CyberWire Daily - A 2018 Presidential finding authorized the CIA to conduct a broad range of offensive cyber ops. Data breaches and ransomware incidents. Sloppy VPNs. SEC warns, and China woofs.
Episode Date: July 15, 2020
A 2018 Presidential finding authorized extensive CIA cyber operations against Russia, China, Iran, and North Korea. Wattpad may have been breached. The SEC asks its registrants to take steps to protect themselves against ransomware. Free VPNs' databases found exposed. Joe Carrigan on privacy vs. security on Android devices. Our guest is Chris Deluzio from Pitt Cyber on election security. And Beijing woofs in the direction of London over the UK's Huawei ban. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/136
Transcript
You're listening to the CyberWire Network, powered by N2K.
A 2018 presidential finding authorized extensive CIA cyber operations against Russia, China, Iran, and North Korea. Wattpad may have been breached. The SEC asks its registrants to take steps to protect themselves against ransomware.
A free VPN's databases are found exposed.
Joe Carrigan on privacy versus security on Android devices.
Our guest is Chris Deluzio from Pitt Cyber on election security.
And Beijing woofs in the direction of London over the UK's Huawei ban.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, July 15, 2020.
A 2018 presidential finding authorized the U.S. Central Intelligence Agency
to conduct offensive cyber operations against a range of foreign
targets, according to a story running exclusively in Yahoo.
Iran, Russia, China, and North Korea figured prominently on the target list, unnamed former
government officials said.
The activities authorized extended beyond intelligence collection to include actively
disruptive measures and influence
operations.
The finding was sufficiently broad to encompass organizations credibly believed to be acting
on behalf of, or in cooperation with, hostile intelligence services.
The active measures the CIA was authorized to take included actions against financial
institutions, kinetic effects against infrastructure,
and hack-and-dump operations in which documents are taken and posted when and where they could be expected to influence opinion.
The people speaking on background for the story told the reporters that Langley had been to some extent divided on the advisability of offensive cyber operations,
but that the CIA had sought such authority for years,
going back at least two administrations.
They had expected both Presidents Bush and Obama to sign a relevant finding,
but neither did.
They had not expected such a finding from President Trump
and were pleased when it was signed, or more than pleased.
One of the unnamed former officials told Yahoo's
reporters, quote, people were doing backflips in the hallways, end quote. Former CIA General
Counsel Robert Eatinger, who did speak on the record, had no knowledge of the 2018 finding,
but he did confirm that there had for some time been two camps at Langley, those who saw restraint in cyberspace as prudent and valuable,
and others who sought authority for more offensive cyber operations.
Yahoo says that neither the CIA nor the National Security Council responded to their questions.
Bleeping Computer reports that popular storytelling site Wattpad may have been hacked for a 270 million record database.
The information, formerly for sale, is now being offered for free in various hacker sites.
Its authenticity is under investigation, and Wattpad has brought in security assistance to help it run down what the incident actually amounts to.
Researchers at Comparitech say they've found that Hong Kong-based VPN provider UFO VPN left a database of user logs and API access records exposed online without passwords
or any other form of authentication to protect it. vpnMentor says it found an even more extensive exposure.
It wasn't just UFO VPN, but six other brands as well: FastVPN, FreeVPN, SuperVPN, FlashVPN,
SecureVPN, and RabbitVPN. They all appear to share a common developer. The data vpnMentor says it
found exposed include PII of some 20 million users,
and it runs to such items as email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details.
The seven apps advertised themselves as both free and no-log,
no-log meaning that they didn't collect any personal information,
but that seems not to be true.
The seven apps are connected in a number of ways.
Their branding tends to be similar,
and several of them promise military-grade security.
We're not sure either what military-grade means,
but it probably doesn't extend to leaving an Elasticsearch server
flapping in the
virtual breeze. vpnMentor thinks they are all white-labeled versions of the same product.
In any case, they use the same Elasticsearch server, they're hosted on the same assets,
and they use a single recipient for payments, DreamFi HK Limited. vpnMentor says,
There are a lot of excellent free VPNs out there,
but in the case of these seven,
you apparently get what you pay for.
