CyberWire Daily - Facebook sues over ad fraud. Tampering with VPN connections. Russian disinformation in Lithuania.
Episode Date: December 6, 2019
Facebook sues a company for ad fraud. Unix-based VPN traffic is vulnerable to tampering. Russian disinformation in Lithuania. Apple explains why new iPhones say they're using Location Services, even when Location Services are switched off. Researchers set a new record for cracking an encryption key. And ransomware hits a New Jersey theater. David Dufour from Webroot with a look back at 2019's nastiest cyber threats. Guest is Robert Waitman from Cisco with results from their recent Consumer Privacy Survey. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_06.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Facebook sues a company for ad fraud.
Unix-based VPN traffic is vulnerable to tampering.
Russian disinformation in Lithuania.
Apple explains why new iPhones say they're using location services even when location services are switched off. Researchers set a new record for cracking an encryption key. And ransomware hits a New Jersey theater.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 6, 2019.
Facebook filed a lawsuit yesterday against a Chinese advertising company that allegedly violated the social media platform's ad policies over the course of three years.
Facebook says the company used malware to compromise Facebook users' accounts
and then used those accounts to host ads for counterfeit products. The company was able to
continue the scheme for so long by using a technique known as cloaking, which hid the
destination of the ads from Facebook's systems. Threatpost says Facebook paid $4 million to
reimburse victims whose accounts were abused in this fashion.
Researchers at the University of New Mexico have discovered a flaw in Unix-based systems
that could allow an attacker on the local network to inject packets into a network-adjacent user's encrypted VPN connection.
The vulnerability affects Linux, FreeBSD, OpenBSD, macOS, iOS, and Android. An attacker can find the target's virtual IP address by sending packets that span the entire virtual IP space and seeing which address responds
with a reset packet. The attacker can then determine precise TCP sequence and acknowledgement
numbers by spoofing packets at the targeted connection until they trigger a TCP challenge
packet. The vulnerability is fairly complex to exploit, and observers, including The Register,
don't believe we'll see it exploited in the wild any time soon. The researchers are refraining from
publishing a technical paper on the subject until they've determined a suitable mitigation for the
bug.
Russian trolls have been active against public opinion in Lithuania,
with an uptick in activity noticeable since early September.
The target is NATO, and the messaging trades on Second World War fears of Germany
and Cold War fears of the U.S.
And there is the now-familiar class of memes that portray local authorities as untrustworthy.
Lithuania's government is working against the disinformation,
but it's being tight-lipped about specifics on OPSEC grounds, NextGov reports.
The fake news feeds generally represent NATO troops
as a barbarian threat to the peace and safety of the locals,
and the Lithuanian government as a collection of tools and stumble-bums
who couldn't find their own fourth point of contact
with both hands and the Hubble Space Telescope.
Nope and nope, but if you say it enough, there will be someone who'll swallow it.
The disinformation campaign is instructive in that it probably foreshadows themes and tactics
that will appear in other places, particularly during election seasons.
Apple offered an explanation for why its iPhone 11s frequently show the location
services icon, even when all location services have been switched off in settings. The company
told Krebs on Security that the icon's presence is related to the phone's short-range ultra-wideband
technology, which allows the device to share files with other phones nearby. Ultra-wideband
is prohibited in a small number of countries,
including Argentina, Paraguay, Indonesia, and Russia.
The iPhone 11 uses location services to verify that the device isn't in one of those countries,
and the location data doesn't leave the user's phone.
Apple said it will include an option to switch off ultra-wideband in a future iOS release.
An international team of researchers led by the National Institute for Computer Science and Applied Mathematics in France
have broken the record for the largest encrypted key ever cracked.
The researchers used clusters of computers across several countries to factor an RSA-240 key, which is 795 bits long.
The total amount of computations required would have taken just under 4,000 years running on a single computer,
so the calculation doesn't mean modern encryption keys are at risk,
especially since most current implementations use 2048-bit keys.
Rather, as the University of California San Diego noted in a statement,
achieving regular computational records is necessary to update cryptographic security
parameters and key size recommendations.
And finally, the New Jersey Shakespeare Theater suffered a ransomware attack which forced it to cancel the first performance of Charles Dickens' A Christmas Carol. The theater said in a statement that,
"We have no idea where anyone is sitting or when they are coming.
Therefore, we have no idea which tickets are available for sale,
and we have no information on how to contact any of our patrons at this moment in time."
The theater is doing its best to ensure that the show goes on,
but it can only sell new tickets on the night of the performance,
after patrons who pre-ordered tickets have already been seated.
And joining me once again is David Dufour. He's the Vice President of Engineering and
Cybersecurity at Webroot. David, it's always great to have you back. You all recently published a
report looking back at 2019 at some of the nastiest threats
that you were tracking. What can you share with us today? Hey, David, always glad to be back.
