Stuxnet’s story. Watering hole was designed to attract China’s Muslim minority. USBAnywhere affects some Supermicro servers. Twitter’s CEO has his Twitter stream hijacked.
Dave Bittner: [00:00:03] A report on Stuxnet suggests there were at least five, and probably six, countries whose intelligence services cooperated in the disabling cyberattack against Iran's nuclear enrichment program. The watering hole, Project Zero reported last week, seems to have affected Android and Windows as well as iOS devices and appears directed against China's Uyghur minority. The USBAnywhere vulnerability affects servers. And, no, those tweets last Friday weren't from Mr. Dorsey.
Dave Bittner: [00:00:38] And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights, like remediation advice, to help fix faster, while methodology-driven assessments ensure compliance needs are met, at bugcrowd.com.
Dave Bittner: [00:01:56] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 3, 2019. A report in Yahoo News offers details on the Stuxnet attack against Iran's Natanz uranium enrichment plant. The authors, Kim Zetter and Huib Modderkolk, say that the U.S. CIA and Israel's Mossad approached the Netherlands' intelligence service AIVD, which had an asset close to Iran's nuclear program. According to the story, that asset, described as a mole who had been trained as an engineer, was able, over a protracted period of time, to deliver the Stuxnet attack code via USB to the air-gapped centrifuge controllers at Natanz. The centrifuges were arranged in a cascade that separated out uranium hexafluoride gas containing the fissile uranium isotope uranium-235 from that containing the far more common uranium-238. Uranium-235 can be used in fission weapons, whereas uranium-238 cannot. Since the two isotopes are chemically identical, they can only be separated by physical means, like a centrifuge. That's what the 1,700 centrifuges in the Natanz cascade were being used for.
Dave Bittner: [00:03:13] While the principal cooperating intelligence services were American, Israeli and Dutch, German, French and British services are also said to have participated. The agent on the ground is reported to have provided the American and Israeli services with the technical information necessary for precision targeting. Stuxnet was intended for the controllers at Natanz only, not for any of the many other users of Siemens programmable logic controllers around the world. The Dutch service became interested in Iran's nuclear program when rogue Pakistani physicist Abdul Qadeer Khan stole centrifuge designs from a Dutch company in the 1970s, used them in Pakistan's nuclear program and then sold them to other aspiring nuclear states, including Libya, Iran and probably North Korea. AIVD infiltrated A.Q. Khan's supply network, which for the most part consisted of European consultants and front companies. It also succeeded in hacking email systems used by Iran's nuclear weapons program. Thus, they had assets in a position to help when friendly powers asked for assistance.
Dave Bittner: [00:04:23] Reports last week originating with Google's Project Zero that detailed watering hole attacks against iOS devices were amplified over the weekend. Forbes reports that the attacks also affected Android and Windows systems. There was speculation at the time of the initial reports that the attacks, while relatively indiscriminate, were intended to target specific groups. It now appears, according to TechCrunch, that the attackers were Chinese security services and the targets were China's Uyghur minority. Google has received some criticism from TechCrunch and others for what they regard as Mountain View's circumspection with respect to calling out the involvement of China's government.
Dave Bittner: [00:05:05] As unrest continues in Hong Kong and Beijing's reaction continues to escalate, Bloomberg and others report that Hong Kong protest organizers say that the Chinese government has mounted distributed denial-of-service attacks against LIHKG, the principal forum the protesters have used to coordinate their actions. China has represented most of the online pushback against the Hong Kong protesters as the spontaneous reaction of patriotic expatriate Chinese. And some of it is probably exactly that. But the fissures that have appeared in the Great Firewall do seem to argue that China's government did what it could to enable, encourage and organize the patriotic hacktivism. They also suggest that the government is doing a lot of its own propaganda.
Dave Bittner: [00:05:53] As we head through the second half of 2019 toward 2020, the cyber skills gap continues to challenge employers as they try to find qualified workers to fill jobs in cybersecurity. Rinki Sethi is chief information security officer at cloud data management company Rubrik.
