CyberWire Daily - Facebook breach details. Privacy issues and an image problem for advocates. Supply-chain-attack skepticism. Info ops, bikers, and deniable paramilitaries.

Episode Date: October 15, 2018

In today's podcast, we hear that Facebook has found that fewer users than feared were affected by its breach, but that in this case "fewer" still means "a lot"—nearly thirty-million of them. Do privacy advocates have an image problem? Supply chain seeding attack story draws more skeptical comment. A pipeline accident turns out not to have been a cyberattack. Estonia joins the UK and the Netherlands in an effort to clarify EU cyber sanctions. But Italy pumps the brakes. (Do Putin's Angels rejoice?) Rick Howard from Palo Alto Networks on exponential technologies, and how they could change the notion of scarcity. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_15.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Facebook finds that fewer users than feared were affected by its breach, but that in this case fewer still means a lot. Do privacy advocates have an image problem? The supply chain seeding attack story draws more skeptical comment.
Starting point is 00:02:11 A pipeline accident turns out not to have been a cyber attack. Estonia joins the UK and the Netherlands in an effort to clarify EU cyber sanctions. But Italy pumps the brakes. Do Putin's angels rejoice? From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary for Monday, October 15th, 2018. Today's news is highlighted by some follow-up stories that have been developing over the past few weeks. Late Friday, Facebook released more information on the cyber attack that led it to log some 90 million users out at the end of September. In brief, it seems that fewer users were affected than feared,
Starting point is 00:02:56 but that the information exposed was more sensitive than hoped. Approximately 30 million people were affected. Here's roughly how they broke down. 1 million lost nothing. 15 million lost name and contact details. 14 million lost name, contact information, and other data they had in their profiles. Such other information included username, gender, locale, or language, relationship status, religion, hometown, date of birth, education, and work.
Starting point is 00:03:24 Various aspects of their online activity were also revealed. The last 10 places they checked into or were tagged in, website, people or pages they follow, and the 15 most recent searches. That's according to Facebook's update. Facebook points out that people's accounts have been secured since the social network reset access tokens about two weeks ago. The incident has pushed opinion in the U.S. a bit in the direction of working to develop a set of national data protection regulations along the lines of Europe's GDPR, although there's skepticism among observers about how easy it would be
Starting point is 00:04:00 for legislators to get the complex issues right. In the meantime, everyone, but especially the 30 million affected Facebook users, should be alert to the possibility of more plausible social engineering. For all that, a survey shows that online privacy advocates suffer from an image problem. Research sponsored by security software firm HideMyAss and conducted in concert with CensusWide, surveyed over 8,000 people in France, Germany, the UK, and the US. Their conclusion is that people, quote, perceive privacy advocates as untrustworthy, paranoid,
Starting point is 00:04:37 male loners with something to hide, end quote, as if they're outlaw preppers trying to get off the grid. It's worth thinking about, and leave aside your reasonable suspicion that a company's calling itself Hide My Ass! may not be doing its customer's image any favors. There are plenty of reasons to value data privacy, even if in fact you really don't have anything in particular to hide. You don't have to be the Dread Pirate Roberts to see, to take an obvious example, a social engineer who knew personal facts like your age, work history, religion,
Starting point is 00:05:10 and hometown would be able to craft more convincing spear phishing messages. And in fact, about 14 million Facebook users now have that to worry about. And surely no more than, say, 5 million of them are probably untrustworthy paranoid male loners with something to hide, right? Bloomberg's story of a Chinese seeding attack on the IT supply chain remains controversial, but at this point reactions are trending strongly towards skepticism. Bloomberg has been standing by its story, but one of those they interviewed in their follow-up piece, Sepio's Yossi Appleboum,
Starting point is 00:05:48 told ServeTheHome that he's disappointed his words were used to reinforce Bloomberg's claims that Supermicro was compromised. He says, quote, I think they are innocent, end quote. He adds, instead, it's a general problem and not even necessarily a manufacturing one. Attacks can occur anywhere in the supply chain. It seems likely that the reporting will continue to unravel.
