an intelligence approach to try and identify the types of attackers which will come up against an organization in an attempt to really mimic that attacker behavior so that we can get a real sense of how attackers would approach that network and open up those avenues of attack, which, perhaps, because we know more about the network than we think we do, do tend to cause us to not quite think about and maybe go in a different direction.

Dave Bittner: [00:19:45] All right. Daniel Prince, thanks for joining us.

Dave Bittner: [00:19:52] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:20:05] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.