CyberWire Daily - Chinese influence campaigns. Egyptian spear phishing. Hundreds of millions of email records exposed.
Episode Date: March 8, 2019
In today's podcast, we hear that Chinese information operations on US social media are widespread. The Egyptian government launches spear phishing attacks against activists. Hundreds of millions of email records were found online. Chelsea Manning is back in jail. The US is retaliating for Chinese cyberespionage. And Facebook wants to change its image. Ben Yelin from UMD CHHS on a PA supreme court ruling on protection of employees' personal information. Guest is Scott Shackelford from Indiana University on the Paris Call for Trust and Security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_08.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Chinese information operations on U.S. social media are widespread.
The Egyptian government launches spear phishing attacks against activists.
Hundreds of millions of email records were found online. Chelsea Manning is back in jail.
The U.S. is retaliating for Chinese cyber espionage. And Facebook wants to change its image.
From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your CyberWire summary for Friday, March 8, 2019.
Research from Recorded Future presents details on China's social media influence operations targeted at the West.
The operations differ from Russia's influence campaigns based on the country's different national goals.
Russia's operations are primarily disruptive and destabilizing, while China's are largely positive and coordinated.
Chinese information operations are meant to present an overwhelmingly positive, benign, and cooperative image of China to Western users.
These campaigns don't show a large-scale interest in swaying foreign elections. Rather, they focus on changing opinions about policies that are disadvantageous to China's goals, with much of their recent messaging concerning the trade war between China and the United States. The researchers found that just two state-run Chinese influence accounts on Instagram, quote, reached a level of audience engagement roughly one-sixth as large as the entire Russian IRA-associated campaign targeting the United States on Instagram, end quote.
The influence accounts also use paid advertisements on a number of American social media platforms.
While China's strategy is more pleasant than Russia's combative and divisive attacks, Recorded Future stresses that these influence operations are not benign in nature. Instead, they say, quote, the Chinese state has employed a plethora of state-run media to exploit the openness of American democratic society and insert an intentionally distorted and biased narrative for hostile political purposes.
They also note that the propaganda techniques China uses in Western circles are very different from those it employs domestically,
which involve extensive censorship, content filtering, and astroturfing.
Amnesty International says the Egyptian government is responsible for a wave of spear phishing attacks that targeted activists within the country, ZDNet notes. State-sponsored attackers created third-party apps to launch OAuth phishing attacks against victims' Gmail accounts. OAuth phishing is a newer form of phishing in which attackers steal authorization tokens instead of passwords.
A number of the targets were notified by Google that government-backed attackers were targeting their accounts.
They also targeted Yahoo, Outlook, and Hotmail users.
The list of targeted individuals had significant overlaps with those targeted in a 2017 phishing campaign,
which was also linked to Egyptian state-sponsored actors.
Chelsea Manning was jailed today after refusing to answer questions before a secret grand jury. The former Army intelligence analyst and WikiLeaks source had been subpoenaed to testify for a grand jury investigation into Julian Assange. She'll remain in custody until she decides to testify, or until the grand jury concludes its work, which could take up to 18 months.
The Washington Times reports that the United States has begun conducting counter-cyber attacks against China in retaliation for Chinese cyber espionage. The U.S. hacks will likely target trade secrets related to Chinese hypersonic technology, since this is an area of research where the U.S. is thought to lag behind China.
Security researcher Bob Diachenko found more than 808 million email records in an internet-connected MongoDB instance without a password. Millions of the records included personally identifiable information as well. This data set is different from the Collection series of data dumps discovered in January. Diachenko initially thought that the data belonged to a large spam organization, which turned out to be at least partially true. The database belonged to a self-described email marketing firm that specializes in bypassing spam traps. The company offers an email validation service, which checks if an email address is active by sending a test email. The researchers notified the company and received a polite response. The company said the database had been secured, and shortly afterwards the company's website was taken offline.
Google has disclosed more information on the Chrome zero-day vulnerability it patched in its latest update.
The flaw was apparently being used in tandem with another zero-day bug in Windows 7, which is currently unpatched.
Microsoft is working on a fix, but Google urges users to just go ahead and upgrade to Windows 10.
And finally, Facebook wants to change its image by shifting its focus to encrypted messaging services, where people can communicate in small private groups. In a long blog post on Wednesday, Mark Zuckerberg admitted that Facebook doesn't currently have a strong reputation for building privacy-protective services, but says that the company is good at adapting to what people want. Most observers are highly skeptical that the end result will be as good as Zuckerberg says. The Verge says that we should take the announcement with a whole shaker's worth of salt, since Zuckerberg has made similar statements in the past that never came to fruition. Others wonder how Facebook will make a profit off this type of business model, since it ideally wouldn't be able to use targeted advertising. There are also potential downsides to Zuckerberg's proposed model, since the company wouldn't be able to moderate the content on its platform.