Starting point is 00:06:10 Supply chain vulnerabilities and attacks on them are a real concern, but this particular story is not holding up well. The September 13th lethal explosion involving the Columbia Gas Low Pressure Natural Gas Distribution System in Massachusetts was greeted with much speculation that the tragedy was caused by a cyber attack. But a preliminary report by the U.S. National Transportation Safety Board concludes that it was indeed an accident. It occurred while an old section of cast iron low-pressure pipe was being replaced. The sensing lines, still functioning in the section of pipe that was being abandoned,
Starting point is 00:06:52 interpreted the disconnection as a loss of pressure and reported this to the regulator devices, which increased the pressure in the system beyond safe limits. As Control Global's Unfettered blog notes, not only was this not an attack, it wasn't even a network monitoring problem, but rather an engineering and people problem. It's worth remembering as we consider the pipeline explosion and the supply chain seeding attack stories, that caution in explanation and attribution are always important, and that bad things happen through accident, oversight, inattention, and negligence, as well as through malign intent.
Starting point is 00:07:28 Estonia joined the Netherlands and UK's push to clarify sanctions for cyberattacks. Italy pushed back following its recent tendency to seek relaxation of tensions, particularly with Russia, as opposed to pursuing confrontation or sharper deterrence. Italy is likely to be an outlier here. There's widespread concern about Russian cyber operations in Europe and growing concern about the possibility of hybrid operations as well. Foreign Affairs notes the very odd presence of a paramilitary biker gang, the Night Wolves, that's established itself in Eastern and Central Europe.
Starting point is 00:08:06 The Night Wolves seem to be, or are feared to be, more akin to the Green Men of Crimea, paramilitaries in Eastern Ukraine, or the PMC-Wagner mercenaries in Syria. That is, they look like deniable proxies. The Slavic daily Pravda has been reporting since July on how the gang established a headquarters in a Slavic village, even borrowing surplus combat vehicles under the pretense of establishing a military museum. Those vehicles have since been repossessed, but as we say, it's a very odd story. The Night Wolves are also known informally as Putin's Angels, and whatever they're up to, they bear watching. This motorcycle club is not your father's crew of one-percenters, well-known on the North American highways for weekend runs, opposition to helmet laws, and north of the 49th parallel, some cigarette trafficking in high-tobacco tax Canada. Expect various information operations to emerge positioning the Night Wolves as patriotic hobbyists, just the way the GRU officers accused of nerve agent attacks in the UK
Starting point is 00:09:11 and hacking in the Netherlands were tourists and tulip enthusiasts. That's continued to be Moscow's story, and they're sticking to it.
Starting point is 00:11:51 And joining me once again is Rick Howard. He's the Chief Security Officer at Palo Alto Networks, and he also heads up Unit 42, which is their threat intel team. Rick, it's good to have you back. We've got an interesting topic to discuss today. We're going to talk about exponential growth and how it applies to cybersecurity. And along the way, you've got some book recommendations. What are we talking about here today? Yeah, thanks, Dave, for having me back.
Starting point is 00:12:31 I picked up a couple of books this year, and I've been fascinated by the idea about it. And the two books are called Abundance. First one's Abundance, and it's by Peter Diamandis and Steven Kotler, published back in 2012 and recommended by Bill Gates. And the second one is called Exponential Organizations by Salim Ismail, Mike Malone, and Yuri van Geest. That was published back in 2014. Now, in both books, the authors discuss these things called exponential technologies, and this is how they define them: tools or systems where the power and/or speed doubles each year and/or the cost drops by half each year. Now, abundance is this radical idea that exponential technologies, okay, there's ones defined by that definition, I guess, okay, these
Starting point is 00:13:19 are the ones that double each year and the cost goes down each year, will flip our common notion about scarcity. In the abundant future described in these two books, the cost of solar power, for example, and the exponential technologies that drive it might become so cheap and so powerful that energy becomes essentially free for every person on the planet. Okay. That seems really hard to believe when you say it out loud like that, but in both books, the authors track the cost and power of those exponential technologies, not just the energy community, but in all the exponential technologies they're looking at over the last 25 years. And the cost is indeed exponentially going down, or the computing power is exponentially growing.
Starting point is 00:14:10 The authors did not list cybersecurity as one of their things, but I believe that cybersecurity is right at the beginning of exponentiation, and nobody has noticed it yet. So let me show you what I mean. Okay. Okay. Diamandis and Ismail talk about these things called the six Ds of exponentiation. The first one is called digitization. Okay. And that means once a technology becomes digitized, it is easy to access, share, and distribute. Like solar power went digital about 25 years ago. Okay.