Rinki Sethi: [00:06:11] In 2020, we're going to have millions of roles open for cybersecurity and not even close to that many folks in the cybersecurity workforce. And so there's going to be a very, very big talent gap. It already exists today, but it's going to get even bigger and even worse in the next few years.
Dave Bittner: [00:06:30] So what do you think is causing that talent gap, and what are some of the ways we can address it?
Rinki Sethi: [00:06:34] I remember when I first started my career, I had a computer science degree, and there was maybe one cybersecurity course and I was lucky in college that that was even offered as part of the curriculum for a computer science program. I don't think that's changed much today. And so when folks are getting technical degrees, a lot of times, there's these very defined career paths that they'll take, whether it's development or they go into a support-type role. But for cybersecurity, it's not still a well-defined career, and there are still not a lot of courses available in the education system to get young folks really acquainted with cybersecurity.
Dave Bittner: [00:07:15] Now, I know something that you're actively involved with is getting young girls involved in cybersecurity, opening up that career pathway for them. Can you share with us some of your efforts there?
Rinki Sethi: [00:07:26] I think it was a couple years ago that my daughter was playing a game on her cellphone, and it sent her a text message, asking, we need some kind of authorization code for you to get more toys for the game. And she texted back, saying, my dad's sleeping right now so let me get back to you once he's awake. And I realized being in the cybersecurity profession myself, I haven't taught my own daughter the right skills. And there's a huge gap when it comes to teaching kids about cybersecurity. They're introduced to new technology very, very early on. You see 2-, 3-year-olds with iPads and phones, and they know how to use technology. And yet we're not teaching them the most important part, which is around cybersecurity.
Rinki Sethi: [00:08:08] And so when I was at Palo Alto Networks, they saw the importance of, we've got to introduce this to kids at an earlier age. So we had signed a partnership with the Girl Scouts to introduce the first set of national cybersecurity badges for kindergarten through 12th grade. And the idea being that cybersecurity curriculum would be available to every single zip code in the United States, such that now these Girl Scouts would not just learn about cybersecurity but would be able to teach their communities, teach their teachers, even teach their peers, teach their parents and grandparents about cybersecurity and learn concepts early on to benefit the community.
Rinki Sethi: [00:08:48] But not only that - now they've been exposed to cybersecurity, and hopefully some of these girls will enter the workforce as cybersecurity professionals. And if they don't, they're at least going to carry some expertise in whatever job that they do, which is going to be very important for our future workforce.
Dave Bittner: [00:09:04] And what has your own experience been like? As you've been building the teams that you've led and the teams you've worked with, how do you make sure that you have an open, welcoming environment for women who want to join you?
Rinki Sethi: [00:09:15] That's really important. Having an environment that's inclusive not just for women but for all people of all different kinds of backgrounds, I think it's a really important thing. Obviously, it hasn't been easy for me. I've been the only woman on many cybersecurity teams. I'm proud that my - at my last company, I had a team that was 50% women and 50% men. And so - which is kind of unheard of in the cybersecurity field.
Rinki Sethi: [00:09:40] I think that - you know, and the way that I've done that is I go out, and when I'm recruiting for talent, I'm not just looking for those that have careers in information security. Because like I said, I think to fill the deficit that we're going to have, we're going to have to expand and look for, get creative with the type of folks we're bringing in, people with different backgrounds - with different education backgrounds, different work experience, that are really curious, that want to learn, that can then apply themselves to cybersecurity. And so I've done that.
Rinki Sethi: [00:10:11] You know, I remember, I've hired somebody with a journalism degree from Stanford who had led security education and awareness for me, as an example, but had run communications and PR teams in her past and then was using those skills to run an internal education and awareness program at a previous company. And I think when you get creative like that, you not only are bringing new folks into the workforce, but it creates a very inclusive environment for women and for people of different backgrounds.
Dave Bittner: [00:10:39] That's Rinki Sethi from Rubrik.
Dave Bittner: [00:10:43] Eclypsium has disclosed a family of authentication vulnerabilities it discovered in Supermicro X9 through X11 servers' baseboard management controllers. Eclypsium calls the vulnerabilities USBAnywhere. Their exploitation could enable a range of USB-based attacks.
