CyberWire Daily - Facebook agonistes. Election meddling. Livestreamed hack gets cancelled.

Episode Date: October 1, 2018

In today's podcast we hear an update on Facebook's data breach, including EU inquiries, Congressional attention, FTC scrutiny, and user unhappiness. The threat of Chinese election meddling seems to be... a matter of concern in the US Intelligence Committee. And, despite promises, there was no livestreamed obliteration of much of anything yesterday. Rick Howard from Palo Alto Networks on rebooting the kill chain. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_10_01.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Ah, Facebook. They're facing EU inquiries, congressional attention, FTC scrutiny, and user unhappiness.
Starting point is 00:02:10 The threat of Chinese election meddling seems to be a matter of concern in the U.S. Intelligence Committee. And despite promises, there was no live-streamed obliteration of pretty much anything yesterday. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 1st, 2018. Wired has published a useful summary of what's known about Facebook's large data breach, disclosed last Friday. On September 16th, the company noticed an unusual spike of users accessing Facebook and began an internal inquiry. On September 25th, they determined that someone had exploited a set of vulnerabilities in Facebook's View As feature, the one that lets you see your profile as others see it. The bugs interacted in what the company calls a complex way, and they think whoever the so far unidentified hackers were exhibited an unusual degree of sophistication.
Starting point is 00:03:07 On September 28th, Facebook disclosed that some 50 million accounts have seen some compromise of personal information. No criminal abuse of that information is so far known to have occurred. The bugs the hackers exploited came into existence during a 2017 upgrade. It's worth noting that the investigation is in its early phases, and it's possible the breach may either be worse than believed or that other issues will turn up as people continue poking around. One hopes that things aren't so bad,
Starting point is 00:03:39 and it is possible that there will turn out to be no criminal abuse, but that hope seems, relatively speaking, weaker than the fears. After all, the criminals got something, and presumably they're not mere hobbyists collecting PII the way others collect stamps. The incident has drawn more regulatory scrutiny from the European Union. Ireland's Data Protection Commission, which serves as Facebook's lead privacy regulator for the EU, announced Saturday that it has required the company provide more information about the incident, including which European residents appear to be affected. Fines under GDPR could reach $1.63 billion.
Starting point is 00:04:21 The UK has also told Facebook CEO Mark Zuckerberg that they want him to testify before Parliament about what some MPs call the terrible disrespect shown British citizens' data. Industry reaction to the Facebook breach has been to approve generally of the company's incident response, while deploring the missteps that permitted the exploitation in the first place. The company was able, for example, to meet the EU's 72-hour deadline for breach disclosure, which some think will be a point in Facebook's favor when and if the EU decides to levy a fine, perhaps turning a whack on the head into a tap on the wrist.
Starting point is 00:05:03 But it's early in the investigation to make any forecasts. In a separate action, the European Parliament is considering initiating an audit of Facebook over its entanglement with the Cambridge Analytica data scandal. Last week's disclosure seems to have largely undone whatever good was worked by COO Sandberg's testimony before the U.S. Senate. The U.S. Federal Trade Commission wants some answers, which is rarely a good thing for the company being asked to provide them, and comprehensive U.S. privacy legislation seems, at least today, likelier. The current FTC inquiry into Facebook predates Friday's disclosure and addresses the question of whether involvement with Cambridge Analytica violated a settlement Facebook reached with the FTC back in 2011.
Starting point is 00:05:48 As FTC Commissioner Rohit Chopra told Gizmodo, quote, these companies have a staggering amount of information about Americans. Breaches don't just violate our privacy, they create enormous risks for our economy and national security. The cost of inaction is growing, and we need answers, end quote. And Facebook's handling of phone numbers users presented with to use as a second authentication factor has also provoked controversy. The numbers are used to enable SMS authentication. Researchers at Northeastern University and Princeton University say they've determined that Facebook uses those phone numbers to improve ad targeting.