Great being here. Yeah, so we did this report. Our threat researchers, they did a great job
pulling this information in three main areas. The inbox, you know, we're talking about emails
and phishing there; botnets; and then the big one, as everyone is probably sick of talking about, ransomware. And ransomware, let's start with
that one. You know, some of the biggest things we saw were with Emotet and TrickBot,
one of the most successful. It did a lot of financial damage to governments and small businesses,
so a very, very successful strain of ransomware. The cyber
criminals are getting really, really good at deploying this stuff. GandCrab, I don't know if
folks have heard of that, but that's a ransomware as a service, David, which is kind of a terrifying
thing if you think about it. Continues to be very successful. And we've seen over $2 billion on that service alone. And we saw this evolution with cyber attacks as a
service with DDoS attacks and botnets. And now that we're seeing it in ransomware as well,
it's increasingly becoming a problem that we're getting better at protecting against,
but still exists. And your number one recommendation for ransomware?
Oh, the number one, absolute bar nothing,
recommendation for ransomware is to back up your data and make sure your backups are in a safe
place that you can recover from. If you have a good backup solution that can back up in the cloud,
that's great. If you can back them up offline, that's great. And I want to be super clear when
we talk about backup, we're not talking about services
that sync files across your machines so that you can share those files. I mean, a lot of people
feel like that's a backup, but if ransomware gets a hold of those files, they can potentially be
synced across all of your devices. You really need a real robust backup solution.
Well, let's move on to phishing. What are you tracking there?
So we're seeing, you know,
the continued increase in phishing. And, you know, David, I've been talking to a lot of folks about
phishing and it's kind of just come to, you know, an epiphany I had that phishing is in essence,
the scam. And it's a scam that's been going on for, you know, probably the beginning of time.
And it's just that computers and technology
have become the mechanism for delivering that,
whether you're getting phished through the phone,
whether you're getting phished through SMS or text messages,
whether you're getting phished through email,
which is the number one way we see.
Phishing is simply someone trying to scam you,
and now they're able to use a lot more technology components
to get that information
out of you.
All right, well, how about botnets? You guys are tracking that as well?
Yeah, so botnets, we're again seeing an increase in. And you and I have talked about this before, David, but it's
one of those things where what's old is new. We'd seen a huge decrease in botnets in the early 2010s because folks had become very, very good at detecting and preventing those on Windows platforms.
But as we've seen the growth of IoT infrastructures and more sophisticated organizations building botnets, we're seeing a lot more growth in that area. I would say at the moment, what we're seeing are kind of
flagship projects where they're going out and testing the capabilities of what they could do.
And I would guess over the next year or two, we'll see some fairly large botnets attacking
large IoT infrastructures and things like that as they really hone in their skills
on being able to attack these new environments.
What about crypto mining and crypto jacking?
You know, I think a couple years ago we thought that that was perhaps the future,
but it seems as though they've died down some.
So, yeah, those are dying down.
And I'm going to be honest, I've never been a big worrier of crypto mining and crypto jacking. It does use your, you know, your resources,
some power maybe, and maybe some CPU utilization on your computer memory like that. But the thing
about crypto mining and crypto jacking is if you typically shut down a browser, it goes away.
And the biggest thing that made, you know, we sit around, some of the folks here at Webroot,
we sit around and we talk about how cyber criminals can make money in crypto mining and crypto jacking.
They're trying to make money straight away by using your machine for mining.
But a lot of these folks aren't doing malicious activity in the traditional sense where they're trying to infect your machine with malicious software.
So, yes, it's it's annoying.
It's one of those annoyances like a virus that plays a song. It is using your CPU cycles. But we haven't seen a lot of malicious activity around folks who are doing crypto mining and crypto jacking.
All right. Well, the report is "The Revival of Ransomware: Webroot Reveals 2019's Nastiest Threats." You can find that on the Webroot website. David Dufour, thanks for joining us.
Great being here, David.
My guest today is Robert Waitman.
He's Director of Data Privacy at Cisco.
His team recently published their Consumer Privacy Survey,
highlighting the top areas where consumers continue to struggle to understand how companies are handling their personal data and how far Data Privacy Trust has progressed, if at all.
Well, a number of things have been on our mind looking at the privacy market and how our customers are responding to changing conditions and regulations. We know that privacy is an important topic for our customers and would like to continue to share research and thought leadership around topics that matter to
them. So whether they're joining a WebEx or whether they are interacting with Cisco either
directly or indirectly, it's something that matters to them. So that was really foremost.
Secondly, we've done some research in the corporate side over the past three years,
looking at the benefits of privacy beyond compliance. Organizations which have gotten
operational efficiency, organizational agility, they've gotten to be more secure because having
their data houses in order has reduced some of the costs and implications of breaches.
But we wanted to understand what the consumer side of that would be. How do the consumers react to this and how does that play into some of these issues?
