CyberWire Daily - Data breaches and data exposure. Privacy legislation. Improperly collected phone call records destroyed.
Episode Date: June 29, 2018. In today's podcast we hear that Ticketmaster UK's hacking incident will provide an interesting GDPR test case. Data aggregator Exactis left nearly two terabytes of personal and business information... exposed on the publicly accessible Internet. NSA destroys telephone call data collected in ways it can't square with applicable law. California hastily passes a data protection law. Ave atque vale Harlan Ellison. And our condolences to the victims of the shooting at the Capital Gazette in Annapolis. Dr. Charles Clancy from VA Tech's Hume Center, discussing his recent congressional testimony concerning supply chain security. Guest is Dr. Mansur Hasib, discussing his book Cybersecurity Leadership. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Ticketmaster's UK hacking incident will provide an interesting GDPR test case.
Data aggregator Exactis left nearly two terabytes of personal and business information exposed.
NSA destroys telephone call data collected
in ways it can't square with applicable law.
California hastily passes a data protection law.
Farewell, Harlan Ellison,
and our condolences to the victims of the shooting
at the Capital Gazette in Annapolis.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday,
June 29th, 2018. The breach at Ticketmaster UK, disclosed Wednesday, is likely to prove an interesting test case for GDPR enforcement. The company says the incident was due to JavaScript coding in a payment site chat application, and that this coding was the work of a vendor, Inbenta. Inbenta says, for its part, that it never intended its software to run on anything as sensitive as a payments page, and that Ticketmaster should never have used the bespoke code in that fashion.
Both companies agree that the problem has been cleaned up.
Ticketmaster said it discovered the malware on June 23,
but UK digital bank Monzo says it began noticing a pattern of paycard fraud
developing as early as April 6.
By April 12, Monzo believed it had
traced the problem to Ticketmaster and so informed them. This is the point at which the case will be
interesting from the perspective of the EU's General Data Protection Regulation. Under the
rules that came into full effect on May 25th, the company has 72 hours to report a breach.
The incident appears to have straddled the implementation date of GDPR,
but if the commissioners accept Monzo's April 12th warning as the time the clock should have started
and not the June 23rd discovery date Ticketmaster UK announced,
the case may prove a sticky and unpleasant one from the standpoint of regulatory risk.
Marketing and data aggregation firm Exactis inadvertently exposed its dossiers on 230 million Americans, essentially every U.S. citizen.
The data include, according to Wired, phone numbers, addresses, dates of birth,
estimated income, number of children, age and gender of children,
education level, credit rating,
interests, and so on. Other data include religion and smoking habits. Apparently no pay card or Social Security numbers, so you got that going for you, America. In addition to the 230 million individuals, Exactis also had data on 110 million business contacts. The researcher who found the Exactis information, Vinny Troia, founder of Night Lion Security,
noticed the nearly two terabytes of data in the course of a Shodan search that was sampling
publicly accessible Elasticsearch databases.
He was surprised by the extent of the information kept by Exactis.
Troia informed both Exactis and the FBI of his discovery last week,
and Exactis has since secured the data.
It's not clear that the exposed data were accessed and used for fraud or other criminal purposes.
So far, at least, that seems not to have been the case.
But the sheer scope of information collected, aggregated, and analyzed on people, most of whom had never even heard of Exactis, is striking.
Heck, we hadn't heard of them.
The company's slogan is People Data for a Digital World, and they describe themselves as a leading compiler and aggregator of premium business and consumer data, with over 3.5 billion records updated monthly, our universal data
warehouse is one of the largest and most respected in the digital and direct marketing industry.
They say their services work like this, quote: our unique triple validation data process triangulates every consumer record, individual contacts, not just household, against three active transactional files, assuring you the highest levels of accuracy across postal, end quote.
Their company blog has no entries more recent than February 12th of this
year, so there's no obvious comment on the data exposure. This is, however, the kind of thing
privacy advocates are always warning about. A company you know nothing about collects data on
you and uses it to develop a detailed profile that can be used for marketing or who knows what other purposes.
If this were an NSA database, the streets would fill with torches and pitchforks.
NSA, by the way, just announced that on May 23rd, the agency, quote,
began deleting all call detail records, CDRs, acquired since 2015 under Title V of the Foreign Intelligence Surveillance Act.
NSA analysts noted technical irregularities in some data received from telecommunications service providers.
Since they weren't able to distinguish properly from improperly acquired data,
they elected to delete all of it.
But to return to Exactis for a moment,
it seems likely that incidents like this will prompt
a wave of privacy regulation. California is surfing a bit ahead of that wave this week,
as the legislature in Sacramento hastily passed a bill that will phase in extensive privacy
regulations by 2020. The motivation for the quick and unanimous vote, and the governor's equally
quick action in signing it,
appears to have been a wish to forestall even more stringent privacy protections
that would have appeared as a ballot initiative up for vote by the state's citizens.
ISPs, and especially tech companies of the Silicon Valley tribe, were opposed to such regulation.
