CyberWire Daily - Fake news and information operations with no obvious solution. Equifax update. US Cyber Command vs. DPRK

Episode Date: October 3, 2017

In today's podcast, we consider the bogus rumors and highly questionable claims of responsibility circulating online after the Las Vegas massacre. ISIS is especially keen to make inspirational capital out of senseless killing and suffering. Google and Facebook come under pressure to moderate the content they carry. The UK prepares to pass tougher restrictions on viewing radical content. The Equifax breach gets two-and-a-half-million people bigger. Ben Yelin from UMD CHHS on Yahoo! data breach victims' right to sue. Tony Gauda, CEO of ThinAir, on dealing with insider threats. And US Cyber Command is said to have disrupted North Korean intelligence networks. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Delta Risk put together an infographic full of tips for Cyber Security Awareness Month. If you are a woman in cyber security and want to make connections with others in the field, check out our own Women in Cyber Security event.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Bogus rumors and highly questionable claims of responsibility circulate online after the Las Vegas massacre. Google and Facebook come under pressure to moderate the content they carry. The U.K. prepares to pass tougher restrictions on viewing radical content.
Starting point is 00:02:11 The Equifax breach gets 2.5 million people bigger. And U.S. Cyber Command is said to have disrupted North Korean intelligence networks. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, October 3rd, 2017. ISIS has claimed responsibility for the awful massacre in Las Vegas. Its Amaq news service said that the apparent shooter, Stephen Paddock, who killed himself as police stormed his hotel room, converted to Islam some months ago. Amaq calls Paddock by the honorific name Abu Abdul Bar al-Amriqi; al-Amriqi, that is, the American.
Starting point is 00:02:56 Very few people believe any of this to be true. The FBI is particularly skeptical, saying they've discerned no connection between Paddock and any extremist group. It seems to most people very unlikely that Paddock had converted to Islam and responded to calls to strike the unbelievers. Responsible or not, ISIS has incorporated the attack into its inspirational narrative. It's unusual but not completely unprecedented for the terrorist group to assert responsibility for crimes it had nothing to do with. Several observers attribute this departure, if such it is, to desperation, and see it as another sign that loss of territory and credible claims of ability to govern
Starting point is 00:03:36 are driving ISIS into a global diaspora more dependent than ever on cyberspace for its continued existence. The claim is probably also connected to recent warnings ISIS has distributed via Telegram, advising Muslims to avoid public places in infidel lands, as the soldiers of the caliphate intend to turn those into battlefields. The attack has also inflamed criticism of both Google and Facebook for being conduits of bogus news and rumor-mongering. Among the messages carried were speculations that the shooter was a white supremacist, but these were so implausible that they had a very short lifespan.
Starting point is 00:04:14 The gunman's motivation remains a mystery. The FBI and other law enforcement organizations are going through Paddock's digital exhaust to see what it might reveal, but so far nothing. Investigation is ongoing. Both Google and Facebook are clearly on their way to being considered news providers, not simply content-neutral platforms designed to exhibit whatever people happen to be saying online. Google's highlighting of search results from dubious sources prompts skepticism of Mountain
Starting point is 00:04:42 View's algorithmic approach to news. Facebook, which has lately made much of its efforts to expunge bogus stories from its feeds, also fell flat in this instance. Observers think more human curation is the only realistic way forward for these platforms. Their methods currently are designed to highlight the most viewed and shared content, but this advertising-centric approach to sorting news clearly has its limitations. This morning, Facebook announced its intention of hiring 3,000 workers —human workers, it seems necessary to say— to monitor content.
Starting point is 00:05:17 Facebook's acceptance of ads from Russian front organizations aimed at inflaming racial and class divisions in the U.S. also draws criticism. The company turned over to congressional investigators some 3,000 Russian-purchased ads bought and run during the last election cycle. Facebook has some new policies it hopes will mollify congressional critics. It will now enable users to see all the ads placed by a given advertiser, not just those the social medium's rifle-shot targeting has selected for delivery to a user's specific demographic profile. Facebook will also require proof of identity from those who wish to buy ads bearing on U.S.