Starting point is 00:06:28 Gizmodo calls the practice shadow contact information. Facebook doesn't really say they do this, but they did answer a question from TechCrunch as follows, quote, We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people
Starting point is 00:06:49 upload or add to their own accounts. You can manage and delete the contact information you've uploaded at any time. The company also suggested that if you are unhappy with the uses to which it puts the phone number you give it for SMS authentication purposes, then you're always free to turn off two-factor authentication. Reaction to this suggestion has been generally chilly, since two-factor authentication is widely regarded as a sound security practice, and besides, what are they going to do with that phone number you gave them in the first place? We would probably do well to remember that Facebook's business model involves using its free service to target advertisers toward its users. If you're a Facebook user,
Starting point is 00:07:32 you're aware of this, surely. There's nothing wrong with advertising, but it's good to be clear with people about what you're doing with respect to targeting. Turning to election security, it appears there will be no further congressional action before the U.S. midterms, which some lament, given widespread concerns about vulnerabilities in electronic voting systems. There may simply not have been enough time to do anything for 2018, and in any case, there are important jurisdictional and even constitutional issues at play. Voting is for the most part a state and not a federal matter. President Trump last week took a shot at China for the threat he said it posed to U.S. elections.
Starting point is 00:08:15 Congressional woofing from across the aisle aside, the concerns he expressed are not apparently out of step with those within the U.S. intelligence community. There seems to be, the Voice of America says, a tendency by the Chinese government to follow the Russian influence operations playbook. Security firm FireEye has noticed, for example, an uptick of Chinese spear phishing directed at think tanks and other targets that would be of political as opposed to economic interest. It's also worth noting that, like the Russian operations, these are influence operations as opposed to, for example,
Starting point is 00:08:49 manipulation of vote counts or databases. The Russian influence operations in the 2016 election cycle seem to have as their goal the sowing of mistrust. Whether Chinese operations will have a tighter focus remains to be seen. And finally, to return to Facebook, that guy in Taiwan who was going to livestream his obliteration of Mark Zuckerberg's official Facebook page over the weekend decided against doing so. Instead, Mr. Shang Shi Huang applied for a bug bounty.
Starting point is 00:09:21 On Sunday, according to Bloomberg, which is watching the goings-on, Shang said, quote, I'm canceling my live feed, I have reported the bug to Facebook, and I will show proof when I get a bounty from Facebook, end quote. In the meantime, he posted to his own Facebook account this little bit of self-examination, quote, I shouldn't try to prove myself by toying with Zuck's account, end quote. It's not known whether Shang and Zuck are on a nickname basis, but signs point to no. I mean, we're not on a nickname basis ourselves. And besides, Zuck has other fish to fry this week.
Starting point is 00:10:04 Calling all sellers. Thank you. and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:11:08 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached.
Starting point is 00:12:11 Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks, and he also heads up Unit 42, which is their threat intel team. Rick, welcome back. We wanted to talk today about the kill chain, specifically this notion of rebooting the kill chain. Let's start with some basic stuff here.
Starting point is 00:12:41 What is the kill chain, first of all? Sure. Hey, Dave, thanks for having me back. The intrusion kill chain was based on a paper written by the Lockheed Martin researchers back in 2010. It was this grand realization that there are humans behind every attack and that it isn't just one single thing they have to succeed in to accomplish their mission. They really have to accomplish several things down this thing they call the kill chain. And it's basically they recon their victims for potential weaknesses. Then they craft some weapon that will leverage those weaknesses and they deliver it to some end point in the victim's network. And that could be a laptop, a server, printer, a fax machine, anything that they can get a foothold. Then they trick the victim, some user in there to
Starting point is 00:13:30 running that weapon and establish a beachhead on one of the endpoints. Now, they have not succeeded yet. They haven't accomplished their mission, but now they're inside the network. And what they normally do then is establish some command and control channel back out to the Internet to download additional tools. Once they get that done, they usually move laterally in the victim's network looking for the data they've come to steal or destroy. And once they find it, then they exfiltrate it out the command and control channel. So that's essentially what the intrusion kill chain is. Does that recollect what you know about it? Sounds good to me, but how do we go about rebooting that? Well, we all thought when that paper came out that that was
Starting point is 00:14:11 going to change the industry for the good, and it did for the most part. The model is fantastic, but what happened is we failed to remember the human part of those adversaries, okay? What manifested in the industry is that we started sharing indicators of compromise in bags, you know, big giant bags, right. And with no context about what the adversary was doing and where it was even on the intrusion kill chain, just, Hey, this is bad. And, you know, we should, you know, do something about it. Right. And that made us get into this, I don't know, this treadmill of activity where we have so many of these things coming in that we can never keep up,