They seem likely to be less than happy with what actually passed,
but it appears better than what they would have been faced with had the initiative gone through. Motherboard rather
sourly grumps that lobbyists' fingerprints are all over the bill that passed, so big tech may
not have quite dodged a bullet, but at least it only winged them. Finally, two sad notes, one somber, the other tragic. The somber news is the passing of
Harlan Ellison at the age of 84. The science fiction writer was famous for his short stories,
screenplays, and novellas, of which I Have No Mouth, and I Must Scream was an early classic of what came to be called the cyberpunk genre. The tragic news is of our neighbors in Annapolis,
the staff of the Capital Gazette newspaper.
Five were killed and several others injured yesterday
by a gunman who felt he'd been defamed by the paper's accurate reporting
several years ago concerning his criminal conviction.
On a personal note, earlier in my career,
I spent time working side-by-side with John McNamara,
one of the five killed.
He was a talented writer, for sure,
but he was also a lot of fun to be around,
and he was a genuinely caring and curious man.
He deserved better than this.
His story should not have ended this way.
We extend our condolences to the victims. May the families and friends of those killed
receive consolation in their mourning. May those injured receive healing.
Thank you.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal
devices, home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Dr. Charles Clancy.
He's the director of the Hume Center for National Security and Technology at Virginia Tech.
Dr. Clancy, welcome back.
You recently had the opportunity to give testimony before Congress.
Bring us up to date here. What were you there for?
It was a hearing held by the Energy and Commerce Committee entitled
Telecommunications, National Security, and Global Competitiveness.
So it was really looking at how can we as a country protect the supply chain for our telecommunications infrastructure,
particularly buying foreign manufactured switches and routers and cell phones,
what impact that has on national security,
at the same time how to help make the U.S. telecommunications market,
both the vendors and the operators, competitive in a global landscape, particularly as we're moving towards 5G.
And is this related to the stories we've seen about Huawei and ZTE?
Yes, indeed it is.
And so there's obviously been a lot of pressure on Huawei and ZTE as two specific companies that have raised concerns. So right now we have a
rulemaking pending in the FCC that would prevent public money from being used to subsidize Huawei
and ZTE equipment purchased by smaller telecommunications companies. There's pending
language in the National Defense Authorization Act that would prevent the U.S. government from buying service from any
telecommunication operator that had any Huawei or ZTE equipment in their networks, which would
affect all the carriers, all the major telecommunications carriers, that is, here in the
United States. And there's also the belief that the White House will be coming out soon with an
executive order that will provide some specific prohibitions around Huawei and ZTE specifically. Now, what was your impression from the folks that you were testifying in front
of? What was the amount of understanding and receptiveness they had to the messages you were
delivering? Well, I think everyone understands the risks from a national security perspective,
but I think it was a very useful conversation with the committee and with the other witnesses.
I think we really helped with formulating this concept that a blacklist of two specific companies, Huawei and ZTE, may provide some near-term wins, both in terms of national security and in terms of politics, but that a much more nuanced approach to supply chain security is necessary if we're going to tackle this problem at scale. If not Huawei and ZTE, then different companies could pop up tomorrow,
next week or next year that would have similar concerns. And at the same time, if you look at
the supply chain of the modern iPhone, there are over 700 suppliers of parts into that device
from 30 different countries. And so whether it's the assembly of the iPhone or it's the fact that two-thirds of our chip manufacturing
is happening in Taiwan and China,
there are a lot of concerns associated with the supply chain.
And while Huawei and ZTE are two specific examples of that,
we really need a risk-based approach to assess end-to-end supply chain.
Certainly those two companies have done things that demonstrate
that they are potentially bad actors, but it's a much more complicated problem than that.
All right. Dr. Charles Clancy, thanks for joining us.
My pleasure.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Thank you. and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
My guest today is Dr. Mansur Hasib.
He's Program Chair for Graduate Cybersecurity Technology at University of Maryland University College.
He's a popular public speaker and opinion writer and author of the book Cybersecurity Leadership.
As I was visiting conference after conference, I was finding that there was, first of all, confusion about what the word cybersecurity means.
If you asked 10 different people, they would come up with 10 different definitions. There was no authoritative definition available anywhere.
And the other thing was people were too focused on the technology pieces, and they were forgetting about the people and the leadership aspects of it.
And so I felt like that is what I had done for 30 plus years.
I always developed my entire strategy around the people because the ultimate cybersecurity of any organization depends on the behavior of the people.
And if you cannot engage the people, it doesn't matter how much you spend on technology. At that time that I wrote the
book and I was starting to speak about it, hardly anybody was doing it. Now it seems like leadership
and governance is becoming big. And a lot of people have recognized that this is a very important
field. And maybe this is the most important field.
Now, how do you suppose the various paths that people take to positions of leadership, how does that inform how they approach leadership? Coming up different pathways, do you think that, what's the influence there?
Yeah, that's a very good observation. Actually, different pathways will probably influence it. If you're coming from a computer science background, you think cybersecurity is all computer science.