Starting point is 00:05:56 political campaigns. The former measure seems unlikely to do advertising revenues much good. The latter will probably require a lot of labor from those 3,000 new employees to determine what counts as ad content bearing on an election. The general mood is that something must be done, but what exactly that might be is unclear. Those only loosely attached to the U.S. Constitution's First Amendment see the challenge as mostly one of policy and technology. Those with a more committed view of free speech as a right see deeper and less easily solved problems. For its part, the U.K. is using a heavy hand with extremist content. A new law is expected
Starting point is 00:06:38 to expose repeat viewers of terrorist sites to up to 15 years in prison, a very harsh sentence by British standards. The proposed law is expected to pass, its proponents viewing it as a necessary component of an anti-radicalization strategy. Insider threats come in two basic categories. There's the malicious actor with access to your network, someone you've placed trust in who is up to no good, and there's the inadvertent threat actor, the employee who naively clicks on a malicious link in an email. Tony Gauda is CEO at ThinAir, where they specialize in insider threat detection and investigation. What organizations
Starting point is 00:07:16 need is visibility. So the problem is that the internal adversaries actually have more visibility and more context as to what information is critical and how it's used normally than what the defensive people know about. Because if you think about it, organizations are organic. They grow over time. So that means if you deploy what's called a DLP system, which is a technology that allows you to kind of, if you write rules in the right way, it'll stop people from doing terrible things with information. The problem is that you have to predict what terrible behavior looks like, and you have to predict what normal looks like. So if it doesn't fit either one of these rules, then the DLP system doesn't detect that; it allows the individual to walk out the
Starting point is 00:07:55 front door with their critical assets. We sort of have jokingly referred to IT as the department of no. And if you go to IT with a question, can I do this, that there, you know, there are decent odds that they're going to say no. But that leads to shadow IT, where the people who are in the organization who just are trying to get their work done, they're going to find a workaround. How do you deal with that sort of thing? I think visibility is critical for that, especially in that exact scenario. So that is literally, you know, 99.9% of all organizations that exist, is that IT organizations have to decide ahead of time what is correct and what
Starting point is 00:08:31 is not correct. And if it doesn't fit the model that IT has predicted, then it's default denied. And that, of course, causes people within the organization to figure out ways on how they can circumvent it so they can, again, get their work done, because they're bonused on how productive they are, not on how secure they are, if you think about it. So the incentives are actually quite misaligned. And what are your thoughts in terms of proper ways or effective ways to incentivize those people for whom security might not be their top priority? I think you have to take a page out of the physical world. So if you think about, you know, when you walk into a bank, there are doors that exist, right? There are very thick steel doors and very thick bars that are on the windows. And these are what I like to call the protection technologies. So these things stop you from doing things within the organization.
Starting point is 00:09:24 drives a truck through the front door, or the person that works in the bank decides to steal information from the bank, the only thing you have left are the observation technologies, the camera. So the camera itself doesn't replace the steel door, and the steel door doesn't replace the camera. They're complementary to each other. So again, this goes back to visibility. If you have visibility to when people touch things and what they do with those things, then you can decide what's important and what's not important after the fact. Or you can take steps to fortify your security posture because you know exactly where your risk is concentrated. So without visibility, again, all this other stuff is just not possible. I have a friend who likes to joke that nothing
Starting point is 00:10:00 is foolproof to a talented fool. And I wonder about when you have clever humans who are figuring out these workarounds, and IT might not know what it is to look for. They might not know what they don't know. That's right. If you think about every security breach that's ever existed, all of these companies have some security technology in place. So it's not that they don't have technology in place to help combat these issues. The problem is that the complexity in detecting human behavior when it's nefarious to the organization versus productive to the organization is actually an extremely difficult problem. So if you think about it, there are alerts that go off even in the Targets of the world as those
Starting point is 00:10:42 million or so credit card numbers were being exfiltrated. Of course alerts were going off. The problem is the organization was inundated with alerts. So without having the proper visibility in place, again, it just makes it extremely difficult for you to catch any of this stuff. That's Tony Gauda from ThinAir. The Equifax breach appears to have affected millions more than initially believed. The company now estimates the number of affected individuals at 145.5 million, about 2.5 million more than it had previously estimated. Former CEO Richard Smith testified his regrets and apologies to Congress yesterday. He said, quote, To each and every person affected by this breach, I am deeply sorry that this occurred.