Starting point is 00:14:49 and we always feel like we are never catching up, and that is true. So rebooting it is to try to get back to the idea, and this is what the Cyber Threat Alliance, it's kind of a sharing intelligence group for security vendors, and Unit 42, the Palo Alto Networks Threat Intelligence team has been advocating for the past five years. Try to flip the equation again, get back to embracing the adversary idea. So from a practical point of view, what does this look like? All right. So the idea is that network defenders should be deploying prevention and detection
Starting point is 00:15:23 controls at all locations on the intrusion kill chain designed specifically for all known adversary campaigns. In other words, we need to get off this treadmill of just looking at, you know, non-related indicators of compromise and actually do something specific for the adversaries that are attacking us. This is an important idea, right, because the network defender community already comprehends much about how adversaries run their attack playbooks. For all the new adversaries out there making headlines, most of the techniques they use are not new. And we estimate collectively in the Cyber Threat Alliance that we probably as a community understand approximately around 99% of what the adversaries are doing on any given day, right? So that's an amazing stat. The challenge, though, has been how do we organize that information and share it with the world at large? And it turns out this is way more complicated than it sounds. You know, just share it. How
Starting point is 00:16:14 hard can it be, right? So after much debate, okay, within Unit 42 and the Cyber Threat Alliance, we agreed that this is what constitutes an adversary playbook. So you're ready? I'm ready. Okay, here, I'm going to hit you with it. Okay. First, an adversary playbook is one or more adversaries. And when I say that, I'm not saying I want to attribute the adversary. We don't really care that it's the Russians or the Chinese or even Joe down the street, just an acknowledgement that there are humans behind the attack with motivations and a mission. So one or more adversaries who run one or more campaigns, and campaigns are delineated by timeframes. An adversary may run a campaign from June to July
Starting point is 00:16:58 and then stop for a bit, change a little something in the next one. It's mostly the same, but they might change a little piece of it and then run a second campaign, you know, from August to September. So one more cyber adversary is running one more campaigns. And then in that attack sequence down the intrusion kill chain, they use a variety of techniques to attack their victims. All right. So we try to collect all those. And then finally, when they run those attacks on their victims' networks, they leave indicators of compromise in their wake when they do. So we collect all that. We wrap all that up, including the techniques. And we use MITRE's attack framework, okay, to standardize on the language so that we're not making it up as we go.
Starting point is 00:17:39 And we wrap all that into a STIX2 package and share that with the Cyber Threat Alliance and anybody else who wants to grab it. Now, if you want to see what these things look like, just use Google to search for unit 42 playbook viewer. And you see we've published 90 of these things. So you can look at them and grab them if you want. But here's the thing. The current theory by the Cyber Threat Alliance is the number of active playbooks running on the Internet on any given day is probably less than 100. Some of us think it's less than 50. Right. And that is a number we can get our hands around. If we could capture and maintain all the adversary playbooks, if it's less than 100, that's a thing or a problem we can solve. So our mission here then is to build and maintain
Starting point is 00:18:25 all the known adversary playbooks that exist in the world so that the network defenders of the world can automatically deploy prevention and detection controls to their defensive posture in real time. And that's the key. We're all moving to orchestration and automation. We need to be able to collect the intelligence in a way that it can be automatically processed and deployed to our prevention controls. And indeed, that is the reason Palo Alto Networks helped build the Cyber Threat Alliance in the first place. Unit 42 is cranking them out as fast as we can. So far, we've built nine this past year, and we're on track to publish about 36 of them by the end of 2019. and we're on track to publish about 36 of them by the end of 2019.
Starting point is 00:19:09 So the Alliance consists of vendors who can already update their own products with the latest prevention and detection controls down the intrusion kill chain based on shared adversary playbooks. Now, if Alliance members are contributing to and sharing intelligence for all known adversary playbooks running on the Internet, their shared customers, the communal base of customers that we all have, okay, know about 99% of what's going to happen in the world, okay? Even if something is new, the alliance can deploy prevention controls to shared customers around the world in minutes to hours. And that would be an amazing capability if we can get all that done. We're not quite there yet. We need more vendors in the alliance.
Starting point is 00:19:45 So here's the ask, David, okay? If any of your listeners are buying security kit this year, they should be asking their vendors why they are not members of the Cyber Threat Alliance. And if I can be so bold and insist that you not buy them unless they are part of the alliance, okay? It just makes the entire community more safe, and that's the direction we should be going.
Starting point is 00:20:06 All right. Well, it's a compelling pitch. Rick Howard, thanks for joining us. Thank you, sir. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, Thank you. and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the CyberWire.
Starting point is 00:21:04 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. a smart speaker too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
Starting point is 00:21:26 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri,
Starting point is 00:21:35 Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe,
Starting point is 00:21:42 Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. Pure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
