CyberWire Daily - Comey's testimony calls Russian election influence operations massive and ongoing. New Android malware. Malicious hyperlinks infect with a mouse-over. Data privacy issues.
Episode Date: June 9, 2017
In today's podcast we hear that whatever else former FBI Director Comey told the Senate, one thing is clear: he's convinced the Russians are fully committed to influence operations, and that they'll be... back. More on disinformation and hacking in Qatar. Fresh malware surfaces in the Android ecosystem—some but not all has been booted from the PlayStore. Mousing over a malicious hyperlink can now be an infection vector. Cryptocurrencies, money transfer, and money laundering. Ben Yelin explains Florida money laundering legislation aimed at Bitcoin. Will Ackerly from Virtru discusses privacy and the right to be forgotten, online. GDPR and some thoughts on the distinctions among anonymity, privacy, and security.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Whatever else former FBI Director Comey told the Senate, one thing is clear.
He's convinced the Russians are fully committed to influence operations and that they'll be back.
More on disinformation and hacking in Qatar.
Fresh malware surfaces on the Android ecosystem.
Mousing over a malicious hyperlink can now be an infection vector.
The GDPR and some thoughts on the distinctions among anonymity, privacy and security.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, June 9, 2017.
Former FBI Director Comey's testimony yesterday before the U.S. Senate Intelligence Committee has proved something of a Rorschach test for media observers.
As Wired's headline writers put it,
James Comey said exactly what you wanted him to say.
There's indeed much on which partisans on both sides may fasten,
and fasten they have.
So we leave these dueling narratives to sort themselves out and turn to something less ambiguous,
Russian influence operations during the U.S. presidential elections.
Comey said, quote,
There was a massive effort to target government and near-governmental agencies, like non-profits, end quote.
The former FBI director said he became aware of the campaigns in 2015,
which would be around the time Cozy Bear began its quiet snuffling at U.S. political networks,
and long before Fancy Bear barged noisily into the Democratic National Committee's servers.
There were, Comey said, hundreds of entities targeted,
so the operations were not confined to the DNC.
Much commentary has talked up the novelty of the operation,
representing election influence as something new under the sun.
But of course it's not, and Comey was quite clear on that point,
describing such operations as representing long-standing Russian practice.
They'll be back, he noted.
To summarize some recent Russian operations post-November, they appear to have taken a swipe at President Macron's campaign in France,
and possibly at the snap elections Prime Minister May called in the UK.
The UK case is interesting in that there seems to have been some organized sock puppetry and Twitter mobilized in the interest of Labour leader Corbyn. Influence
efforts in France seem to have had little effect. Whatever took place in the UK was
overshadowed by terrorism and ongoing controversy over Brexit. Prime Minister May's Tories lost
seats, but she will still seek to form a government.
Another influence operation does seem to have had significant effect,
this one aimed at discrediting Qatar's government with hoaxed communications
expressing support for Zionism and Iran's Shiite Islamic Republic.
The U.S. FBI, which is assisting with the investigation,
thinks the Russians indeed are already back,
as former director Comey predicted.
In this case, there's a progression from doxing to disinformation, fake news,
and this represents an escalation in an ongoing information war.
More problems arise within the Android ecosystem to trouble enterprise users.
Zscaler reports a malicious Android package representing
itself as a cleaning app from Google, Kaze Cleaner. It secures admin rights on infected devices and
uses them to display ads, download other apps, and so forth. And Kaspersky has found rooting malware
DVMap hiding behind a simple puzzle game, Colorblock. Google has ejected this one from the Play Store.
Various security companies report seeing new malware,
Zusy, in spam campaigns.
Its payload is delivered in a malicious PowerPoint file
that infects users who mouse over links in the presentation.
Many researchers warn that this represents
a new and insidious infection vector.
You needn't click to catch this virus.
Just position the cursor over the malicious hyperlink and bam, you're caught.
Popular cryptocurrency exchange BTC-E has been sustaining
distributed denial-of-service attacks since this Monday.
Users are unhappy and the exchange can't be happy either.
Such exchanges depend on high availability
for their survival in the market.