Dave Bittner: [00:11:02] Krebs on Security summarizes reports that attackers running phishing expeditions are paying increased attention to cloud providers. In the case he discusses, the criminals were seeking credentials belonging to United Rentals customers. They used a malicious link and a spoofed email that in fact sent the recipient to United Rentals' site but that also installed a malware package in the process.
Dave Bittner: [00:11:27] Finally, Twitter's CEO, Jack Dorsey's, Twitter account was hijacked Friday afternoon to display racist messages. The company fixed the problem, which it blamed on issues with Mr. Dorsey's cellphone carrier, within an hour and a half. The messages are said to have been puerile. The Verge says a group calling itself the Chuckle Squad claimed responsibility. The Chuckle Squad also hit a range of YouTube celebrities with similar hacks last week. Law enforcement has been notified, and the Chuckle Squad may soon be given the opportunity to giggle its way through a sabbatical at Club Fed.
Dave Bittner: [00:12:08] Now a word from our sponsor, KnowBe4. Email is still the No. 1 attack vector the bad guys use, with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization with an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you could be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick. So check out the 10 incredible ways and learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents, establishing fake relationships and compromising a user's ethics are so effective. Details behind clickjacking and web beacons, and how to defend against all of these - go to knowbe4.com/10ways to watch the webinar. That's www.knowbe4.com/10ways. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:13:26] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Joe, always great to have you back.
Joe Carrigan: [00:13:35] Dave, it's always great to be here.
Dave Bittner: [00:13:36] We are in the midst of back-to-school season.
Joe Carrigan: [00:13:39] Yes, we are. We had our orientation this past week.
Dave Bittner: [00:13:43] At Hopkins.
Joe Carrigan: [00:13:43] Yep, at Hopkins, where we had all of our different, like, new student orientations. We have a bunch of different orientations, like undergrad. The ISI has their own orientation. And I was present at that, so yeah...
Dave Bittner: [00:13:53] Is there any sort of onboarding when it comes to getting the students on to the networks on campus and all that sort of stuff? What kind of stuff do you do?
Joe Carrigan: [00:14:02] Yep. All that stuff has to happen. That stuff happens, like, in the last couple of weeks of August. We have our own network at the Information Security Institute because, as you might imagine, (laughter) we do some stuff that the Hopkins security team doesn't want happening on their network.
Dave Bittner: [00:14:18] All right. I see.
Joe Carrigan: [00:14:19] So we are actually outside of the Hopkins network. And we have engineers that manage that network as well. And because we're not part of that network, we have to have all of the students signed up for their own domain access within the MSSI network. MSSI is the actual degree that we give out. It's a master of science in security informatics.
Dave Bittner: [00:14:42] OK.
Joe Carrigan: [00:14:43] And so, yeah, we have to go through this process of setting up user accounts, getting agreements from the users, the students, on how they're going to use the system appropriately, telling them if you really think you're going to set up something that could be potentially malicious, we need to know about that in advance.
Dave Bittner: [00:14:57] Right.
Joe Carrigan: [00:14:57] And we have a special place where you can put that that's really not even associated with the - with our network, so...
Dave Bittner: [00:15:03] I see.
Joe Carrigan: [00:15:04] And from time to time, we do get telephone calls from network security going, what's going on over there? 'Cause we're getting complaints.
Dave Bittner: [00:15:11] It's a really interesting thing to think about how folks in the education industry...
Joe Carrigan: [00:15:18] Yeah.
Dave Bittner: [00:15:18] ...Have this huge onboarding every year.
Joe Carrigan: [00:15:21] Right. And there is a lot of personal information that goes into this process.
Dave Bittner: [00:15:25] Oh.
Joe Carrigan: [00:15:25] And these people - you know, just think about signing a kindergartner up for school. You have to give them a bunch of information. You have to give them the name, the address, the parents' names, who's eligible to pick them up.
Dave Bittner: [00:15:35] There's medical information.
Joe Carrigan: [00:15:36] Medical information - you have to have vaccination records and things like that.
