CyberWire Daily - Adobe patches a zero-day being exploited in the wild. Chinese cyber espionage, and the risks of data-sharing. Facebook default settings glitch. Industry notes.
Episode Date: June 8, 2018
In today's podcast, we hear that Adobe has patched a Flash vulnerability. InvisiMole is a discreet, selective cyber espionage tool. A Facebook glitch inadvertently changed users' default privacy settings. Leidos exits the commercial cyber market. China is back at IP theft, and some conventional cyber espionage, too. Congress wants explanations of data-sharing with Huawei and ZTE, and it wants those companies investigated as security risks. Feds Facebook-friend felons. Rick Howard from Palo Alto Networks with the winners from this year's Cybersecurity Canon gala. Guest is Corey Petty from BAH, host of The Bitcoin Podcast, discussing blockchain.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Adobe patches a Flash vulnerability.
InvisiMole is a discreet, selective cyber espionage tool.
A Facebook glitch inadvertently changed users' default privacy settings.
Leidos exits the commercial cyber market.
China is back at IP theft and some conventional cyber espionage too.
Congress wants explanations of data sharing with Huawei and ZTE.
And it wants those companies investigated as security risks.
And the feds Facebook-friend felons.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, June 8, 2018.
Adobe issued an emergency patch yesterday for a Flash vulnerability that's being exploited in the wild.
The company credited security firm ICEBRG with alerting them to the problem.
The exploit, CVE-2018-5002, is being used to backdoor a selected set of Windows machines.
Most of the exploitation has been against targets in Qatar, still in bad odor with other regional Arab powers including Bahrain, Egypt, Saudi Arabia, and the UAE,
all of whom participate in a trade embargo against Qatar.
At issue are Qatar's alleged Iranian connections, Iran of course representing a regional and religious rival to the Sunni governments in the area.
Whether you're in Qatar or Cucamonga, if you use Flash, you'd be wise to apply Adobe's patch.
ESET is analyzing InvisiMole, a cyber espionage tool that can backdoor targets, engage in remote code execution, and steal audio from infected devices.
It's uncommon, and ESET offers no attribution, but the malicious malware has been found in Ukrainian and Russian computers.
A Facebook glitch inadvertently turned some 14 million users' private data public.
It changed the default settings on those accounts from private to public at the end of May,
between the 18th and the 22nd of the month.
Facebook regrets the issue and advises users to take a look at
whatever stuff they may have posted last month. Leidos becomes the latest U.S. federal contractor
to exit the commercial cybersecurity market, selling its commercial unit to the Paris-headquartered
multinational Capgemini, which hopes its acquisition will help it make further inroads into the North American market.
CrowdStrike says that after more or less abiding by a 2015 mutual undertaking with the U.S.
not to engage in the massive theft of intellectual property,
China is back at it with a vengeance.
CrowdStrike doesn't offer any particular reason for the upswing,
merely making note of what it's seeing,
but observers speculate that it's linked to recent trade tension between the U.S. and China. Recorded Future sees
a different potential explanation, at least a partial one. They see the shift as the result
of reshuffled agency equities after the consolidation of signals intelligence
organizations into China's large Strategic Support Force, a process
that began in late 2015. The Strategic Support Force is intended to play a significant role in
China's strategy for achieving technological and economic superiority sooner rather than later
this century. And of course, the royal road to such superiority is much eased if you can simply
take the technology as it's developed.
The U.S. is aware of this, having taken official note of the matter in a March 22 report by the Office of the U.S. Trade Representative.
Intellectual property isn't the only concern with respect to China's cyber operations.
They're also engaging in more obvious forms of espionage.
This afternoon, U.S. officials speaking under conditions of anonymity
told the Washington Post that Chinese intelligence services
had hacked an unnamed contractor working at the Naval Undersea Warfare Center
in Rhode Island and successfully exfiltrated sensitive data
concerning submarine operations.
There are also human intelligence concerns related to data sharing and analysis.
As the South China Morning Post sees it, cribbing from the late Baltimore novelist Tom Clancy,
extensive data sharing with Huawei in particular represents the sum of all fears for the U.S.
