Huawei accused of abetting domestic surveillance in Africa. Cyber gangs adapt and evolve. Prosecutors indicate they’ll add charges to “erratic.” Bluetana detects card skimmers.
Tamika Smith: [00:00:03] Huawei is accused of aiding government surveillance programs in Zambia and Uganda. Cyber gangs are adapting to law enforcement, and they’ve turned to big-game hunting to do it. They’re also turning legitimate tools to criminal purposes. U.S. federal prosecutors indicate they intend to add charges to those the alleged Capital One bank hacker faces. And there’s a new tool out there for detecting gas pump paycard skimmers.
Dave Bittner: [00:00:35] And now a message from our sponsors ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in; it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white-hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Tamika Smith: [00:01:51] From the CyberWire studios at DataTribe, I'm Tamika Smith, sitting in for Dave Bittner, with your CyberWire summary for Thursday, August 15, 2019.
Tamika Smith: [00:02:01] The Wall Street Journal reports that Huawei has embedded technicians in the governments of Zambia and Uganda to help those governments organize and operate extensive domestic surveillance programs. The company has been working to gain a commanding presence in African markets.
Tamika Smith: [00:02:17] Meanwhile, Huawei denies any wrongdoing. In a statement, a Huawei spokesman told the Journal the company never engaged in hacking activities. The statement goes on to say, quote, "Huawei rejects completely these unfounded and inaccurate allegations against our business operations. Our internal investigation shows clearly that Huawei and its employees have not engaged in any of the activities alleged. We have neither the contracts nor the capabilities to do so," end quote.
Tamika Smith: [00:02:46] Huawei has long been suspected of operating as a willing adjunct of Chinese intelligence and security services. The Journal does not say that the operations in Zambia and Uganda were directed by Chinese intelligence, nor does it argue that there is anything about Huawei's technology that made it particularly adaptable to surveillance. But The Washington Post notes the lesson seems to be that Huawei is willing and able to work with repressive regimes. Chinese security services have established a template for repressive surveillance against China's own Tibetan and Uighur minorities. It may be that this template is now being exported.
Tamika Smith: [00:03:24] Accenture's report on trends in cybercrime suggests the possibility that criminal gangs are adapting their tactics to avoid detection and apprehension. Gangs like FIN7, the Cobalt Group and the Contact Crew are increasingly turning to what Accenture calls big-game hunting. Their attacks are growing highly targeted towards their victims. The gangs are using not only custom malware but also commodity attack tools traded on the black market. The higher-end criminals, Accenture concludes, are adapting legitimate tools like Metasploit, Cobalt Strike and Meterpreter to illicit purposes. It's also noteworthy that some of the gangs, including FIN7, have survived the arrest of some of their ringleaders and continue to prosper. There is an attack defense seesaw, and for now, the attack side seems to be rising.
Tamika Smith: [00:04:12] New research points out that, in 2020, there will be more positions in cybersecurity than people with the skills to fill them. Taylor Armerding, who writes about this topic for Synopsys, a software company, says his focus is on cybersecurity and privacy.
Tamika Smith: [00:04:29] How important are credentials in these cybersecurity fields, especially when you start talking about a forecasted shortfall?
Taylor Armerding: [00:04:36] I would say they are important, but they're not as important as other things. In fact, there was a blog post on a site called Indeed that was saying one of the problems with job postings is that they tend to demand credentials that aren't really necessary. You know, I would say that you need some tech training in that sort of stuff, but you can be trained on the job. And then, besides that, once you have done some work, credentials come with experience, I guess you'd say (laughter). You know, demonstrating that you can do a job is much, much more important than a degree or, you know, some other kind of certificate or certification - things like that.
Tamika Smith: [00:05:19] Can you talk a little bit about the forecasted numbers in the shortfall? Because in your article here, it says that officials estimate the job growth in the sector is going to be at, like, 30% - 37% a year, at least through 2022, and that's conservative.
