CyberWire Daily - Facebook agonistes. Really agonizing. Ad-supported apps like them some data. Sino-US trade tensions and Chinese cyber espionage. Russian wet work and disinformation. Western reprisals.

Episode Date: April 5, 2018

In today's podcast we hear that Facebook's troubles are getting worse: more people's data were scraped, deleted videos were archived by Facebook, and so on. Appthority finds a more general problem with ad-supported apps: they're all hungry for data. Sino-American trade disputes are thought likely to find expression in cyber espionage. China's more interested in confidential financials than in IP. Russia and the West remain at loggerheads. One tip from Sweden on countering Moscow's info ops: don't get caught dancing in yellow rain boots. Joe Carrigan from JHU on power companies charging a premium rate for bitcoin miners. Guest is Larry Cochran from Claimatic on how driverless cars and automation are changing the landscape for insurance carriers.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. were scraped, deleted videos were archived by Facebook, and so on. AppThority finds a more general problem with ad-supported apps. They're all hungry for data. Sino-American trade disputes are thought likely to find expression in cyber espionage. China's more interested in confidential financials than in IP. Russia and the West remain at loggerheads. One tip from Sweden on countering Moscow's InfoOps,
Starting point is 00:02:27 don't get caught dancing in yellow rain boots. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 5th, 2018. Facebook's bad patch became yesterday even more horrible, if that can be imagined. The company acknowledged that after further review, it thinks it may have exposed 87 million users to Cambridge Analytica's data scraping. Worse yet, various apps over recent years appear to have scraped the data of about 2 billion users, as close to everybody as makes little difference. It's worth noting again, as people have observed since the data scandal began, that such scraping doesn't represent hacking or exploitation; rather, it's unwelcomely creative use of a number of the platform's features,
Starting point is 00:03:16 and its users' disposition to grant too many permissions as they decline to pay attention to an unnecessarily complicated set of privacy and security settings. Facebook says it disabled one of the principal features various apps took advantage of to pull in user data. This was the search functionality that enabled users to look for people by entering their email address or phone number. They've also revoked the possibility of other third-party applications, like the widely used social media management platform Edgar posting to, for example, Facebook groups. There's also a lot more Facebook is saving in user archives
Starting point is 00:03:52 than most users suspected. After the Cambridge Analytica matter broke, many Facebook users downloaded their Facebook data archive. Why would one do that, we ask parenthetically? Here's why. Many users did so because they were considering killing their accounts entirely and wanted to retain material they'd posted to the platform. Looking at the archive, people were surprised to find that Facebook had retained a lot of
Starting point is 00:04:16 information they thought it shouldn't have, like deleted videos. And in fact, every video you ever made on the platform, whether you ever posted it or not. This discovery has been embarrassing to Facebook, which blames it on a bug and oversight and says it will do better. The optics have been very bad indeed for Facebook. CEO Mark Zuckerberg can be expected to have an interesting time next Wednesday when he testifies before a U.S. House panel looking into data privacy issues.
Starting point is 00:04:48 It's only fair to say that this sort of problem isn't confined to Facebook. Mobile security company AppThority studied iOS apps in corporate environments and found more than 24,000 advertising-supported apps are hiding their strong appetite for user data more or less in plain sight, cloaked in EULAs and complexities. As connected cars continue to be a larger part of our automotive fleet, eventually leading to self-driving cars and perhaps even driverless delivery vehicles, they've naturally drawn the attention of the insurance industry.