As the paper puts it, quoting a tweet by Senator Marco Rubio, a Republican from Florida,
quote,
Here's an irony.
Facebook is banned in China,
where the regime isn't particularly open to platforms that facilitate social interaction.
But the government there is
thought to be interested indeed in the data Facebook holds on its users elsewhere.
Facebook did acknowledge earlier this week that it had shared access to data with a number of
Chinese companies that included Lenovo, Oppo, TCL, and of course Huawei. They did so, said
Facebook's vice president of mobile partnerships, in a controlled way.
Controlled or not, Huawei denied collecting or analyzing Facebook user data.
Few in Congress seem mollified. Indeed, the U.S. Congress appeared to be loaded for bear
in its investigations of ZTE and Huawei and their alleged U.S. partners, Facebook and Google.
Senator Warner, a Democrat from Virginia,
has promised to lead efforts to pull away the lifeline President Trump tossed ZTE.
ZTE, you will recall, was in Commerce Department hot water
for its evasion of U.S. sanctions against various pariah regimes,
especially Iran and North Korea.
It was also in hot water for lying about its dealings with those countries.
ZTE agreed, in exchange for renewed access to American products it needs to stay in business,
to pay a fine of more than a billion dollars, to overhaul its board of directors, and to install
a U.S.-designated compliance team that would look to its good behavior over the next 10 years.
But Congress intends to continue
its investigations. Security, and not sanctions evasion, is the issue with the Chinese companies.
Google seems likely to be hit with a record EU antitrust fine over the way in which it manages
apps in the Android ecosystem. The fines, which Reuters expects the European commissioners to
announce in about a
month, during the week of July 9th, are thought likely to exceed the 2.4 billion euros Google
endured last year. The 2017 fines were over the ways in which the search engine favored its own
products over those of competitors. This time, they're mostly concerned with the ways in which
Google's dominant position in Android enables it to bend app developers to its commercial will.
The U.S. Federal Trade Commission wants to hear from cryptojacking victims.
If you've been the victim of crypto mining software installed in your devices, you can let the FTC know online at ftc.gov slash complaint.
The commission's announcement is thought by observers to amount to the first notice by the U.S. government
that cryptojacking is illegal.
Finally, we found out, and we were asking for a friend,
that law enforcement personnel often make it a practice
of friending convicted felons on, where else, Facebook,
once such felons have served their time and are out
of the slammer. Why do they do it? To keep an eye on them. Felons, for example, aren't supposed to
own guns, yet they persist in posing with them in front of their Facebook friends. A Delaware court
ruled that the undercover practice is perfectly legal, so caveat shooter, if, that is, you're a felon, not that any of you would be.
And joining me once again is Rick Howard.
He's the Chief Security Officer at Palo Alto Networks.
He also heads up Unit 42, which is their threat intel team.
Rick, welcome back.
You all recently had your Cybersecurity Canon Hall of Fame gala. By all accounts, a successful, fun evening. And you wanted to bring us up to date and share with us who are the winners this year.
Yeah, this is the culmination of the 2018 season where we actually gave awards, the Hall of Fame awards, to the winning authors. And you know what the Canon Project is. It's kind of a rock and roll Hall of Fame for cybersecurity
books going on for five years. And so if you're going to better
yourself this year and read some book on some new topic,
how do you decide which book you want to read? And if you go to Amazon
and look up cybersecurity books, you're going to have to choose between some 2,000 and 3,000 entries.
So how do you decide?
So here's this give back to the community service.
The committee reads the books, finds out which books you should read, and those are the ones you should start with.
Do you want to hear who won the Canon Gala Awards for this year?
I'm on the edge of my seat.
I can tell.
So the first one, it's been on the candidate list for a couple of years, right?
But we're very happy to put it in the Hall of Fame,
a book called Metasploit: The Penetration Tester's Guide by David Kennedy,
Jim O'Gorman, Devon Kearns, and Mati Aharoni.
I think that's how you say his name. Now, you've heard of Metasploit before, right?
Sure.
