CyberWire Daily - App developers had access to more Facebook Group data than intended. Election security and disinformation. DarkUniverse described. Millions lost to business email compromise.

Episode Date: November 6, 2019

Facebook closes a hole in Group data access. US authorities seek to reassure Congress and the public concerning the security of election infrastructure. Disinformation remains a challenge, however, as... the US prepares for the 2020 elections. Criminals catch Potomac fever as they use politicians’ names and likenesses as an aid to distributing malware. Kaspersky outlines the now-shuttered DarkUniverse campaign. And Nikkei America loses millions to a BEC scam. Justin Harvey from Accenture on automated incident response. Carole Theriault speaks with Kristen Poulos from Tripwire on protecting the IoT. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_06.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Facebook closes a hole in group data access. U.S. authorities seek to reassure Congress and the public concerning the security of election infrastructure. Disinformation remains a challenge, however, as the U.S. prepares for the 2020 elections.
Starting point is 00:02:10 Criminals catch Potomac fever as they use politicians' names and likenesses as an aid to distributing malware. Kaspersky outlines the now-shuttered Dark Universe campaign. And Nikkei America loses millions to a BEC scam. And good dogs go after bad guys' data storage devices. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 6, 2019. Facebook, which has been working to rein in developers' access to data, has found that an oversight in its Groups app gave video streaming and social media management app developers access to private group member data like names and profile pictures. About 100 developers, Facebook said in an announcement it posted yesterday,
Starting point is 00:03:00 had retained access to this information. With privacy upgrades the social medium had instituted in April of 2018, a group admin should have been able to authorize an app developer to receive only such information as the group's name, the number of users in the group, and the content of the posts within that group. Users, that is group members, would have had to opt in to provide access to more personal information,
Starting point is 00:03:24 like profile pictures and names. Facebook is cleaning up this oversight. While the 2018 changes were a response to privacy concerns raised by such incidents as the Cambridge Analytica scandal, stopping all the holes is obviously more difficult than Facebook had expected. The incident is regarded as a bad look for Facebook as it prepares for future rounds of privacy scrutiny, but the company says it's convinced the relatively small number of developers who had the unintentional access didn't abuse it. Some of that coming scrutiny is set to occur in a California court as the state petitions for more information on the company's privacy enhancements.
Starting point is 00:04:04 At issue are internal documents which Reuters says pertain to what was called the switcheroo plan, under which Facebook documents divided app developers into three buckets, existing competitors, possible future competitors, or developers that we have alignment with on business models. So the suspicion is that the company undertook anti-competitive steps under the guise of enhancements to privacy and user experience. California's Attorney General has this morning petitioned the San Francisco Superior Court to compel Facebook to comply with subpoenas for such documents. Yesterday, the U.S. Departments of Justice, Defense, and Homeland Security joined the Director of National Intelligence, the FBI, NSA, and CISA to reassure Congress and the public that unprecedented security measures were in place to protect U.S. elections.
Starting point is 00:04:56 They warned that Russia, China, Iran, and other foreign malicious actors were expected to attempt active interference in the 2020 U.S. elections. Some of those measures were on display in yesterday's off-off-year elections some states held, as state and county election authorities tested new equipment and assessed their security. There have been no reports of effective attacks against this week's vote. FireEye CEO Kevin Mandia sees the cooperation U.S. federal and state agencies are talking about as likely to be successful. He's encouraged by the collaboration among voting device manufacturers and election and security authorities.
Starting point is 00:05:35 But disinformation is a different matter. Mandia told CNBC's Mad Money that the biggest problem with election security isn't hacked voting machines, but rather misinformation disseminated over social media. He said that he was confident that voting machines would be secure during the voting. I'm not worried about vote count, he said, adding, I'm more worried about those influence operations that you don't even know are happening to you. Cybereason conducted an exercise yesterday in which two teams, Red and Blue, attackers and defenders, simulated a campaign to disrupt an election in ways that would affect
Starting point is 00:06:10 its outcome. The attackers did so not by attempting to manipulate vote counts or directly affect voting machinery itself. Instead, they focused on spreading disinformation designed to suppress voter turnout or confuse election officials into disallowing votes. This would seem consistent with other assessments security experts have offered. Vice reports that disinformation relative to the 2020 U.S. elections is already flooding social media, but a great deal of that disinformation is homegrown and seems firmly in the mainstream of scurrilous electioneering that's gone on since the first seriously contested presidential campaign, the 1800 contest between John Adams
Starting point is 00:06:51 and Thomas Jefferson. Fool, hypocrite, criminal, tyrant, weakling, atheist, libertine, coward, and so on. A lot of that slanging was as lurid and specific, as rich in specious detail, as anything woofed or tweeted today. Jefferson even hired a specialist to supervise the slander. Of course, social media have an immediacy and powers of amplification unknown to the two principal authors of the Declaration of Independence. Vice quotes calls for social media to take action
Starting point is 00:07:20 against domestic political disinformation the way they have against foreign influence operations, and in particular call for fact-checking and content moderation. But the success Facebook and other social media have enjoyed against foreign influence campaigns has come through culling them for coordinated inauthenticity. Moderating the content of political speech, as popular as this idea seems to have grown, presents some obvious problems with respect to civil liberties. Not all politically themed campaigns are necessarily concerned with politics.