Starting point is 00:05:22 Larry Cochran is CEO of a software-as-a-service company called Claimatic that helps companies automate insurance claims. He joins us with his thoughts on where automation and advanced technology are leading the insurance industry. Advanced driver-assisted systems include adaptive cruise controls where, you know, the automobile can determine whether you need to slow down or the car can actually slow itself down as it's approaching traffic. It can do emergency braking, recognizing before the driver that the brakes need to be applied and actually doing that. It can do cameras in the vehicles that can notice when a driver is getting drowsy and actually waking the driver up or, if necessary, applying brakes. And then telematics, which provides constant monitoring of the vehicle
Starting point is 00:06:15 and situation. For instance, if you have the vehicle as an impact and being able to transmit that information to any number of parties that can track that information. So with this first stage, the figures are that as much as a 40% fewer accidents in the next few years will result because of ADAS. And so that's potentially a very big impact. The impact on the insurance industry, which I'm a part of, it is a little bit harder to determine the potential financial impacts because with all of these new technologies also comes a lot of extra cost, and therefore the repairs to vehicles with all these technologies is much more severe. What about the potential for shifting liability? In other words, if my car is making decisions
Starting point is 00:07:13 rather than me making decisions, does that open up the possibility that liability could shift to the manufacturer for making a bad choice? Absolutely, yes. And that is going to be probably the biggest shift in the landscape of insurance that's probably happening since the invention of the automobile. Now, if one of these systems fails and a customer or consumer has been reasonably relying on that system, then there's a good chance of exposure to the OEM, the manufacturer of the device, the vehicle. And so therefore, there will be a transformation of risk being transferred from the traditional personal lines insurance carrier to the OEMs. There's a lot of opportunity here, and most companies, whether they're insurance companies or other companies involved in
Starting point is 00:08:11 providing tools, they all should be looked at in terms of redirecting high-volume routine tasks that have clear decision points and pathways over to automation and redirecting the personnel that are currently involved in doing these repetitive road types of tasks to employing them more and redirecting them more towards helping with the consumer or customer journey. And I think that's where the big opportunity is. That's Larry Cochran. He's the CEO at Claimatic. As the U.S. and China squabble over tariffs, with China complaining of protectionism, and the U.S. charging China with aggressive IP theft and unfair trade practices,
Starting point is 00:09:01 U.S. officials brace for a round of renewed Chinese cyber espionage. In the ongoing round of hacking, it's not so much intellectual property the Chinese operators are after as it is business and financial information on U.S. companies. Security firm FireEye reports that the cyber espionage is particularly directed at getting bid prices, contract details, and information relevant to mergers and acquisitions. Some observers note that this seems to represent a kind of formal compliance with the letter, if not the spirit, of the non-hacking agreement China concluded with the previous administration. We're unlikely to see this kind of activity abate any time in the near future. Russia's brassy attempt to have its charges of provocation by Novichok
Starting point is 00:09:43 validated by the Organization for the Prohibition of Chemical Weapons, the OPCW, has failed, voted down 15 to 6, with 17 abstentions. Moscow has suggested that the attempt to kill former GRU officer Sergei Skripal and his daughter Yulia with a highly unusual and little-known binary nerve agent, was actually a British provocation. Or maybe an American provocation. Or probably aided and abetted by the Czechs. All of these countries have denied, of course, any such involvement, and essentially no one believes the accusation, especially not the Russian organs. But Russia sought a resolution in The Hague from the OPCW that would pressure the British government to bring Russia into investigation of the attack as a full partner.
Starting point is 00:10:30 It failed in this, and as we noted, really no one thinks anyone but Russian espionage services were involved. The list of countries voting with Russia is interesting. They're either subordinates to Russia or powers who have an independent interest in embarrassing the UK. Lining up with Moscow's bid to demand the UK conduct a joint investigation of the Salisbury nerve agent attack were China, Azerbaijan, Algeria and Iran. We'd wager a month's pay they don't believe it either. British investigators say they've identified with high confidence the lab in Russia where the Novichok agent was produced. Since high confidence doesn't mean mathematical
Starting point is 00:11:11 certainty, some of the few who actually appear to swallow the Russian line say they doubt the wet work was really Russian. Among them is UK Labour Party leader Jeremy Corbyn. We understand the itch to use any convenient stick to whack an opposing political party. Not that we approve necessarily, but at least we understand it, because we've seen the House Intelligence Committee. But this appears to argue an odd streak of Russophilia sitting beneath Mr. Corbyn's Lenin cap. Has no one told him Russia really hasn't been communist since Gorbachev dissolved the Central Committee in August of 1991? In any case, the UK and Russia are headed for a showdown at the UN.
Starting point is 00:11:52 Russia categorically denies ever having produced the Novichok agent. So tensions remain high with strong expectations that they'll find expression in cyberspace. The U.S. is said to be preparing sanctions against at least six Russian billionaire oligarchs with close ties to President Putin. Two of the targets are said by anonymous sources in the administration talking to Radio Free Europe, Radio Liberty, to be Alexei Miller, CEO of natural gas giant Gazprom,
Starting point is 00:12:22 and Igor Sechin, CEO of the country's dominant and state-controlled oil company Rosneft. Sanctions could be announced as early as this afternoon or tomorrow. Outgoing U.S. National Security Advisor McMaster's valediction was an unusually direct and forceful condemnation of Russian behavior and a call to impose costs on that country's government. More significantly, Director of National Intelligence Coats yesterday said that the U.S. government was seriously considering a retaliatory cyber-offensive against Russia. Previous policy statements had concentrated publicly on defensive measures.