Yeah, it's a tool that's been around for years.
It's the default tool for penetration testers.
But what's great about this book, it's written for beginners.
So if you're new to the craft, you can take it and learn how to become a penetration tester using this tool.
But there's also lots of information for the seasoned practitioner. So
Metasploit has made it into the Hall of Fame. All right. Who else?
Second one, Site Reliability Engineering: How Google Runs Production Systems by
Betsy Beyer, Chris Jones, Jennifer Petoff, and Niall Richard Murphy. Now, I've been hawking this
book for the last year or two. I love this book. It is the follow-on reader.
If you've already read The Phoenix Project and you are interested in DevOps and the DevOps philosophy,
this particular book, Site Reliability Engineering, is the how-to manual.
It's how Google did it when they started their first search engine back in 2004.
They were doing this DevOps kinds of thing six years before DevOps even had a name for itself.
So if you want to figure out how to do it, that's the one to do.
Number three, for my social engineers in the crowd, Unmasking the Social Engineer: The Human Element of Security by Christopher Hadnagy.
OK, now this book is for serious readers who want to understand everything they can about the topic of social engineering.
Hadnagy relies heavily on some research by Dr. Paul Ekman, the renowned psychologist, right?
This is a fantastic entry-level book for how do you do social engineering.
And so Mr. Hadnagy is in the Hall of Fame.
The fourth entry is a book called Worm by Mark Bowden. Do you remember Mark Bowden? He's a famous author in other subjects. He is probably most famous for writing Black Hawk Down.
And yeah, and he wrote the screenplay to the movie.
Right. And so he wrote this book about the Conficker Cabal, you know, and how a bunch of people, a bunch of network defenders in the industry, got together and tried to take that thing down. It is a great slice of cybersecurity history, and Mr. Bowden came out to the gala and we gave him his, you know, Academy Award-like trophy, and he was very eloquent. And I got to interview him on TV. All right, so it was fantastic. It was a highlight of my career.
All right. So those four books, go to the Canon website and start your education from there. All right. As always,
Rick Howard, thanks for joining us.
My guest today is Corey Petty. He's a blockchain scientist at Booz Allen Hamilton
and host of the Bitcoin podcast and Hashing It Out.
When I got into this, we always wondered when people would understand or know about blockchain
or Bitcoin or cryptocurrencies. And now, based on the plethora of ICOs and the public interest they've
received, most people have heard the words but don't quite understand what it means or what they
do or the implications of what they can do. And right now, we're in a state of building the basic
infrastructure that's required for people to interface with these technologies without really
knowing it, like how we use the internet today. Now, with all of the enthusiasm, particularly with Bitcoin and sort of the,
I don't know, the gold rush, if you will, do you suppose that blockchain has suffered for that?
It seems like in some areas it's become a bit of a punchline. That's kind of a sign of the times
for me. What had happened, we created something called the ERC-20 token
and made it simple enough for people to use and interact with
without them really knowing what they're doing.
And so I liken it to us finding out how to use fire
and burning ourselves a little bit during the process of figuring out how to use it.
And we're going to see this happen multiple times
as we keep creating new standards and new tools people can use that's based on blockchain.
And then watch as people play around with it to see where it's useful.
What do you have your eye on? What are some of the areas of focus for you
in terms of the usefulness of blockchain?
I have a hard time not spreading myself too thin, to be honest. It's such an infrastructure level,
like the ground zero of how computers operate and transact digital assets, that it has a finger in almost all parts of human existence, whether it be how we come together on decisions, large
decisions in a decentralized manner across the globe, how we transact value, how we send money.
I try and figure out how this is impacting things, but I really want to do it in a way that
takes trust away from an individual and puts it into a system so that greed can't be a part of it,
if that makes any sense. Yeah, it does. Where do you think we are most likely, a typical consumer,
where do you think they're most likely to see an effect on their daily lives
based on some sort of underlying blockchain technology? Initially, you'll start to see
two main things come into play where people will start to actually use them and know that they're
using them. And that's going to be with games, because games are always the first way to play
around with a new technology that enables things in a setting that isn't too daunting or scary in terms of money or problems or trust of information.
