CyberWire Daily - Adidas data breach. Facebook on data abuse. Investigation of Exactis data exposure continues. Algonquin College hacked. Tenable's IPO. US-Russia summit will talk election influence ops.

Episode Date: July 2, 2018

In today's podcast we hear a bit about the data breach Adidas disclosed late last week. Facebook answers Congressional questions for the record and adopts a data abuse bounty program. Investigation of the Exactis data exposure incident continues, but the class action lawsuits have already begun. Algonquin College discloses a hacking incident. Tenable will hold an IPO. US-Russian summit will take up election influence ops. FireEye says North Korea is hacking Latin American banks. Joe Carrigan from JHU ISI reviewing a recent Black Hat survey of cyber security industry professionals. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. website. Facebook answers congressional questions for the record and adopts a data abuse bounty program. Investigation of the Exactis data exposure incident continues, but the class action lawsuits have already begun. Algonquin College discloses a hacking incident.
Starting point is 00:02:18 Tenable will hold an IPO. The U.S.-Russian summit will take up election influence ops. And FireEye says North Korea is hacking Latin American banks. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 2, 2018. Adidas laconically disclosed on their website late Thursday that, quote, an unauthorized party claims to have acquired limited data associated with certain Adidas customers, end quote. The affected customers, whom Adidas is in the process of notifying, were ones who made purchases from its adidas.com slash US site. The shoe and athletic apparel
Starting point is 00:03:03 manufacturer says it became aware of the incident on June 26th. The company says the data affected appear to include contact information, usernames, and encrypted passwords, but no credit cards. It's unclear how many customers are affected. If you're an Adidas online customer, security industry commentators are advising you to change your passwords. One possible sidelight, it's unknown if any of the affected parties are EU citizens. If they were, that would increase the German-based company's exposure to GDPR regulatory risk. Facebook has adopted a bounty system, the Data Abuse Bounty Program, in which it will
Starting point is 00:03:44 pay third parties to find abuse of the data it handles. It paid $4,000 to a bounty hunter last week. Other companies are thought likely to follow suit. It's a form of crowdsourcing, analogous to the bug bounty programs that have become widely used in efforts to find and eliminate software flaws that pose security risks. Investigation of Facebook data abuse continues. The very long document Facebook delivered to the U.S. Congress Friday, 742 pages long, includes disclosures that Facebook continued to share user information with 61 app developers for some six months after it said it had shut down such access in 2015.
Starting point is 00:04:27 The information shared covered users' friends, those would be friends in the Facebook term of art meaning of the word, not in the ordinary acceptation of people one knows and with whom one enjoys a mutual liking. The friends' data shared included name, gender, date of birth, city of residence or hometown, photographs, and page likes. The disclosure submitted to the House Energy and Commerce Committee in response to questions for record suggests the high value such data have for marketing and other purposes, and the difficulty companies like Facebook have containing it. Another company handling valuable data is Exactis, which was revealed last week to have suffered a data exposure incident. Investigation continues.
Starting point is 00:05:17 The company is a data compiler and aggregator that, according to MarketWatch, gets a great deal of its material from cookies. Exactis was discovered to have left nearly 2 terabytes of data exposed on the internet. The company secured the data after the exposure was discovered and reported to them by Night Lion Security founder Vinny Troia. Troia tweeted Friday that he's working with Exactis to determine whether anyone accessed the data. So far, what's known is that the data was exposed. The concerns to consumers lie mostly in the possibility of identity theft and of more plausible phishing campaigns that can be mounted with the considerable personal information held by Exactis.
Starting point is 00:05:57 MarketWatch reports that Morgan & Morgan, a national law firm with headquarters in New York, has filed a class-action lawsuit against Exactis in a Jacksonville, Florida court. Morgan & Morgan's suit alleges that Exactis failed to take adequate steps to protect its data. The lawsuit seeks monetary damages and other relief for those whose data were exposed in the incident. Ontario's Algonquin College, with campuses in Ottawa, Perth and Pembroke,
Starting point is 00:06:26 disclosed Friday that its servers had been hacked. In a statement, the college said, Algonquin College discovered the unauthorized and illegal access by hackers several weeks ago, and the college acted immediately to re-establish the security of the server. End quote. It will share information with staff, students, alumni, and others affected as soon as it finishes sorting the incident out. The college thinks no one lost any financial information, but it's unclear on just what data was lost.
Starting point is 00:06:56 In industry news, Tenable, the company known for its Nessus vulnerability scanner, has confirmed long-standing rumors by announcing its intention to take itself public. On Friday, the Maryland-based security firm filed a Form S-1 with the U.S. Securities and Exchange Commission, registering its intent to hold an initial public offering. The company intends to trade its shares on the Nasdaq under the symbol TENB. ZTE, its future still very much in doubt, has replaced its board as part of its ongoing effort to mollify U.S. regulators and legislators.