There's now less than a year before the European Union's General Data Privacy Regulation, or
GDPR, takes full effect. It will have effect far beyond the EU, and enterprises worldwide
are working fitfully to prepare themselves. We received comments from security firm Ntrepid's
Lance Cottrell in an email.
Tracking, he argues, is here to stay, because collecting user data drives the Internet economy.
Innovation in data collecting will continue its seesaw competition with law and regulation.
Cottrell said, quote,
The GDPR is focused on notice, consent, control, and security.
Websites need to let users know what is being collected.
Users must opt in to having their data collected and stored.
They have a right to have their information deleted
and to take it to another website.
Finally, businesses have an obligation to protect the data they collect.
End quote.
We'll see stricter breach reporting requirements, he believes,
and users will have a right to ask that their data be deleted,
but he thinks not many people will take the trouble to ask that they be forgotten.
The main effect users will see are notices that the websites they visit
are collecting all kinds of information.
You can agree, or you can get off the site.
A lot of vendors are enhancing the privacy features of their products,
but there are distinctions to be made here among privacy, anonymity, and security.
Ntrepid's Cottrell would like to remind everyone that these changes won't necessarily make you more secure.
He notes, for example, that the Intelligent Tracking Prevention capability Apple's Safari browser boasts
will help with privacy, but it's far short of giving you anonymous surfing.
Quote, it should reduce the creepy experience of seeing a product you looked at in an online store So, maybe less creepy, but not at all anonymous.
The internet still knows it's you, even if it's not always showing you ads for veterinary products to help care for your pet wombat.
And you just had to post pictures of Sammy the pet wombat
on all your social media accounts, didn't you?
After all, Sammy is just too cute to keep to yourself.
Joining me once again is Ben Yelin.
He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, welcome back. A story came by on the Miami Herald about Florida pushing towards being able to go after people who use Bitcoin,
having them face money laundering charges.
What do we need to know about this?
Sure. So before this law was considered, and it has been passed by both houses of the Florida State Legislature,
people using Bitcoin for nefarious activities, for drugs or prostitution,
were not subject to prosecution under state money laundering laws because under
Florida state law Bitcoin didn't qualify as money under the legal definition.
If this bill were to pass, it would bring into parity the definition of money. So if somebody
used a bitcoin to procure drugs or to procure some other sort of illegal services, they would be subject to
prosecution for money laundering. And I think it's an effort to modernize our laws to recognize that
these online currencies can function as actual currency. But there's some pushback on this. I
saw there was a gentleman named Charles Evans, who's an economist and a virtual currency expert,
said that before long, we're going to see coat checks, tickets to Disney World,
and discount coupons regulated as money in Florida.
What's your take on that?
Yeah, so there is a potential slippery slope argument.
I think what that professor has argued is that Bitcoin isn't actually money.
It's not protected by the Federal Reserve.
It's not issued as a currency.
It's more like a piece of property,
like any sort of valuable piece of property
that can be traded for anything else.
And I think that's a valid viewpoint.
I think when somebody makes a slippery slope argument,
I'm always suspicious because in most cases, we don't actually follow the slope.
I don't think there's going to be any effort at the state legislature to arrest people for selling coat checks and tickets to Disney World. really does serve as a currency replacement, as opposed to any sort of piece of tangible property,
which may in limited circumstances, you know, fill in for currency, but it's not, it doesn't to the
same degree that Bitcoin does. I mean, there are millions of transactions online where Bitcoin is
the means of exchange. And I think the state of Florida is recognizing that the laws have to
conform to that reality.
And so let's say Florida enacts this law.
Would other states be expected to follow?
I think Florida might be the first in a long line of states who seek to remedy this problem.
What a criminal statute for money laundering is trying to prevent is the sale of goods and services that society has deemed undesirable or illegal. And if we are not able
to prosecute because the currency uses an online currency instead of an actual Federal Reserve
issued currency, I think the purpose of our money laundering laws wouldn't be fulfilled in the same
way. So I think it's important for other states to look
at what Florida is doing and potentially modernize their laws to bring these Bitcoin-type online
currencies into the legal framework.
All right, Ben Yelin, as always, thanks for joining us.
My guest today is Will Ackerly.
He's the founder of Virtru, a security company that specializes in privacy and data security.