Starting point is 00:11:27 Whether your personal identifying information was compromised, or you've had to deal with the uncertainty of determining whether or not your personal data may have been compromised, I sincerely apologize. The company failed to prevent sensitive information from falling into the hands of wrongdoers. The SEC breach also got slightly worse, very slightly. The commission now says it's determined that two individuals had their personal data exposed. They're being provided with identity protection. The U.S. is said to have conducted a shot-across-the-bow DDoS attack against North Korea at the
Starting point is 00:12:03 end of September. An administration source told the Washington Post that U.S. Cyber Command disrupted Pyongyang's principal intelligence service, the Reconnaissance General Bureau, with a distributed denial-of-service attack that ran from September 22nd until this past Saturday, September 30th. Perhaps coincidentally, but probably not, a Russian telco has since given the DPRK more bandwidth. TransTelecom has run a big pipe from Vladivostok. Calling all sellers. Salesforce is hiring account executives to join us on the cutting
Starting point is 00:12:42 edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be Thank you. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:13:31 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:14:00 That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:14:56 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Starting point is 00:15:38 Ben, welcome back. Interesting article came by via Engadget. This story broke that a U.S. judge has said that the victims of the Yahoo data breach have the right to sue. Tell us what's going on here. So this is about the doctrine of standing. In order to make it into court, to get to the merits of the case, a person has to suffer some sort of particularized injury. And that's the legal notion of standing. What Yahoo tried to argue is that the people whose data was breached or were breached did not have standing because they couldn't allege with any sort of particularity that they themselves were injured. What this judge said and what I think was a pretty persuasive argument is that not only did they suffer present injury and that they had to purchase additional security measures to protect the integrity of their data, but they also will be suffering potential future injury due to the fact that they are going to have to take
Starting point is 00:16:37 additional measures beyond ones that they've already taken to make sure their data is not stolen again. This can include the cost of both financial resources and time resources. I mean, a person's time. And those count as particularized injuries under our standing doctrine. The key here from a legal perspective is that the speculative injury is not very attenuated. Famously, there was a case, Clapper v. Amnesty International, where individuals who suspected that the government was surveilling them electronically tried to sue the government,
Starting point is 00:17:13 and the Supreme Court said that they couldn't allege with any particularity that they themselves were getting injured. And even if they were, the injuries they alleged were not 100 percent likely to happen, but are not even 90 percent likely to happen. They were too attenuated. They would involve too many hypotheticals. Here, the injuries aren't very attenuated. They're likely consequences of getting one's data breached. So I think this was a very wise decision from the federal judge. And, you know, this got me thinking. Actually, we were talking about this over on the Grumpy Old Geeks podcast about how there's generally a settled amount in terms of insurance settlements and various government
Starting point is 00:17:56 agencies of what the value of a human life is. If a life is lost, there are some values that people have sort of settled on. I think right now it's around $9 million. And I wonder if we're heading towards a time where a breach of your personal information has a set value placed on it. Yeah, I mean, that's what's particularly interesting about this is now because standing has been established, I think we'll be able to see what happens when this case reaches the merits. And yeah, I've wondered about that as well. Can you put a definitive monetary value on the value of somebody's data? And it's not just tangible value in terms of the hardware or the software. It's also intangible value in terms of
Starting point is 00:18:37 what our devices and what data reveals about our personal lives. So those can be hard to quantify, but those are also particularized injuries. So yeah, I'm very curious to see how the court comes down on that issue. All right. We'll keep an eye on it. Ben Yelin, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:19:26 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Hello, dearest listener. In the thick of the winter season, you may be in need of some joie de vivre. Well, look no further, honey, because Sunwing's Best Value Vacays has your budget-friendly escapes all the way to five-star luxury. Yes, you heard correctly. Budget and luxury all in one place. So instead of ice scraping and teeth chattering, choose coconut sipping and pool splashing. Oh, and book by February 16th with your local travel advisor or at...
Starting point is 00:20:07 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:21:07 Learn more at ai.domo.com. That's ai.domo.com.