Starting point is 00:07:33 Many observers remark that this change is more cosmetic than consequential, and in any case the U.S. Congress at least seems very much un-mollified. The House passed its version of the 2019 Defense Appropriations Bill with clauses that would effectively ban ZTE and Huawei products from the government market. U.S. National Security Advisor John Bolton said yesterday that Russian attempts to meddle in U.S. elections would be among the topics taken up during this month's summit between Presidents Trump and Putin. This was among the topics discussed during pre-summit meetings last week.
Starting point is 00:08:12 According to Mr. Bolton, Mr. Putin said, quote, There was no meddling in 2016 by the Russian state, end quote, but Bolton suggested that this amounts to a non-denial denial. As Reuters put it, that's different from saying there was no meddling at all. It's especially worth considering in this context President Putin's musings last month that patriotic Russian hackers may have acted against nations unfriendly to Russia, and that such patriotic zeal may have strained relations between such countries and Russia. Few observers believe that Russian freelance hacktivists can or do operate free of state direction, any more than the volunteers and green men fighting in Ukraine
Starting point is 00:08:51 and Syria have nothing really to do with the Russian army. Thus a non-denial denial. And finally, FireEye CEO Kevin Mandia has offered an assessment of current North Korean cyber activity. They're intensely focused on bank robbery and are paying particular attention to financial institutions in Latin America. As he put it, Pyongyang is hacking the hell out of Latin American banks. Some of the more prominent recent victims have been Chile and Mexico. challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now?
Starting point is 00:10:03 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:11:07 And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:11:53 And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, and he is also my co-host on the Hacking Humans podcast. Joe, welcome back. Hi, Dave. We got an interesting article that came by. This is from NextGov, a website, and it says that only 15% of cyber researchers think the U.S. can defend against a critical infrastructure cyber attack, according to a recent survey. What's going on here, Joe? This is a survey they've distributed to cybersecurity professionals.
Starting point is 00:12:20 They asked most questions, and 15% of these people are wrong, in my opinion. No, they have their own opinions, of course. My favorite thing was that only 13% of the researchers believe that Congress and the White House understand the cyber threats and will take steps to further defenses, is the quote from the article. Yeah. I can't imagine all those octogenarians not understanding. Yeah, all those people who've made careers in politics and law, right, that we've elected to office, who have never, or who were, as you point out,
Starting point is 00:12:55 grew up in a time where computers weren't really a thing, and furthermore they'd never really made it their expertise to begin with. Yeah. Yeah. How are these guys going to protect us on this? Yeah, it's interesting. I mean, this was from the Black Hat folks. They got 315 information security professionals. These are folks who had been to Black Hat or are planning to go to Black Hat. So these are professionals, you know. And there were a couple of other interesting things from this report. They said that 52 percent believed that
Starting point is 00:13:25 Russian cyber initiatives made a significant impact on the outcome of the 2016 U.S. presidential election. So about half, right? About half. That's interesting. It's interesting to me that half don't believe that. Yeah, I don't know where I fall on that. I mean, I think there was definitely information operations going on, right, but I don't know how I would quantify how well that affected the election. Yeah. So that's why I would say I could not answer in the affirmative on this, only because I don't have any data that quantifies it for me. You're still waiting for more information to arrive.
Starting point is 00:14:01 Exactly. All right, fair enough. 16% approve of President Donald Trump's performance so far, while 53% disapprove. And this was not limited to cyber issues. So that's an interesting contrast against that last number there. He did get rid of his cybersecurity advisor. Right, but came out of the gate with a strong statement on cyber.
Starting point is 00:14:21 So we thought he was going to be all over this. He's issued executive orders since then. Right, right. Now here's an interesting one: 47% agree with the statement "The shortage of women and minorities in the information security profession is a concern to me," while 22% disagree and 31% are neutral. So about half. Yeah, that we need to do a better job of this. Right. And this is something that is, for me, kind of personal. I mean, my daughter is an engineer right now, and I don't know what the solution to this is. We need to start raising engineers. And you certainly obviously want to have as many opportunities available to her. You don't want any doors closed on her.
Starting point is 00:15:06 Right, no, absolutely not. Because she's a woman in the field. Yeah, I want the most opportunities for her. But I don't know that she's at a disadvantage now that she has an engineering degree. I think where girls are at a disadvantage is a lot earlier in life. And I think that's why we need to start raising our girls, thinking of the opportunities that they're going to have down the road. Right.
Starting point is 00:15:27 So that they even consider those positions. So that they consider it and not only consider it, but desire it and view it as something they want to go into. Yeah. I mean, study after study says that the more diversity of thought you have, the better you're going to be at problem solving. Yeah, that's true. The data is there. Yep. All right.
Starting point is 00:15:44 Joe Carrigan, as always, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:16:46 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Starting point is 00:17:13 Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:17:19 John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:17:56 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