Starting point is 00:07:53 Cisco's Talos unit describes how some of them aren't connected with politics at all, except insofar as politicians' names and likenesses serve as clickbait and phishbait. Criminals are using political themes to help distribute ransomware, screen lockers, and remote access Trojans. The most popular politicians among the hoods are President Donald Trump and former Democratic presidential candidate Hillary Clinton. Our own Carole Theriault has been looking into the security of industrial control systems, the systems that are key components of the things that make civilized society possible. She files this report.
Starting point is 00:08:29 So, Tripwire has recently issued some cybersecurity research focused on industrial control systems. These systems are, like, vital to our life, right? Things like power stations, electricity grids, and oil plants. Now, Tripwire's findings say that more than 90% of ICS security professionals, these are the people that look after these systems, are concerned about cyber attacks causing operational shutdown or customer impacting downtime.
Starting point is 00:08:57 So I've invited Kristen Poulos, Vice President and General Manager of Industrial Cybersecurity at Tripwire, to highlight all the important factors that we need to know in this research. Kristen, thank you so much for joining us. Yeah, yeah. Thank you for having me. Now, did I say your last name correctly? It's Polis. You were very close. Okay, Polis. I'm very sorry.
Starting point is 00:09:18 Tell you what, Kristen, I think I was brought up in Canada, right? And I think that my hard Canadian living, my childhood would prepare me to be completely cut off. But I think even a place temperate as the UK, where I live now, it would be a total nightmare if some critical infrastructure went down. Yeah, you know, it's incredibly scary to think about the potential out there. But what we were able to collect in the survey that we conducted was for 263 ICS security professionals, and they spanned a number of different industries. So think manufacturing and chemical and energy. And while they certainly showed a definite concern around cyber attacks and how that could negatively impact their way of life
Starting point is 00:10:06 and safety and quality and the productivity of their operation, we did find that a lot of them had started making investments in ICS cybersecurity. And that was really promising to see. So what seems to be the problem? What do you think? Why are half of them feeling that their current investments aren't enough? Do they see all these holes and it's just that the board don't care? Despite there being this high level of companies that have made some kind of investment in cybersecurity, yeah, only half of them think that their investments aren't enough. You know, at first, that's kind of promising to hear, right? Because it means that these organizations are thinking that cybersecurity isn't just a project, but rather
Starting point is 00:10:52 it's a journey or a program that they need to maintain and sustain. But what maybe wasn't as good to hear was that almost 70% of those companies, those same companies, believe that it would take a significant industry event in order to convince their organizations to spend more. And so as a member of this community, that's very alarming to hear because we don't want there to be a catastrophic event in order to convince the boards to spend this money. So basically what I'm hearing here is they are reluctant to make the investment. They need a huge catastrophic event to happen somewhere for them to pull up their trousers and go, OK, we really need to take this seriously.
Starting point is 00:11:38 And it's the cybersecurity, those responsible for cybersecurity that you spoke to that are actually sounding the alarm. That's exactly right. Scary stuff. What can we, the average Joe in the street, do with this information? Can we lobby our representatives locally and provincially and statewide? Absolutely. And as a matter of fact, the more that we can have local legislative bodies and state governments talking about this and talking
Starting point is 00:12:07 about some basic cybersecurity compliance mandates, the more it can become common and widespread. We have a good example of this actually in North America where NERC CIP governs our North American utilities, and there is some level of cybersecurity that they need to, each entity needs to be able to meet. And so we found actually through this research that it was those individuals in the energy and utility worlds that seem to be the most aware and concerned. And I think that is because of the standard just drives awareness throughout those organizations. Well, hopefully this research will help drive awareness. And hey, who knows, maybe Tripwire should start a conference just with ICS security professionals coming together so that they can actually share ideas and share plans on how they can actually limit their risk. That's a great idea. Collaboration in this space
Starting point is 00:13:07 is so key. I mean, yes, sure, we're all vendors and trying to make solutions that customers can buy. But really, at the end of the day, we're trying to make the world a safer place. Couldn't have said it better. Kristen Poulos, thank you so much for joining us. Thank you very much. This was Carole Theriault for the Cyber Wire. Kaspersky yesterday published a study of a previously unremarked APT, Dark Universe, which operated quietly between 2009 and 2017. The researchers see links between Dark Universe and script found in the Shadow Brokers 2017 Lost in Translation leak.