Starting point is 00:13:01 The principal offenses being mentioned in these discussions of possible retaliation are attempts to influence U.S. elections and cyber reconnaissance that amounts to battle space preparation of the U.S. power grid. So what can be done to counter Russian information operations? It's got an oddly paradoxical quality, simultaneously asserting we didn't do it, you did, and but look at what we can do. We'd call it dialectical, but then the Russians haven't been dialectical materialists since August 1991. Sweden actually has long experience with this, mostly deriving from its long-running attempts to keep Soviet and later Russian submarines
Starting point is 00:13:42 out of its Baltic territorial waters. Whenever they caught one, Russian authorities would piously deny it, calling the whole business either fabricated for purposes of provocation or made up by mentally disturbed figures who happened to hold Swedish office. Former Swedish Defense Chief Retired General Sverker Göransson advises not answering the disinformation directly, but rather presenting evidence of your own claims. He also advises having more than one official present your case. He commented to Defense One, quote, Russian media found a video snippet of me in yellow
Starting point is 00:14:17 rain boots dancing to an ABBA song that they showed over and over. Their message to the Swedish public was, the person in charge of your country is a clown whom you can't trust. They were ridiculing those in charge at all levels, end quote. So, have more than one person talking and stay away from the yellow boots. Calling all sellers.
Starting point is 00:14:44 Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like right now?
Starting point is 00:15:18 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:16:05 That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Starting point is 00:16:54 Learn more at blackcloak.io. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. Thanks, Dave. So I saw an interesting article come by on Ars Technica, and this was about the New York State Public Service Commission. Those are the people who run the power companies in New York. They have decided that they can charge Bitcoin mining companies more for electricity than other folks. So the commission has said it's okay for power companies to charge more.
Starting point is 00:17:35 Yes. Yes. Interesting. It is interesting. This is not uncommon in the power world. They will charge industrial users of power more money for electricity during the day. In fact, I remember a show I was watching on Discovery Channel about metal recyclers who ran an arc furnace, which uses an ungodly amount of power, but they would work solely at night
Starting point is 00:17:58 because that's when the power company would cut them a break on their rates. Right, right. So off peak time, you get the power for cheaper. One of the interesting things in this article was that evidently in New York, a lot of the electricity is hydroelectric. Right. And so the communities look at this hydroelectric power as a local limited resource. And it is a limited resource. So when you exceed your hydroelectric capacity, you have to bring in... You have to go out and buy power from the rest of the grid. Right. Presumably at a much higher cost. And that's why electricity is cheap, comparatively cheap in these areas. So these Bitcoin folks
Starting point is 00:18:34 look all over the nation and decide, well, where's electricity cheap? They go to New York, where it's cheap, and now they're chewing up all the hydroelectric power. Everybody ends up paying more for electricity. Right, because they have to buy more power. So they're essentially subsidizing, the people of the area are subsidizing these Bitcoin miners. So it's not an uncommon practice to charge people more money for their electrical usage, particularly if they're using more.
Starting point is 00:18:59 I don't know how you're going to determine that organization A is a Bitcoin miner and organization B is not a Bitcoin miner. Or if somebody is mining Bitcoin personally, you know, without having a large amount, are you going to charge them more too? It seems like it's a very convoluted situation. Maybe they just go with how much you use and charge you more based on how much you use. Yeah, it was another interesting point in this article was that one of their determining factors was that they said the cryptocurrency mining results in few local jobs. Almost no local jobs. Yeah. It's, I mean, because it's all automated. Right, right. So there's not a really a public good in the use of this local resource. Again, the hydroelectric power. Another interesting thing they pointed out is a precedent. They say in Boulder, Colorado,
Starting point is 00:19:46 marijuana growers are charged an extra about two cents per kilowatt hour because of all the power they use for their grow lights and ventilation systems and air conditioners and so on. And again, we're seeing this. There's a lot of precedence for this. This is not uncommon for certain industries to be charged
Starting point is 00:20:01 more for power because they're big users of power. Yeah, all right. Interesting stuff. It is using the free market at work to incentivize people to either come or go away. Right. All right. Joe Carrigan, thanks for joining us. It's my pleasure. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:20:28 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire.
Starting point is 00:21:14 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:22:14 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