If you come from the social sciences background, which is what I did, you then see that cybersecurity is mostly about business because the whole technology environment exists to fulfill an organization's mission.
Without fulfilling the mission, technology is completely useless.
So I have always focused on what is the mission of the organization
and do we have an ROI for it and how do we justify the expenditures
and how do we strategically see multiple years ahead of us?
So, yes, I think the way people enter the field
may influence it heavily, even right now,
the way it's taught at various schools.
So, for example, if cybersecurity is part of a computer engineering program
or a computer science program,
you might find that all they're focusing
on is the technology aspects and maybe even a very small slice of the technology aspects of
the field. Whereas if cybersecurity is housed in a business school or a school by itself,
you will probably find that people approach it from a more holistic, interdisciplinary point of view. Cybersecurity is very interdisciplinary, so, in my opinion, it should never be run out of a computer science program, because cybersecurity is not computer science.
Let's dig into that. Tell me more. What's your perception of that?
So you probably saw in the very first chapter of the book, it's all about cybersecurity. And I talk about how cybersecurity has three primary goals: confidentiality, integrity, and availability. Those goals
are fulfilled through the strategic use of three types of tools. One are people,
then you have policy, and then finally technology. The other most important aspect,
if you saw the model over there where I talk about
that you have to look at the mission of the organization. So the cybersecurity strategy for,
let's say, a healthcare organization is going to be radically different from the cybersecurity
strategy of, say, a journalistic organization or an education organization or a mom and pop pizza
shop.
Definitely they're going to be very different. So the mission makes a huge difference.
The data, the information that each of these organizations are dealing with is also going
to be different. So you're going to need to have the risk calculation and the risk calculation is
going to be different. And the risks are of two types. They're positive as well as negative.
And then finally, you have to have governance.
Governance means you have to shape the behavior of the people
through some culture, some training, whatever that may be.
But if the people, so to give you a very simple example,
you probably saw that example in my book also.
Let's say you have a security system in your home.
All right, so that's technology. But that security system is completely useless unless the people in
your home actually arm the security system and then know how to use it. And when you do the
security system, you cannot just fortify a single window or a single door. Your security has to be thought out carefully. And part of it also is
when you have guests in your home or visitors, well, are they being trained in your security
system? So that the people aspect, the governance aspect, they're very important. And then the final
point is that cybersecurity is a process and a culture. So you have to perpetually improve over
time because if you don't improve, what happens is that the people that are trying to get into
your system, well, they're going to figure out a way because every system has vulnerabilities.
And if you never change, it's like a sitting duck. So this is the crux of cybersecurity. And
if people don't approach it from this holistic point of view and then take care of people, policy, and technology in that order, they will never succeed.
You can spend as much as you want on technology and it will never work.
So that is why people coming out of computer science programs only focusing on the technology and maybe just a small slice of it usually will not develop a holistic strategy.
One of the things that struck me as I was reading the book is time and time again you come back and emphasize the importance of having fun for an organization,
for yourself personally, and the importance of that as a leader.
Can you describe for us why the emphasis there?
Why does it matter so much to you?
Excellent point.
So one of the things that I did was that, as I described cybersecurity,
notice one of the things that I stressed on was that perpetual learning and innovation.
And that perpetual learning and innovation comes from people. If I'm a happy
person, then what happens? Basically, at the end of the day, I am a glob of chemicals.
So when I'm happy, there's a whole bunch of happy kinds of chemicals that are flowing through my
entire body. A happy person is actually much, much more innovative. They will learn more. They
will do more. They will be working without even feeling like they're working because all
these happy chemicals are flowing through their body. There's a whole body of neuroscience that
talks about how the attitude of a person makes a bigger difference in their success than their knowledge and skills.
Because if you're a happy person and your attitude towards your job is you're having fun and you're
enjoying it, guess what? You will learn whatever it is that you need to do very quickly.
Because this field involves perpetual learning, you will learn.
Why do I learn every day?
Because I'm having fun.
I enjoy this.
The people that I'm interacting with are fun.
So they teach me things and I teach them things.
So it's almost like a game.
And that's what I found over the 30 years that I ran organizations.
I was trying very hard not to lose people because it's much easier to have your cybersecurity strategy for your organization if you can retain the people that you hire.
Mainly because I view people as investments.
I invest more and more knowledge into them.
As they stay longer, they understand the company more.
They know where we're headed. We can work as a team better because think about multiple players
in a team. If the players never practice together, they're not going to win. It doesn't matter if
you have superstars or not. So a bunch of reasonably mediocre players playing well together
can actually win against a bunch of superstars that don't know how to play together. So that was why I felt like building the team, making sure they were having fun, helped me in retention. Because if people were having fun, they usually wouldn't be looking around even to see if there were other opportunities. Because
the problem is that if your people are constantly looking around for other opportunities,
their focus is not on your organization or your job or their job.
Their focus is on something else.
And that's when it's a recipe for disaster.
That's Dr. Mansur Hasib.
The book is Cybersecurity Leadership. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Thanks for listening. We'll see you right back.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.