And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, always great to have you back. This was a story that came by from the National Law Review, and it's titled, Pennsylvania Supreme Court Recognizes Common Law Duty to Safeguard Employees' Personal Data. What's going on here?
Yeah, so this is a fascinating case. It's called Dittman v. UPMC, which is the University of Pittsburgh Medical Center.
Some personal information was stolen from the database that this medical center had maintained. Information from 62,000 employees, it's a lot of people, very personal information. So social security, birthday, tax information, bank account information, etc. Some employees or former employees of UPMC sued the hospital saying that they had a reasonable duty of care under common law to safeguard that information. And what that means is that if they did not use reasonable care, if they did not use the most advanced practices in protecting digital information, they would be liable in tort for some sort of damages. And that's exactly what happened here. So the court found that the hospital was negligent. Negligence is a common law tort. And the standard for negligence, as it has been since basically our common law system has evolved from our British ancestors, is whether the defendant used ordinary reasonable care.
And what this decision does is it defines ordinary reasonable care or the standard of reasonable care in the context of data security
and says that by exposing this information to breach,
by not using the best practices in terms of safeguarding personal information,
that organization or the defendant in this case is not acting according to the standard of reasonable care.
And as a result, these individuals suffered some economic losses.
I think the article says that somebody used the stolen information to start false bank accounts in the names of some of the plaintiffs.
And therefore, the hospital or the medical system is going to have to compensate those victims.
What's interesting about this case is that it's applying this old common law doctrine to the modern circumstance of data privacy. And because it's the first decision of its kind across the country, even though this is only binding on the state of Pennsylvania and its institutions, this is going to be instructional for other courts as they deal with whether to apply that common law duty of reasonable care to private actors who have been entrusted in safeguarding information.
So this, at least right now, is the North Star case, the groundbreaking case.
And I think this is something that other state courts and federal courts are going to look into when similar cases present themselves.
Now, the situation here is this allows folks to go after them from a civil point of view, going after money. There's no criminal element here.
No, there's no criminal element. This is just about civil damages. So obviously, this could be a big financial hit for the medical center, the medical institution, to be potentially liable to a class of 62,000 employees for what is a significant economic loss.
And that includes all different types of economic damages.
That's going to be a major liability for that medical system.
Now, theoretically, what that means is just as hospitals have to take measures to protect themselves against other types of common law lawsuits,
for example, medical malpractice,
they're going to have to take proactive measures to protect the integrity of their data.
Now that they know that they are potentially liable for data breaches,
even if they're not the ones stealing the private information,
that means there's going to be an added cost on the front end for the medical system to protect that data. And what we've seen in other torts cases is that turns into a bit of a consumer tax. In the long run, because the hospital will have to use more of its resources to secure that data, you know, that's going to add to their overhead costs of doing business.
And eventually that filters down to the patients or more likely to the insurance companies.
So, you know, but that's something that's existed forever in the world of torts.
Now it's just being applied in a new manner, reflecting the digital age.
Yeah.
All right.
Ben Yelin, thanks for joining us.
Thank you.
My guest today is Scott Shackelford. He's chair of the Indiana University Bloomington Cybersecurity Program and director of the Ostrom Workshop Program on Cybersecurity and Internet Governance. He joins us to discuss Indiana University's participation in the Paris Call for Trust and Security in Cyberspace, which was presented late last year by French President Emmanuel Macron at the Paris Peace Forum.
So the Paris Call for Trust and Security in Cyberspace was a declaration, so it's kind of a statement of principle, that was put out during the Internet Governance Forum that was hosted by the French government this year at UNESCO in Paris. Because of France's long leadership, again, in the process of building international peace and security around the world, and because the French government wanted to show widespread support for nine particular objectives in the Paris Call, that's why they enlisted various other governments, including the Five Eyes, including NATO, with some notable exceptions, which we can talk more about, as well as companies, civil society, and academia. And there's nine kind of core objectives, as I mentioned, as part of this Paris Call that are kind of worth just briefly mentioning before we dive in further, because they include a huge range of things. So how we think about peace and security and stability in cyberspace, obviously very broad, and includes elements like critical infrastructure protection, like the public core of the internet, undermining electoral processes. So there's a big part of making democracy harder to hack kind of built into this agreement, which is kind of interesting, especially when you see all the various groups that have signed on to it, as well as agreements to deal with cyber arms control and to prevent the proliferation of malicious cyber weapons, as well as kind of more basic calls for cyber hygiene across the board as an effort to kind of build due diligence. So again, kind of lots of low-hanging fruit options, but it is notable the extent to which they've been able to line up support behind these kind of core principles.