Taylor Armerding: [00:05:36] The U.S. - the United States job shortage is an estimated 300,000 jobs; in other words, unemployment is below zero (laughter), which is kind of interesting. And worldwide that figure is in the millions. Supposedly, two years from now - one of the estimates I saw said that two years from now, the worldwide job shortage of skills will be 3.5 million. And I think that's because, as I said in that story, the threats are increasing. The bad guys and the tools that the bad guys use are more sophisticated, so the threats are expanding, they're increasing, and there is an increasing need for skilled cybersecurity workers. You may be familiar with the RSA Conference, the annual conference out in San Francisco that's probably the biggest security conference. I went to that for the first time about six years ago, and there were maybe, I think, 25,000 people; now there's close to 50,000 people. So it is an (laughter) explosively growing industry, I would say.
Tamika Smith: [00:06:41] A lot of people who are volunteering in this field of educating and working with nonprofits to help get the youth involved, they're saying there is a lack of support in the public school system and in the education system altogether. Do you have any thoughts on that?
Taylor Armerding: [00:06:59] It seems like our legacy educational system is not designed to - for rapid response. It kind of gets entrenched in a certain model, which doesn't mean it doesn't do anything well; it does a lot of things well. But when something like this happens - you know, you've got a lot of teachers who have tenure and who aren't going anywhere for anywhere from 10 to 30 years. Meanwhile, the need for tech training for - you know, for the STEM fields is explosively growing. It's one of those things that just - it's very difficult.
Taylor Armerding: [00:07:30] It's like, you know, as - one of the images is trying to turn an ocean liner on a dime or something like that. It's just not geared for rapid response. That said, it does seem like there are all kinds of initiatives within the industry. There's people who are doing mentoring. It's happening. It's just happening in a very diversified and diffuse - and it's not kind of centered on our educational establishment, which I think will change, but it ain't going to change real quick (laughter), I don't think.
Tamika Smith: [00:08:04] In your article, you mentioned the lack of diversity in this field.
Taylor Armerding: [00:08:08] Yes.
Tamika Smith: [00:08:09] How do you suggest that that challenge is tackled?
Taylor Armerding: [00:08:13] Part of it, I think, is awareness, like just about anything. When people become aware of a problem, that's at least a first step because once they're aware of it, they at least have a tendency to support or even take some initiatives themselves. I mentioned in the story a guy named Gary McGraw who, for a number of years, had a podcast called "The Silver Bullet Podcast." And he decided, I think it was in 2017, to interview only women, and it was easy to find them. There were some outstanding female stars in the field.
Taylor Armerding: [00:08:45] He said - I'm quoting, "If you go to your typical panel at a conference, it's mostly men. There are women involved who can be role models, but we need to make sure that schools aren't set up to discourage that." You need to encourage minorities. You need to encourage women. They - they're just as smart as the guys are. But there has been, you know, a sense that this is a guy's field. And it must not be because there aren't enough guys to do it. You need everybody.
Tamika Smith: [00:09:11] That's Taylor Armerding from Synopsys.
Tamika Smith: [00:09:14] An update on the case of the accused Capital One Bank data breach hacker. There was speculation that Paige Thompson, who went by the online handle Erratic, was involved in cyber incidents affecting as many as 30 other organizations. Observers speculated the other incidents may have been exaggerated, if they occurred at all. But this week prosecutors filed additional court documents indicating that they had indeed found evidence of those alleged cybercrimes compromising other organizations. The Justice Department said most of the compromised files did not contain personal information, but it informed the court that it expects to file additional charges in the case. Thompson remains in federal custody.
Tamika Smith: [00:09:56] And some good news for cyber law enforcement. Credit card skimmers, the bane of gas station customers, can now be spotted with a tool called Bluetana. The device is the product of joint research by the University of California, San Diego, and the University of Illinois, Urbana-Champaign, with technical input from the U.S. Secret Service.
Tamika Smith: [00:10:16] Bluetana seems to enjoy a high success rate, but there are legitimate devices that can look like card skimmers to the scanner, so the system gives investigators indicators as opposed to conclusive evidence that a skimmer is present on any given gas pump. That's still valuable. Bluetana helps tell police that they should take a second look.
Tamika Smith: [00:10:35] The research surrounding Bluetana suggests why criminals find it worth their while to deploy card skimmers at gas pumps. They realize a profit quickly. A principal investigator on the project wrote that, based on prior figures, they estimate per-day revenue from a skimmer at about $4,200, with a high-end estimate of $60,000. And why gas pumps? For the most part, they're outdoors and unattended, so installing a skimmer is a low-risk, high-reward proposition.
