CyberWire Daily - Facebook boots Russian trolls for being trolls. Zuckerberg will testify before Congress. Different continents, different privacy protections. YouTube shootings. Pipeline hacks. Panera Bread's incident response.
Episode Date: April 4, 2018

In today's podcast, we hear that Facebook has kicked some Russian trolls out from under its bridge. Why? Because they're Russian trolls, that's why. Facebook CEO Zuckerberg will testify about data security before a House panel next Wednesday. Privacy for the Old World, but maybe not as much for the new. The YouTube shooting may have been motivated by anger over the platform's policies. European air traffic control problems were a glitch, not a hack. Pipeline operators recovering from IT hack. Homeland Security tells the US Senate hostile intelligence services have stingrays in Washington. Panera Bread's response to its potential data exposure. Rick Howard from Palo Alto Networks on whether security platforms are putting all of your eggs in one basket. Guest is Jim Routh, CSO at Aetna, on model-driven security and the rise of unconventional controls.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Facebook kicked some Russian trolls out from under its bridge.
Why? Because they're Russian trolls, that's why.
Facebook CEO Zuckerberg will testify about data security before a House panel next Wednesday.
Privacy for the old world, but maybe not as much for the new.
The YouTube shooting may have been motivated by anger over the platform's policies.
European air traffic control problems were a glitch, not a hack.
Pipeline operators are recovering from an IT hack.
Homeland Security tells the U.S. Senate hostile intelligence services have stingrays in Washington, and Panera Bread's response
to its potential data exposure.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Wednesday, April 4, 2018.
Facebook has kicked a large number of Russian troll accounts associated with St. Petersburg's Internet Research Agency from its platform.
In total, they took down 70 Facebook accounts, 138 Facebook pages, and 65 Instagram accounts.
As reported by TechCrunch, Facebook CSO Alex Stamos, who's still with the company despite what you may have read in the New York Times, was clear and direct about the reasons for the takedowns. Because the Internet Research Agency uses, as Stamos put it, quote, inauthentic accounts to deceive and manipulate people, end quote, they're not welcome. That, he said, is the whole reason: we don't want them on Facebook. We removed this latest set of pages and accounts solely because they were controlled by the IRA, not based on the content. So it's not content management in this case as
much as it is user management. Facebook CEO Mark Zuckerberg, having declined an invitation to
testify in London before a parliamentary inquiry into fake news,
said he will testify before the U.S. House Energy and Commerce Committee next Wednesday, April 11.
The hearings in Washington will be about consumer data protection.
Perhaps the panel will ask him why Facebook appears to be preparing to give North American users a lesser degree of privacy than people elsewhere.
The quick answer is because GDPR won't apply in the new world.
Facebook's COO Sheryl Sandberg had in January made noises
about extending the data protection and privacy measures
it was implementing to remain compliant
with the European Union's General Data Protection Regulation
to all users everywhere,
but this appears no longer to be the case.
Since U.S. law doesn't require the same degree of protection, U.S. users won't get it.
And this would seem to be something Congress would welcome some transparency on.
And sadly, yesterday, resentment over content moderation apparently took a violent turn.
A shooter wounded three before killing herself
at YouTube headquarters in San Bruno, California.
A fourth person was injured while escaping the gunfire.
All of the injured are expected to recover.
The shooter was apparently upset
by the platform's age-restricted policies.
There's been a great deal of misinformation circulating about the shooting, so it's worth going over what's known. San Bruno police identified the shooter as Nasim Najafi Aghdam, 39, of San Diego. As far as the police can tell, and this contradicts earlier reports
that the shooting was a domestic violence incident, she didn't know any of the four victims,
none of whom seemed to have been specifically targeted.
She was of Iranian origin, but not, again contrary to earlier reports, a Muslim.
She was an adherent of the Baha'i faith, and investigators can find no obvious religious motivation for her attack.
She was a vegan, a bodybuilder, an artist, and a strongly committed animal rights activist.
None of these seem to provide a motivation either.
What appears to be a likely motivation to observers and now the San Bruno PD
was her anger at YouTube for age-restricting and demonetizing her exercise,
advice, anti-animal cruelty, and comedy parody videos.
Aghdam's social media accounts have for the most part been taken down,
but before they were, YouTube videos of her denouncing the platform for blocking kids'
access to her videos and taking away the possibility of making some money from them
were readily available. Her father is said to have warned police in another town,
by some accounts Mountain View just down the 101 from San Bruno, that he feared his daughter would attack YouTube.
Police there had questioned her when they found her sleeping in her car,
which, while unusual, isn't a crime, so she was simply sent on her way.
The story is still developing, and please remember that early reports are often confused.
We hope for the healing of the victims,
and consolation for all of the families the attack touched.
Jim Routh is the chief security officer at Aetna.
I recently had the opportunity to speak with him for the Recorded Future podcast.
One of the things we discussed was model-driven security and the rise of unconventional controls.
Here's a segment from that show.
The future of cybersecurity actually
happens to be here today, but most cybersecurity professionals aren't aware of it. And it's
largely because the technology is creeping up on them and it's not self-evident. But what's
happening to security is we're moving into a world or realm where model-driven security is an essential component for the resilient enterprise.
And our threat actors are using models and data science to attack the enterprise.
So it's model versus model.
Now, I'll start from the good guy side.
About three and a half years ago, I hired a chief data scientist dedicated to security.
Very talented guy.
Had nine years of experience in the NSA where he worked on security using data analytics.
And I asked him, at the time I thought it was the right thing to do, I asked him, build us a data lake for the enterprise for security that we could run models against and figure out
where to allocate our scarce resources to do cyber hunting to get the best bang for the buck.
Seemed to make sense. A lot of people said, yeah, yeah, that's worthwhile. That's a good
application of data science. Well, while he did that, and he did an outstanding job of that,
built 106 models in about a year and a half's time. While he did that and did exactly
what I asked him to do, we implemented eight other implementations in production of models.
These are unsupervised machine learning models driving frontline security controls,
whether it's authentication or privileged user management or email filtering or endpoint protection.
These are all cases where we implemented the technology.
It's driving frontline security control.
So it's not just producing data and results that we're analyzing.
It's actually part of the fabric of the control.
So today, privileged user monitoring is an example.
Every single registered user in the network has a behavioral score based on four different types of behavior: physical access, email, web browsing, entitlement information, all combined, a massive data lake that was established, a bunch of models that represent that numerically. So each individual registered user
has that. When they ask for a privilege, and we don't grant privileges indelibly. Everything has
a time frame in terms of every privilege. And when they get a privilege, we measure their actual
behavior against the pattern. We see any deviation. If it's a slight deviation, we send an email to
their boss who has the context to know what they should be doing and when. And their boss decides if it's good or bad. The green button in
the email says that's okay. If it's a red button, they hit that and the credential is automatically
revoked. But if there's a number of anomalies in terms of anomalistic events, the model decides
to revoke privilege immediately in real time without any human
intervention and initiates orchestration for a security incident. Again, no human intervention.
It allows us to essentially revoke privilege in milliseconds in real time in the case of a threat.
I know of no other system in the world that has that across the entire enterprise. We've had it
in place for about a year and a half. That's one example of what was put in place that's essentially a model, in this case several models,
driving frontline security controls. And we're seeing that more and more. We have 200 models
in production today. And we're constantly growing that catalog of models. So I see very near future,
two, three years down the road, where we'll be actually sharing models from one enterprise to another to deploy effective security controls across enterprises. Models and data science today represent the foundation of cybersecurity for the next decade. That's Jim Routh. He's the chief security officer at Aetna.
That's a cut down from a longer version of an interview that I had with him over on the Recorded Future podcast.
If you want to check that out, it's at recordedfuture.com slash podcast.
As you can probably tell, he's an interesting guy and they're doing some interesting work over at Aetna.
I recommend you check it out.
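The privileged-user control Routh describes above, as an added illustration from the editor, not code from the episode and not Aetna's system: a per-user baseline over the four behavior types he names, a time-boxed grant, and a tiered response in which a single deviating dimension goes to the manager with a green/red choice while several deviations revoke the credential and open an incident without a human in the loop. The z-score baseline, the 3-sigma threshold, the two-anomaly auto-revoke trigger, the user and privilege names, and the activity counts are all assumptions constructed for the example.

```python
"""Tiered response for a time-boxed privilege grant driven by a behavioral baseline.

Editor's illustration of the control described in the interview; every number here
is a constructed assumption, not data from Aetna or from the episode.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

DIMENSIONS = ("physical_access", "email", "web_browsing", "entitlement")
Z_THRESHOLD = 3.0     # assumption: a dimension is anomalous beyond 3 sigma from baseline
SIGMA_FLOOR = 1.0     # assumption: floor on spread so near-constant baselines don't explode
AUTO_REVOKE_AT = 2    # assumption: this many anomalous dimensions triggers auto-revoke

# Constructed sample history: daily activity counts for one hypothetical user.
BASELINE_HISTORY = {
    "alice": [
        {"physical_access": 2, "email": 40, "web_browsing": 120, "entitlement": 3},
        {"physical_access": 2, "email": 45, "web_browsing": 110, "entitlement": 3},
        {"physical_access": 1, "email": 38, "web_browsing": 130, "entitlement": 2},
        {"physical_access": 2, "email": 42, "web_browsing": 125, "entitlement": 3},
        {"physical_access": 2, "email": 41, "web_browsing": 115, "entitlement": 3},
    ],
}
# Constructed observations taken while the privilege is active.
OBS_NORMAL = {"physical_access": 2, "email": 43, "web_browsing": 118, "entitlement": 3}
OBS_ONE_ANOMALY = {"physical_access": 2, "email": 44, "web_browsing": 900, "entitlement": 3}
OBS_MULTI_ANOMALY = {"physical_access": 9, "email": 40, "web_browsing": 3000, "entitlement": 30}


@dataclass
class Baseline:
    center: dict   # per-dimension mean
    spread: dict   # per-dimension standard deviation, floored


def build_baseline(history):
    """Summarise a user's history as a per-dimension mean and floored standard deviation."""
    center = {d: mean([day[d] for day in history]) for d in DIMENSIONS}
    spread = {d: max(pstdev([day[d] for day in history]), SIGMA_FLOOR) for d in DIMENSIONS}
    return Baseline(center, spread)


def score_observation(baseline, observation):
    """Absolute z-score per dimension: the numeric form of the 'behavioral score'."""
    return {d: abs(observation[d] - baseline.center[d]) / baseline.spread[d] for d in DIMENSIONS}


@dataclass
class PrivilegeGrant:
    user: str
    privilege: str
    expires_at: datetime   # no privilege is granted indefinitely
    active: bool = True


@dataclass
class Decision:
    action: str            # "allow" | "notify_manager" | "revoke"
    anomalies: list        # dimensions that crossed Z_THRESHOLD
    open_incident: bool = False


def evaluate(grant, baseline, observation, now):
    """Decide what to do with an active grant given one observation of the user's behavior."""
    if now >= grant.expires_at:              # time box elapsed: revoke regardless of behavior
        grant.active = False
        return Decision("revoke", [])
    scores = score_observation(baseline, observation)
    anomalies = sorted(d for d, z in scores.items() if z > Z_THRESHOLD)
    if not anomalies:
        return Decision("allow", anomalies)
    if len(anomalies) >= AUTO_REVOKE_AT:     # several anomalies: revoke now, no human in the loop
        grant.active = False
        return Decision("revoke", anomalies, open_incident=True)
    return Decision("notify_manager", anomalies)   # slight deviation: the boss gets the context


def apply_manager_response(grant, button):
    """Manager's reply to the notification email: 'green' keeps the grant, 'red' revokes it."""
    if button == "red":
        grant.active = False
    elif button != "green":
        raise ValueError("unknown button: %r" % (button,))
    return grant.active


def demo():
    """Run the three constructed observations through the control; returns the actions taken."""
    baseline = build_baseline(BASELINE_HISTORY["alice"])
    now = datetime(2018, 4, 4, 12, 0)
    actions = []
    for obs in (OBS_NORMAL, OBS_ONE_ANOMALY, OBS_MULTI_ANOMALY):
        grant = PrivilegeGrant("alice", "db-admin", expires_at=now + timedelta(hours=4))
        actions.append(evaluate(grant, baseline, obs, now).action)
    return actions


if __name__ == "__main__":
    for obs, action in zip(("normal", "one anomaly", "multiple anomalies"), demo()):
        print("%-20s -> %s" % (obs, action))
```

The floor on the standard deviation matters more than it looks: the constructed physical-access and entitlement counts are almost constant, so without it a single extra badge swipe would register as a multi-sigma event and the auto-revoke path would fire on noise.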
If you were flying in Europe late last night, you may have experienced, well, turbulence, of course,
but more to the point, some delays and disruptions.
Europe's Enhanced Tactical Flow Management System, ETFMS,
the continent's basic air traffic management system, failed late last night.
The problems were glitches, not hacks, and service was restored early this morning.
Several thousand flights were delayed, but backup systems functioned properly,
and flight safety was not compromised.
In another disruption that was in fact a hack,
four U.S. pipeline operators have now reported experiencing an attack
on their electronic data interchange, that's EDI systems.
ONEOK, Energy Transfer Partners, Boardwalk Pipeline Partners, and Chesapeake
Utilities Eastern Shore Natural Gas were all affected over the weekend and into the early
part of this week. Energy Transfer Partners and Eastern Shore identified the issue as a
third-party problem with service provider Latitude Technologies, a unit of Energy Services Group.
Latitude Technologies has restored most of the affected services, but it's waiting until the investigation is farther along before offering an account of how the hackers got in. The attackers hit the EDI that Latitude provides, not the operators' operational technology. The EDI is essentially a customer contact and data exchange system used for billing, scheduling, routing deliveries, and the like.
It did not affect industrial control systems, as far as we know.
Some observers in the security industry speculate that the hackers' intention
was to pivot from the IT to the OT,
but there's no direct publicly available evidence yet that this occurred.
The U.S. Department of Homeland Security told the Senate
that some foreign intelligence services, hostile ones,
are operating illicit Stingray intercept systems,
mostly in Washington, but in other cities as well.
And finally, Panera Bread is receiving poor reviews
for its handling of the vulnerability in its online sales system
that exposed customers to data loss.
The company apparently at first dismissed the researcher who told them they had a problem.
They misread him as a scammer, so the problem persisted from late August into this week.
The company is in the process of remediating the issue now.
were talking about the whole notion of security platforms and you were singing the praises of security platforms. And since then, some folks have pointed out that could it possibly be that
security platform is really putting someone in a monopoly situation? If you're putting all of
your eggs into one basket, this notion of having a monopoly could be problematic. What's your
response to that? Well, it's funny you mentioned that because after I did your show the last time, other folks
had mentioned to me that there was actually a paper written back in
2003 by some cybersecurity luminaries like
Dan Geer and Bruce Schneier and a bunch of other really smart people.
It wasn't about security. It was about the perceived notion that Microsoft
was a monopoly on the operating system level.
And their whole thesis was that if we only have one operating system, if a vulnerability is discovered, the impact could be exponential around the world.
So they didn't like that idea.
So there's a whole genetic diversity thing, right, from an organism point of view.
Well, I mean, that's why vendor in depth was invented by the security people, because we don't want to be in that situation.
So when I advocate for a security platform, which what I mean by that is we're trying to take everything that we're trying to do now with all these point products.
As I go around talking to people, even small organizations have 20 security products deployed.
You know, medium-sized ones have 50 to 60, and big ones like big banks, they have over 125, right?
That is a lot to manage, and the whole industry is kind of at a tipping point where they can't manage one more box.
So I'm advocating to bring everything under one platform so they can make it easier.
But it does sound like I'm going against the most brilliant minds in the industry.
So I was feeling pretty bad about
myself. And then I went back and reread the Monopoly paper. And it turns out, when you
read what Dan Geer and Bruce Schneier and team recommended,
it turns out that I'm right on the money, okay, for what they are talking about, how to fix the situation. Go on. Come on. Yeah. All right. So the monopoly paper recommends three things
that the industry do to lower the risk of a single vendor operating system. Okay. So the first one
was publish interface specifications to major functional components of its code. All right.
So that would work on the operating system.
That is exactly what the security platform does.
Platform vendors open their APIs to anybody who wants to connect to it.
So we go along, or Platform Play goes along with the number one recommendation from the
Monopoly paper.
Okay.
Number two, in the Monopoly paper, they say this, foster development of plug
and play technology that provides alternative sources of functionality. So that is exactly
the direction the platform vendors are heading. Last one, work with a consortium of vendors to
define specifications and interfaces for future developments. Again, this is exactly what all of
the security platform vendors are doing.
All of them, I'm talking about Palo Alto Networks, Cisco, Check Point, and Fortinet, all
belong to the Cyber Threat Alliance and are building new sharing protocols and platforms
so that prevention orchestration, the sharing of new intelligence and the deployment of
new prevention controls is done automatically at the vendor level so that network defenders don't have to manage it themselves.
So I think the platform parallels nicely what they recommended in the monopoly paper.
To be clear, though, you still have to pick a vendor platform that you trust
that will stay on top of all the technology and to continue integrating with other vendors.
But by doing that, you come closer to the goal of automatic
integration and orchestration, and that will cause you less wasted time for your staff,
and it reduces the amount of complexity in your environment.
All right. Rick Howard, as always, thanks for joining us.
Thank you, sir. It was good.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you
time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is
proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building
the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is
Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you
back here tomorrow.