And what part does an organization like Indiana University have to play in this?
I think there's a couple of useful functions that universities can play as part of this. One is just helping to define the field and set the table. I mean, to this point, the folks interested in cyber peace or digital peace are a relatively small community, and that's in part made up of peace building scholars from various disciplines. So looking at the resolution of conflicts, for example, in regional hotspots, Africa and otherwise, as well as those that approach it from a much more technological perspective. So rarely has there been kind of a meeting of the minds or an opportunity to kind of share best practices across these disciplines. So I think first and foremost, universities can be helpful in just bringing together all of these different disciplines and starting to figure out what is the best that we can hope for in terms of peace on the Internet. And then we can think more about, you know, how can we get there more realistically. So I think as part of a gathering function, that's really helpful.
And universities are also, I think, really helpful to have as part of this process because, you know,
we're training the next generation of cybersecurity professionals right now that are going to go out there
and be at the front lines of how this process unfolds in the 21st century.
So having not only faculty, but having the students involved, I think is just essential.
That's one thing we're trying to do here through a new cybersecurity clinic that we've created.
And do you have any sense for what kind of timeline this effort is on?
It's an ongoing process. The first Paris Peace Forum, obviously, was this past November. There is a follow-up that's going to be scheduled for the following year. So we're going to be expecting an update this coming November. Before then, I've been told that the French government probably is going to announce an expanded list of supporters, but the exact timing of when that's going to actually happen is still a bit unknown. The Paris Call is also probably going to get a little bit of traction and some discussion at major forums that are going to be going on throughout 2019. It's going to be kind of an ongoing process of kind of socializing the concept, figuring out, you know, who is supportive and those that have already declared their support, trying to deepen those ties and build alliances between these kind of like-minded stakeholders around the world.
And where do we stand in terms of participation from the U.S. government?
So far, as you and your listeners might already be aware, the U.S. government has not signed up to the Paris Peace Forum and the Paris Call for Trust and Security in Cyberspace, which is a bit of an outlier at this point, considering that the rest of the Five Eyes, even Australia, has signed up to it at this point. You know, there's some concern there, I think, on the U.S. government side. I don't, of course, want to speak for them about how it could intersect with various recent policy changes on the part of the U.S. government, including kind of freeing the hands a little bit on the offensive side from U.S. Cyber Command. So it's going to be interesting to see how it plays out and if there's sufficient international pressure to kind of change minds, frankly, in the Trump administration about the call. But regardless of the actual U.S. government, there are a variety of U.S. stakeholders, both major technology companies like Microsoft, universities, of course, like IU, Tufts, and otherwise, and a whole range of centers and other nerve centers across the country that have signed up. So it's similar to what we're seeing kind of play out to an extent in the climate change context, where even though we're not getting a lot of leadership from the federal government right now, when it comes to climate change policy, we're seeing a lot of action at state, local, private sector, civil society groups getting involved. I think we're seeing a similar outcome and a similar kind of setup right now in the cybersecurity context as well.
And so what ultimately do you think will come from this? Are we heading towards international treaties or agreements? How do you suspect this is going to play out over time?
It's wonderful to have a crystal ball, and I wish mine was not as opaque as it is, frankly. There have been proposals for some time, for example, for a digital Geneva Convention or new international treaties. Even just updating the Budapest Convention, which is the Council of Europe Convention on Cybercrime, would be helpful. It's tough. It's tough to get agreement on new treaties.
There is not a lot of even foundational support for what types of things a new treaty, frankly, should regulate. We saw that with competing U.S. and Russian, you know, resolutions about the International Code of Conduct for Cybersecurity
this last October at the U.N. That's something Russia's been pushing for a long time. The U.S. is trying to get more countries on record for how they think international law should apply to cyberspace, which would be, I think, kind of a helpful step in building out state practice there. So I think, you know, you're seeing this as a step in the direction of further clarifying the norms, which can in turn gradually, you know, crystallize state practice and then kind of lay the groundwork for an eventual treaty. But when you look at, you know, how this played out after, for example, World War I and the initial kind of Paris peace process here, we had some agreements. We had, unfortunately, World War II intervene before finally we got the UN Charter. So I don't think we're hopefully going to be leading toward anything that dramatic, you know, in cyberspace. My hope is that there's not going to be anything that's going to shock the system to that extent, to galvanize action. But, you know, it remains to be seen whether this kind of, you know, slow bleed of attacks, Marriott and otherwise, are going to be enough to make people stand up, you know, or whether it's going to require something else for an eventual treaty to be negotiated. But I think the Paris Call really is a helpful step forward. But that's all it is. It's just a step in the right direction.
That's Scott Shackelford from Indiana University.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.