Tamika Smith: [00:11:05] The U.S. Secret Service involvement isn't surprising. While the service is best known for presidential security, it's primarily responsible for investigating federal financial crimes, and it's often called in to look into cases of fraud at the gas pump. And if you're running a business in the United States, it may be worth the time to get to know your local Secret Service office.
Dave Bittner: [00:11:32] Now a moment to tell you about our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need to Know About Security Orchestration, Automation and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:12:49] And I'm pleased to be joined once again by Malek Ben Salem. She's the senior R&D manager for security at Accenture Labs. It's always great to have you back. You and I have been talking about the trip you recently made to RightsCon. And one of the topics of discussion there was how to deal with disinformation campaigns online. What can you share with us?
Malek Ben Salem: [00:13:08] Yeah, so one of the interesting conversations in that conference was about, you know, freedom of expression on the internet versus censorship - the voices that are asking now for more control and more moderation of what gets published on the internet, in particular, after the - all the disinformation campaigns that we've seen throughout election cycles - for instance, that video of Nancy Pelosi a few months ago. So the question is, how can we fight disinformation; whether there are any viable approaches, techniques; and can we do it without censorship - right? - without turning into - while keeping the internet the way we know it - as a platform for free expression.
Dave Bittner: [00:13:53] What were some of the ideas tossed around?
Malek Ben Salem: [00:13:56] It seems that there is a consensus that we definitely need to develop standards of internet transparency and integrity. We also need to limit space for impersonators. Existing platforms - anybody can create an unlimited number of accounts in an anonymous manner. The question is, do we need to have more checks to check that the people creating accounts are really, you know, physical people as opposed to bots - right? - that can start building or propagating information without them representing people in the real world? So they don't reflect the public opinion and the real world.
Dave Bittner: [00:14:41] Right. But then I suppose there's a - there are legitimate needs for anonymity online as well.
Malek Ben Salem: [00:14:47] Absolutely. Yeah. And that's really one of the advantages of the internet that gets also, I guess, reflected by the development of platforms like Blockchain and Ethereum, where you see platforms being created that are decentralized, distributed and people can join anonymously. That reflects the need for anonymity. It's still a trade-off. I don't think anybody would say that we need to completely remove the ability for people to interact in an anonymous manner, but limiting the space for impersonators is what's needed - limiting that space meaning checking for bots that really have more harmful impact.
Dave Bittner: [00:15:31] Yeah. I mean, what a challenge to try to have, you know, community standards when you have, truly, a global community.
Malek Ben Salem: [00:15:38] Especially as we see, also, that the impersonation techniques are changing and are evolving, right? Now you see these bots infiltrating authentic social groups, right? So it's not like, you know, one bot that's broadcasting wrong information on their own, but they're really infiltrating the more closed groups and domestic social media dialogue. How do you detect that? It's not straightforward, but I think we need to do more research and come up with some ways of, again, not completely limiting this, but perhaps limiting the space for these impersonators.
Dave Bittner: [00:16:16] Yeah, it strikes me, too, that there's - one of the things that by automating - the ability to automate these things - that that enables an asymmetry that I don't know that we had to deal with before, that the scale and velocity at which folks who are out there to spread misinformation and so forth - it can do so. It's a different ballgame than it used to be.
Malek Ben Salem: [00:16:37] Absolutely. The automation of the fast propagation of these - of this misinformation is at an unprecedented scale - but also, the automation of generating misinformation, automatically generating deepfakes, right? We've never seen that before - automatically generating videos that mimic a real person that look, really, like a real person and that are hard to detect in real time. That's an absolutely new challenge. And it will continue to grow as we make use of, you know, GANs - general adversarial networks - to perform or to build these deepfakes. So it's a challenge that will continue to grow, and we need to work with the social media companies to come up with some common standards where we can identify these deepfakes and synthetic data.
Dave Bittner: [00:17:31] Interesting stuff for sure. Malek Ben Salem, thanks for joining us.
Malek Ben Salem: [00:17:34] Thank you, Dave.
Tamika Smith: [00:17:40] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Tamika Smith: [00:17:52] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Dave Bittner, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Tamika Smith. Thanks for listening. We'll see you tomorrow.