He joins us today to discuss recent changes in the ways internet service providers can handle your private data,
changing privacy regulations in the EU, and the notion of there being a right to be forgotten online.
There's been a lot of uncertainty about the future in the United States, clearly with
how ISPs are going to be regulated moving forward. Can they sell your data? Can they do whatever they want with it? And then, you know, in Europe,
with GDPR coming into force in 2018, a lot of questions about how that's going to have an impact
on companies really everywhere in terms of enforcing the obligations that they have. And
GDPR in particular has a section around the right to be forgotten, where if an individual wants,
they can say not only,
hey, I want my data back for portability, but rather, I don't want you to have my data anymore
and have guarantees around that. So I think it's becoming a lot more thought about by companies,
by lawmakers and individuals.
How is it shaking out? You know,
we see some of the large companies who sort of take the side on the privacy as a priority.
And then obviously some of the other large providers say, no, we're going to use as much data as possible to be able to sell ads to you or be able to customize our presentation of the things we present to you.
Is there any sense for what direction is sort of winning out in that tension between them?
Yeah, I think the natural market dynamics over the last decade or so has been working really
in the favor of the large companies that are gathering our data and monetizing at scale.
The Economist had two articles really where they said that data this century is what oil was for the last century.
And that really bears out if you look at companies with incredibly large market caps.
Facebook is one where, in a sense, your data is what gives them value. The European law and lawmakers have said, as lawmakers, as a very
large market, they have an opportunity that they're seizing upon to say, look, where market
forces might not be working in favor of consumers, where consumers might think they don't have a
choice or they're not feeling necessarily the consequences at an individual level or what have you, there is some momentum
that direction. And I think there is a huge opportunity to demonstrate that from a technical
standpoint, it is possible to take that law and memorialize it in a way where individuals,
regardless of what might happen tomorrow, will have a persistent control over their data.
These large service providers are international companies.
So how will the restrictions in Europe affect their processes,
how they handle privacy here in the United States?
Is it going to be easier for them to adopt one standard
so that they don't have to worry about data flying back and forth
or inadvertently finding itself overseas?
Yeah, I think generally the way companies we've seen are doing this is if they have a requirement
that has any value elsewhere, they're going to deploy it across their entire infrastructure.
It also is just from a cost-saving standpoint, right? You don't want to have to maintain
two separate frameworks. So you have really what amounts to a high watermark
in a lot of cases.
And so you have, in a sense, trickle-down effects
where they put the work in, the NRE is done, right?
That non-recurring engineering cost
to solve the problem in one place
means that much higher likelihood
it'll be used elsewhere.
So I'm optimistic.
There are a lot of companies that
I've talked to who are excited about the opportunity actually to put control very
aggressively back into the hands of the individual. There are some companies that say,
look, this is impractical. This is too short of a time frame and are really, really pushing back.
But I do see some people leaning forward and saying, no, this is really going to be good for the individual.
Swinging back to the notion of the right to be forgotten, with so much data being stored in
the cloud at other places, how can a service provider guarantee to an individual that a
piece of data has actually been deleted? I think about the
distributed nature of storing all that data and even that it's duplicated and backed up and
locked away places. How can that promise be trusted?
Yeah, that's a great question. In a lot
of cases, you're still going to have to trust the providers with your data.
There are cases where we can move that ball forward and you can have actual confidence because the data that you submit into the cloud can start its life encrypted.
If you take cloud storage or even email, for instance, you can encrypt the files that you share and the emails that you send in a way where your providers never have access to begin with.
So those can start their life in a way where they don't have access and it's in a sense already forgotten.
And you can start from that position and say, okay, from that point, I can then affirmatively make choices around under what conditions that data can get unlocked and provide additional value and insight.
But where your data, even if it's backed up on a tape or on, you know, copied globally, if that data is encrypted with a key that you control, if you delete that key, then you can have a cryptographic guarantee that all of those copies are inaccessible.
There are caveats, obviously, in terms of if someone else has already unlocked it, what sort of strength of protection is there in terms of the obligation not to store that
key somewhere.
But there are techniques out there.
Our thanks to Will Ackerly from Virtru for joining us today.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for
listening.