We may see sales delays, for example, that organizations are coming to us and having
questions about how we use their data. And that is paralleled by what we saw on the consumer side,
where more and more consumers are asking questions about how their data is being used
and are willing to make choices when they perhaps are less comfortable with it. So that really drove us to get into this. And then I just
say, finally, we at Cisco want to continue to be leaders in this space. I mean, the idea of having
appropriate and ethical use of data is something that we all care about and helps create the kind
of world that we all want to live in. Well, let's go through the survey together. What were some of
the key findings? Yeah, a number of things that we saw in looking at this survey pool, and again, this was a global survey drawing on 2,600 respondents across 12 countries.
And one of the first and biggest things we found was the emergence of more consumers who are willing to do things to help protect their data.
I think it's been in the press for a while that consumers say they care about privacy, but it doesn't necessarily translate into action.
So what we tested was people who say they care about privacy, say that they're willing to spend
time or money to do things to try to protect their data better. And finally, to take a third and most
important test, have they made choices? Have they changed providers or others who they work with because of their perhaps lack of comfort with the data policies or data practices of these organizations? And the answer to that was yes. And so what we found is a full 32 insight coming to the market because, again, we haven't seen before evidence of large numbers of consumers who, in fact, have made choices, spending money, doing things, making changes in order to protect their data.
And so we talk a lot about that and what that might mean for the future and why it's so important to companies to think about that third of their customers who today are already making choices.
How should companies be
acting in order to keep them? What should they perhaps be doing to embrace or encourage
customers who may be not happy with what they're getting elsewhere to come to them?
It's a big opportunity and threat for companies to think about.
So, do you see this as being sort of a shift from security or privacy being an obligation to perhaps being a competitive advantage?
Absolutely.
This started off being a compliance-driven activity where organizations felt they had to check the box to do certain things,
to be ready for GDPR or other privacy regulations in their country.
And what we found, both looking at the corporate side and the individual side,
is that there's so many other benefits that go well beyond that compliance idea.
For organizations, it's all of the benefits they may get, not just avoiding fines that haven't so
far been very significant or affecting most companies. And for consumers, it's not a check
the box exercise of saying, yeah, you know, I met with some regulation. It's about treating their
data properly. And this is so much now part of the brand. You know, one of these things that
these privacy actives, this group of people that we've identified, have said is that they see how
their data is being treated as an indication of how they themselves are being treated. It's a
component of the brand and of the overall customer experience. And they won't even go to a company.
Ninety-one percent of them said, we won't even buy from a company if we don't trust how our data is going to be
used. So it's well beyond that, okay, did you meet some requirement or check the box? And it's very
much about the trust, the brand, the customer experience, and the overall relationship that
the company has with you. So what are the take-homes then for those on the professional
side who are responsible
for this data? What can they learn from your findings? Well, I think the first and biggest
thing is to understand where they stand with respect to their own customer base. If 32% of
the worldwide population is now taking action, every company should be thinking about what it
means for their own customer base. Is this something that they are doing well and exceeding
the customer's expectations? Or perhaps not, and they need
to make some changes. A good example of this is just being clear and transparent with how
your data is being used. It's actually something at Cisco we put a lot of effort on to try
to tell people exactly how data is used in any of our products and services. And of course,
we encourage all companies to do the same. We believe in that simplicity and transparency
is very important to the customer. And if you want to keep them as customers and perhaps grow that base,
that's very important. It's all about that trust. And then finally on this, I think the biggest
concern that many consumers still have, and many of them are still saying, despite all this, I'm
still not sure that I can fully protect my data, you know, is giving them sort of the tools to get
that simple and transparent view.
You know, don't make it hard for them to figure out how you're using their data.
Go the extra mile, maybe perhaps what's more than what's required to build that comfort
level and let all of your customers know what rights they have and what protections they
have with respect to how you're using their data.
You know, aside from that 32% number, which I personally, I find surprising, I wouldn't
have expected it to be that high.
I mean, were there any other surprises in the survey?
Anything that you learned that you didn't expect?
Well, you're right to comment on the 32%, exactly how we're seeing that being a big
change from what people have seen before.
I think it may be the beginning of an even larger group of people.
So in addition to the 32% that met all three of our tests,
there's another 35% of the population out there
that met the first two tests.
They said they care about privacy.
They said they're willing to act by spending time and money.
They see privacy as a buying factor,
but they haven't yet done that third test
of actually making a change.
I think as this continues, if companies don't do the right things, we're going to see many more of
them make that change. And we could be looking at not at 32%, you know, but it's something north of
two-thirds of the population who are taking a more active stance with respect to protecting their
data. I think that's a big story, and I wouldn't ignore a third, but I certainly would recommend
everybody thinking about what the world looks like when two-thirds of your customer base are knowledgeable and willing to make choices to protect their
information. That's Robert Waitman, Cisco's Director of Data Privacy, on their Consumer
Privacy Survey. And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you
back here tomorrow.