The U.S. elections will be here before you know it.
Oh, heck, let's see here.
Hey, Siri.
Yes?
How long till the U.S. elections?
It's 111 days until then.
Okay.
Chris Deluzio is Policy Director at the University of Pittsburgh's Institute for Cyber Law, Policy, and Security, also known as Pitt Cyber.
He joins us with insights from their recent report titled, Ensuring Safe Elections.
Well, I think the situation in the world right now where we're confronting a public health crisis
and we in many states are dealing with primary elections
and across the country have a general election in November
that includes the election of the president,
all members of the House of Representatives,
many senators, many state officials, presents a very unique set of challenges. And many of the solutions to those
challenges require a serious infusion of resources, largely to the states, and to be really precise,
to local officials of the county or in some places, city or town level. And without those new resources,
and really that ought to come from the federal government, given the national scope of what
we're confronting, we fear that election officials who are, again, predominantly local and state
folks won't be equipped to protect our democracy and ensure that voters are able to vote safely and securely come November.
What is the spectrum that you see going from state to state? Are there states that are
much better off ahead of the pack when it comes to these sorts of things and others that need
to catch up? Well, I think states that already are doing vote by mail as a primary method of voting are, of course,
well suited to give people the best chance to vote safely during a public health crisis.
But then there are a whole lot of states that aren't the five that primarily vote by mail
that also offer no excuse absentee voting or no excuse mail voting.
And so they're also in a good position.
But of course, the devil's in the details. Are those states affirmatively sending applications or ballots? States that have things
like automatic voter registration, where you're capturing updates to people's addresses if they
interact with a government agency, say the DMV, for example. Those states have likely cleaner and
more accurate voter registration lists and thus can make a pivot or transition to a mail voting system perhaps more quickly.
And so they're in a better position.
And that's a growing number of states, but not the majority yet.
Why not shift to things like voting online?
Why the emphasis on voting by mail?
Well, the unfortunate truth is that online voting just is not secure and ready for prime time. There's, frankly, consensus among computer science experts
and others who have studied online voting and show that the unique challenges of an election,
where voters have to be, their votes are anonymous, that online voting presents too many risks,
and the hacking in particular vulnerabilities are too substantial to overcome. So it's not a
viable option for secure elections. And so we have to instead look at what technologies and
options we have. And those really are to adapt our current voting system, which is a mix in the
states of voting in person and voting by mail, to the public health crisis. And for most states,
that means expanding the ways in which voters can safely vote from home, while also making sure we
have good, reliable, and safe options for voters to vote in person who may need to.
That's Chris Deluzio from Pitt Cyber.
The U.S. Securities and Exchange Commission has issued a ransomware warning to its registrants,
which include broker-dealers, investment advisors, and investment companies.
The SEC's Office of Compliance Inspections and Examinations refers the registrants to
applicable CISA alerts. The Dridex strain
is particularly called out. The office suggests that they pay particular attention to incident response and
resiliency policies, procedures and plans, awareness and training programs, vulnerability
scanning and patch management, access management and perimeter security. CNBC, which has been watching Chinese state media closely,
says that Beijing is advising itself through those media to retaliate in a public and painful way
for Britain's ill-founded decision to boot Huawei from the UK's 5G infrastructure.
The state-run Global Times put it this way, waving both carrot and stick, quote, it's necessary for China to retaliate against UK,
otherwise wouldn't we be too easy to bully?
Such retaliation should be public and painful for the UK.
The paper wrote, thus the stick.
And here's the carrot, quote,
but it's unnecessary to turn it into a China-UK confrontation. The UK is not
the US, nor Australia, nor Canada. It's a relative weak link in the five eyes. In the long run,
the UK has no reason to turn against China with the Hong Kong issue fading out. End quote.
So, London, wise up. You're not as important as the US, Australia, or Canada.
Maybe a northern hemispheric New Zealand.
So the carrot's there.
We don't want no trouble, but they're actually kind of whacking Her Majesty's government with it.
Hong Kong's old news, London, and you've lost that one anyway.