Starting point is 00:14:40 This means that all the data collected from solar panels and all the devices it takes to manage them have been put online. Before the technology went digital, maintenance and repairs were all manual. But with the data online, solar farms can now remotely monitor and maintain their systems. And some are even using machine learning algorithms to anticipate problems automatically. So in the early days of the cybersecurity space, vendors sold network defenders hardware appliances to perform one or more blocking functions down the intrusion kill chain. Today, many vendors have already started to collect their customer data and process it in the cloud. So that's the change. They are starting to transform themselves from hardware manufacturers into software as a service companies where they deliver security
Starting point is 00:15:25 services from the cloud. This is digitization. The next one's deception. So after digitization, growth is deceptively small until the numbers break the whole number barrier. So if the speed of your exponential technology grows from like 0.34 to 0.68, nobody will notice that. But once it grows to like 1.088 or something like that, that's crossing the whole number barrier. And when it doubles 10 times more, it starts to become a very big number. The point to note is that the growth is not linear. It is exponential. And this is exactly what's happening to solar energy and the exponential technologies that drive it. And it is the phase that the cybersecurity industry is in right now. We're in the deception phase. All right. So the third D is disruption.
Starting point is 00:16:11 So this is after the whole number barrier is broken, the existing market is disrupted by the new market's effectiveness and cost. And here's where it gets interesting. The next D is demonetization. Okay. Exponential technologies increasingly become cheaper. In 1998, residential solar power installation cost was about $12 per watt. 17 years later, the cost has been reduced by two-thirds. In the cybersecurity space, once vendors can deliver point product solutions as SaaS services from the cloud. The cost of hardware, maintenance, and training for each product practically goes to zero. All the security apps run over existing infrastructure. Yes, you pay for maintenance and training of the initial infrastructure,
Starting point is 00:16:53 but you don't have to pay for it for each point product deployed. So the price of everything starts to get reduced, which leads us to the next phase, dematerialization. Physical products get removed. In energy, more people move to solar power. Oil company refineries will start to vanish. The reliance on utility companies to distribute power starts to disappear, too, replaced by the individual homeowner's ability to generate and store their own power. In the cybersecurity space, hardware point products start to disappear. All right.
Starting point is 00:17:25 And so that's the first five. And the last one is the one that's kind of, you know, pie in the sky. It's called democratization. And once the first five Ds happen, the technology price becomes so cheap that anybody can have it. Solar power and the technology that supports it becomes essentially free. All right. So Diamandis and Ismail predicted this could happen in the next 10 years in the energy sector. The trick for the energy sector then is how does your business receive revenue from a formerly scarce resource when it flips to being abundant everywhere? In the cybersecurity space, open source cloud delivered security applications will emerge in much the same way as point product open source projects happen today.
Starting point is 00:18:06 Tools like Bro intrusion detection systems and Nmap and Metasploit, just to name three. The tools will become free. The data will become what is valuable. And everything will run on the underlying platform. So those are the six Ds. How does that sound? Does that make sense to anybody? It's a lot to take in, but I certainly think, I mean, the thing in solar is interesting.
Starting point is 00:18:27 I also think about things like the music industry where, you know, the scarcity of having to go to the record store to buy your favorite album for an $18 CD. And now you have all the world's music available to you for $10 a month on your mobile device. So certainly we've seen this sort of disruption before as data becomes available and, to your point, essentially free. Diamandis and Ismail make a strong case that exponential technologies will help solve some of the world's grandest challenges. But they didn't include cybersecurity in their set, but it's clear to me that cybersecurity is just beginning down
Starting point is 00:19:04 the six Ds of exponentiation, right? And like Diamandis and Ismail's grand challenges, I expect cybersecurity to move through these six Ds fairly quickly, most likely in the same time frame as solar power, most likely in the next 10 years. The future is exciting. Yeah, well, it certainly is. And I'll tell you, you know, Rick, as we both know, everything on the Internet is forever. So I'm looking forward to 10 years from now. One of our listeners reaching out and sending an email to you and me with a recording of this and giving us a score on how it turned out. But it's certainly going to be interesting to watch, right?
Starting point is 00:19:42 Interesting times as always. That's great. It's always great to be a futurist predictor because, you know, it doesn't matter. You can make up anything you want because no one will remember it. Yeah, that's right. That's right. All right. Well, as always, Rick Howard, thanks for joining us.
Starting point is 00:19:54 Thank you, sir.
Starting point is 00:20:47 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Thank you. Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.