And you'll also see it in things like social networks, especially with the modern cry of how people use the data you give them when interacting with the centralized social networks that we have today.
Blockchain-based social networks don't have that problem because in a quality blockchain network,
the user still controls the data.
Now, let's dig into that a little bit.
When you say a quality blockchain social network, what do you mean by that?
One that's run in a trustless manner. The word blockchain is a very general term.
And what people typically associate with it is either Bitcoin or
Ethereum or maybe one of the few other open, trustless networks, which have to operate in a
manner that you basically don't trust anybody you're interacting with and the system runs okay.
But there's also a long string of experiments and attempts for people to write permissioned
and trusted networks that don't
offer the same types of guarantees, but they're all under the same moniker, blockchain. So it's
really hard to kind of digest and grok the difference between these things if you don't
understand that type of concept. What would the most obvious benefits be for a user of that sort
of network? Not having their data mined or not having to care about who
can make decisions on the types of transactions you'd like to do or who you'd like to interact
with. Right now, in a lot of these centralized services that we use, they're free because you're
the product. It's not one of those things where the person who uses it gets the control, the
information they put into that network.
It ends up putting a lot of power and a lot of profit into the hands of the people who
own the network, as opposed to a decentralized network where that value is usually spread
across the people who actually use it and not the people who administer it.
You know, we had a listener write in with a question, and I think it may be a good one for you.
They were asking, how do you deal with the tension between GDPR, which includes the right to be forgotten,
and something like the blockchain where information can't be easily deleted?
Or it can't be deleted whatsoever.
Yeah.
That's going to be an interesting concept. And in the current state of blockchains,
the thing that you use to interact with them is a pseudonymous address
or just a string of numbers
that ends up being your user ID, if you will.
Your personal information attached to that address
can be obfuscated or hidden
so that people don't really need to know who you are
when you interact with the blockchain and how you use it. Further along the lines, we'll have things that require more
information about the link between that user ID and the person who owns it, which could have
pretty interesting consequences in terms of the right to be forgotten in such things, because
open and public blockchains get their trustlessness from the fact that they can't
be changed. And I think it's more along the lines of we need a change in the social interactions
and how we think about using applications needs to be changed. We can't assume that because we
interact with something, it can be deleted later because that's the way it's always been.
So take us through the Bitcoin podcast.
What do you talk about there and what do you hope your audience gets out of that one?
We started out creating that show because we felt that the majority of media surrounding Bitcoin and blockchain, it was just Bitcoin when we started, so it's called the Bitcoin podcast,
was overly technical and focused on a few projects that were the front runners of the entire ecosystem.
We wanted to get a voice of everyone in the entire ecosystem. So we've made it a point to
interview everyone, the leaders, the creators, the people who trade things, the people who use it,
that's changed their lives in various ways. So we try and cast a very wide net in the types
of information we put on that podcast.
And I think we've been successful with it.
Are there any particular insights that have struck you over the course of doing the show?
Things that you learned that you didn't expect when you were going into it?
I always heard the things that, or the ideologies that people pushed when this technology started becoming larger and larger and larger.
As the different networks have been created, I've realized that they're all wrong.
They're not necessarily wrong.
They're just not complete.
There is, I think it's arrogant to say you know what blockchain will look like in the future.
Because every time someone said that, we've done something to make it look different.
And it's so young and there's so much to be learned and figured out that you have to take it at a grain of salt and roll with the punches. When we first started, Bitcoin was the only thing that existed.
And so people thought anything that tried to be like Bitcoin would automatically fail or was an intruder.
And over time, we've seen Ethereum grow and grow and grow and become something that is a very viable, useful network that is different
than Bitcoin. And it's not one chain to rule them all. It's more along the lines of many things to
do, many types of applications and interaction. And so the future of what this whole thing is
going to become is beyond my scope or understanding.
And anyone who says they understand, I think, is naive.
That's Corey Petty from Booz Allen Hamilton.
Don't forget to check out his podcasts, The Bitcoin Podcast and Hashing It Out.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.