So wise up and do business with Shenzhen.
We paraphrase.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information
Security Institute and also my co-host over on the Hacking Humans podcast. Joe, great to have you back. Hi, Dave.
Interesting article came by.
This is from the folks over at Android Central,
an online website written by Jerry Hildenbrand.
And the title is Security Isn't Privacy,
and You Can Have One Without the Other.
Yep.
It's a titillating title there, Joe.
What's your take on this article?
I like this article a lot.
It embodies everything I like about Android and everything I dislike about it.
And Jerry makes a good point here, that Android is one of the most secure operating systems ever.
And the reason it's one of the most secure operating systems ever is because it's open source. It has a lot of eyes, eyeballs looking
at the code. There are people looking for exploits. And when they find the exploits,
they sell them to Google, who then patch the exploits or vulnerabilities rather, not the
exploits. And Google does a very good job of keeping this operating system secure because it is so integral to their business model, right?
They need to make sure that by secure that only the intended people have access to the device.
Now, that's where privacy comes in because one of those intended people is Google.
And Jerry points out in this article that you are making an economic decision to trade your data to Google. And he makes a point that Google doesn't sell your data to
third-party providers, but they use that data to build a profile of you that is remarkably accurate.
I was going to say it too.
Maybe a distinction without a difference in this case.
Well, I don't think, I think it's more of a distinction.
I think there's more of a difference.
Yeah, they're going to, you know, they can break down their demographics like we've never had the opportunity in the history of, in human history to break down demographics like
this before, right?
And target ads at such a group of people that are interested in a particular,
that we get the highest return on the advertising dollars that we possibly can.
Okay.
So from the business standpoint, it's a really good proposition.
The question is, do you, as an Android user,
want to be targeted with that level of specificity.
And if not, maybe you make a different selection.
Yeah.
Maybe you make a different decision. Jerry makes some good points here.
I mean, you look at apps like Google Photos, which is something that I use.
Right.
And boy, the functionality of that is great.
It really is an enhancement over other photo apps that I've used to be able to
just go in and do a plain text search for anything, you know, dogs in the snow, boom,
all the pictures of your dog in the snow. Right, right. It's, it's, it's wonderful. But like you
said, the, the trade-off there is that you're, I'm giving them access to those photos to do
machine learning training and all
the different sort of things that they want to do with them. But I've made that decision that it's
worth it. Right, exactly. And that's really the important thing is we have to make that decision
consciously, right? And a lot of us don't do that. A lot of us just go, ooh, cool, and it's free?
Yeah, kind of. It's kind of free. You're paying for it
with your behavior and your personality and your location and your likes and your dislikes.
Well, and I think also an important point here is that this is okay as long as there's another
choice. In other words, if Google were the only game in town, if they had a true monopoly
and Android was the only mobile operating system that had any meaningful market share,
well, I think we'd have a different value equation there. And perhaps Google would operate
differently because they wouldn't have the competitive pressures that they have now
to not go too far. Yeah, maybe they would sell your data at that point.
Yeah.
Because that would be incredibly lucrative.
And when I say sell your data, I mean actually take the data that they built about you
and transfer that to a third party for money.
Not sell your data like I'm going to sell advertising to Dave
because the advertiser wants specifically to reach Dave and people like Dave.
Right.
It's interesting to me, this article points out this notion that security isn't privacy. And I think that's an important point because I think that's something a lot of folks
overlook. They kind of group the two things together. And I think it's important to have
a distinction in your mind that they're not the same thing.
I agree 100%. That is a very important distinction that we all need to be aware of.
Like I said earlier, security is,
I want to make sure who can access the device
is an authorized user.
I want to make sure that they can't do anything remotely
to get access to it.
These are the kind of things we think about as security.
Privacy is, nobody knows my data but me.
And that is not what you're getting when you're
getting an Android phone. Yeah. Yeah. And it's possible to have your privacy compromised securely.
Yes, absolutely. All right. Well, again, the article is security isn't privacy and you can
have one without the other. It's over on Android Central. Joe Carrigan, thanks for joining us.
My pleasure, Dave.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.