Starting point is 00:13:44 The APT's victims are located, Kaspersky says, in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus, and the United Arab Emirates. Both civilian and military organizations were targeted. The researchers think Dark Universe may have a connection to the ItaDuke campaign, which targeted Tibetan and Uyghur minorities in China. The researchers also think that Dark Universe shut down when its techniques were blown by the Shadow Brokers' Lost in Translation leaks. Finally, here's a BEC scam pricey enough to send shivers down the back of any CFO. Nikkei America, the New York-based subsidiary of
Starting point is 00:14:26 Japan's Nikkei Media Group, acknowledged late last week that it had acted on instructions received in a business email compromise scam to transfer $29 million to a fraudster account. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash
Starting point is 00:15:06 careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. Thank you. $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:16:31 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Justin Harvey. He's the Global Incident Response Leader at Accenture.
Starting point is 00:17:09 Justin, it's great to have you back again. I wanted to touch base with you today about incident response, but specifically about automated incident response. Can you give us some insights there? Well, clearly, as an incident responder, I don't want to be replaced by a robot or automation, but it's very relevant to what we're seeing in the field with commercial and government entities today. When we look back a few years ago where there wasn't as much automation, there were large security operation centers that were heavily dependent upon a steady stream of people. You bring them in as a level one, you teach them how to do level one in the SOC, then they work up and they get promoted to level two and they're using paper-based
Starting point is 00:17:56 playbooks and they know when an event comes in, oh, I need an alt tab and I need to go to this screen and pull this additional information up and augment the data in order to pass it up to the next level. But what we are seeing in the field and many large corporations and entities are saying is that that is not sustainable. It's not sustainable because there are simply not enough people in the industry to fill all of these roles. And because of that, it creates a negative effect where you're always worried about, well, if I hire these people and I train them, are they
Starting point is 00:18:31 going to leave? And then it becomes a retention problem. So one way to address that and also one way to get your response times down is to automate a lot of the rote steps that these lower level analysts are doing. And typically in the SOC pyramid, you've got a lot of level ones, you've got fewer level twos, and you've got even fewer level threes. And what I'm talking about here for automated incident response is really targeting those level one and level two analysts. And the way that this is manifested is that let's take a case study. Let's look at, we all know that command.exe should not be run from Internet Explorer. That's indicative of an attacker that is spawning a process from your browser. Well, if you haven't automated your SOC, that alert that comes through into your SIEM might say
Starting point is 00:19:26 command.exe has been spawned from a browser. And it would require a human to A, look through their list of alerts, find that alert, and then take action on it. And that action could be an additional investigation. It could be quarantining that endpoint. It could even be killing that Internet Explorer process. But what automation enables us to do is put together quite a few rules, if you will,
Starting point is 00:19:58 that when the automation piece of the SIEM sees that inbound alert, it will automatically trigger based upon a set of conditions and do the quarantining or take care of the killing the process or even inserting a rule into a firewall. And then the higher levels of security operations center workers can just look at the results of those automation steps. In that particular case, is this a matter of the automation sort of buying you time where it reports to you and says, hey, we noticed this thing. I did these things. Now it's time for you to check it out and see what's actually going on here. Dave, that is a very astute point. It is critical that humans are always overlooking the automation.
Starting point is 00:20:35 We can't ever assume that automation is going to take care of everything. There are still certain conditions where automation can either break or not quite do the job. So it's very important for higher level security operations center workers to check the work of the automated incident response and verify that in fact, A, it did what it's supposed to do, and B, why did it do that? Why did command.exe spawn from a browser? And so you're right, it does buy you time in order to stop an adversary because the adversary is going to say, well, my command.exe was killed. What else can I do? And they might try some other steps that might not be covered under the automation. So it's very
Starting point is 00:21:18 important to be able to have experienced incident responders look over the roll-up data. All right. Well, Justin Harvey, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:21:52 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:22:40 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carole Theriault, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Starting point is 00:23:05 Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Thank you.