Dave Bittner: [00:15:39] Yeah.
Joe Carrigan: [00:15:40] So that's PHI, right? And all this information is then stored, presumably, on a computer system. Most school districts in the country are smaller than 2,500 students, right? Because here in Maryland, our school districts are organized by county.
Dave Bittner: [00:15:54] Right. So they're bigger than most other places.
Joe Carrigan: [00:15:57] Right. Like, we live in Howard County, so there's a Howard County public school system and - but in other parts of the country, it's not like that. It's - school districts are much smaller organizations. And because they're much smaller organizations, they have less money, which means they don't have as much money for securing the data that they're collecting from these people.
Dave Bittner: [00:16:15] And that can make them a target.
Joe Carrigan: [00:16:16] And that can make them a target. In fact, it frequently does.
Dave Bittner: [00:16:19] Well, let me ask you this. I mean, you have kids who are around college age.
Joe Carrigan: [00:16:24] Yes, I do.
Dave Bittner: [00:16:24] If you're sending them off to school, in addition to whatever the school is providing, what would you do to set them up for success from a cybersecurity point of view?
Joe Carrigan: [00:16:35] You mean what would I do that I haven't already been doing for the past 10 years or...
Dave Bittner: [00:16:39] Well, yeah. I mean, you know, I don't know. Do you have the talk with them, the security talk? You're heading off to a bigger world (laughter).
Joe Carrigan: [00:16:47] Right.
Dave Bittner: [00:16:48] And, you know, there are going to be people who are going to try to steal your things.
Joe Carrigan: [00:16:52] Yeah. You know, when my son was in high school, I got him a cheap Chromebook that was sufficient to get him through high school and did everything he needed to do. I like the Chromebook because the security is constantly being updated. I think Google does a good job with it. You could argue that Google is using all that information for data mining, and that's a risk I'm aware of.
Dave Bittner: [00:17:11] Right.
Joe Carrigan: [00:17:12] But I've decided that's OK with me. That's why I go with Chromebooks for my son when he was in high school. Now he's in college. He's using a laptop that's a personal computer-style laptop. So he's beyond the Chromebook. My daughter, who is now graduated from college and actually completed the cybersecurity track in her computer engineering degree, I think she's probably good.
Dave Bittner: [00:17:35] She doesn't - she's telling you what to do.
Joe Carrigan: [00:17:38] Right.
Dave Bittner: [00:17:38] Yeah. OK. Fair enough.
Joe Carrigan: [00:17:38] She's saying yeah, this is...
Dave Bittner: [00:17:40] (Laughter) Right. OK.
Joe Carrigan: [00:17:41] And she's also grown up with me and my wife, and we all have a healthy dose of skepticism on a regular basis. My son's that way as well.
Dave Bittner: [00:17:48] Yeah.
Joe Carrigan: [00:17:49] He just might not be as technically astute.
Dave Bittner: [00:17:52] All right. Well, I mean, it's a good time to sort of take stock, I think, and make sure, as you send those kids out into the world, whether it be, you know, high school, middle school or even off to college, check in with them. Just have a conversation. Make sure that they're where they need to be in terms of security.
Joe Carrigan: [00:18:07] Yeah. And be careful about the information you give to the school. You know, if they're asking for your Social Security number - I don't know if they would ask for that - don't give them that.
Dave Bittner: [00:18:15] Joe, when I was in college, my Social Security number was my student ID.
Joe Carrigan: [00:18:23] Mine, too.
Dave Bittner: [00:18:23] (Laughter) It just makes me think about how many legacy bits of paperwork and records are on file...
Joe Carrigan: [00:18:29] Yep.
Dave Bittner: [00:18:29] ...On campus that all tie back to my Social Security number.
Joe Carrigan: [00:18:32] Yes.
Dave Bittner: [00:18:33] Yeah. Yeah. Good times. Good times. All right. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:18:37] It's my pleasure.
Dave Bittner: [00:18:42] And that's the CyberWire.
Dave Bittner: [00:18:44] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:18:55] Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:19:24] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.