CyberWire Daily - Mark Zuckerberg testifies about Facebook, big data, and influence. Patch Tuesday notes. Deterrence or open conflict in cyberspace?

Episode Date: April 11, 2018

Today we're following all things Facebook—it's four o'clock: do you know where your data are? We're betting no. Neither side of the aisle seems content with the answers Mr. Zuckerberg gave to the Senate panel. He's speaking before a House panel today. Patch Tuesday notes. Cyber tensions continue to rise as kinetic and chemical tensions rise between Russia and the West. Justin Harvey from Accenture, discussing cyber hygiene blind spots. Guest is Nahuel Sanchez from Onapsis on vulnerable password recovery systems.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. All things Facebook, it's 4 o'clock. Do you know where your data are? We're betting no. Neither side of the aisle seems content with the answers Mr. Zuckerberg gave to the Senate panel.
Starting point is 00:02:06 He's speaking before a House panel today. Patch Tuesday notes, cyber tensions continue to rise as kinetic and chemical tensions rise between Russia and the West. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 11, 2018. The news today continues to be dominated by all things Facebook, with generous dollops of big data and aspirations for a future cleansed by artificial intelligence. As Facebook CEO Mark Zuckerberg moves from the Senate's frying pan to the House's fire, it appears that Facebook permissions allowed some apps to read messages between some users and their friends. The numbers seem not to be large, at least in the context of a story that's customarily dealt in tens of millions.
Starting point is 00:02:58 Like the 85 million who had other data scraped by Cambridge Analytica. About 1,500 users are believed to have had their messages accessed via permissions they gave the personality quiz app used by a Cambridge University researcher in cooperation with Cambridge Analytica. The practice ended in October 2015. Until then, the app had requested access to inboxes through the read mailbox permission, which Facebook says it got around to fully deprecating in the fall of 2015. Yesterday's testimony appears to have won the social media platform few friends on either side of the aisle. Senator Maria Cantwell, a Democrat of Washington,
Starting point is 00:03:38 asked questions about Palantir, the big data analytics firm whose co-founder Peter Thiel sits on Facebook's board. Her suggestion was that Facebook had colluded with Palantir to deliver data that could be used in connection with Cambridge Analytica's activities. One Palantir employee is said to have done some work for Cambridge Analytica on his own time. Beyond that, the senator's questions were based on the a priori possibility that Mr. Thiel could have sought Facebook's help with the Trump presidential campaign. Mr. Zuckerberg answered that issues of election interference and data privacy had come up at board meetings and that the company was determined to get those issues right. Senator Ted Cruz, a Republican of Texas,
Starting point is 00:04:22 asked whether Facebook's content controls exhibited a leftist bias, citing a number of conservative and religious pages that had run afoul of the company's gatekeepers. Is Facebook a neutral commons where all manner of ideas might be exchanged, or is it a corporate person exercising its First Amendment rights? Mr. Zuckerberg said, basically, that it's more neutral field than advocate. His answer was that he was, quote, He did say that because of Facebook's location in very liberal Silicon Valley,
Starting point is 00:05:10 there might be some sort of progressive bias, but that this wasn't his intention. The senator's performance strikes much of the industry press as revealing interesting gaps in the lawmakers' familiarity with technology. In fairness to the senators, however, they're not the only ones who have trouble grasping how Facebook handles data. Wired thinks most users are in the same boat. Consider the now-deprecated read-mailbox permission. A doctrinaire defender of contractual rights might ask, what could anyone find to object to this? After all, you said they could look into your mailbox, didn't you? The problem observers see with this is the complexity and opacity of the way such permissions are embedded in terms of service.
Starting point is 00:05:49 And even Mr. Zuckerberg acknowledged before the Senate panel, most people don't read those, let alone understand them. It's a fair question. If EULAs and terms of service require as much, if not more, legal advice than does, say, the drawing of a will or drafting of a deed or incorporating a small business, in what meaningful sense does agreeing to them constitute informed consent? Mr. Zuckerberg indicated willingness to accept closer government regulation of social media.
Starting point is 00:06:18 This is probably a concession to reality. Some such regulation seems very much in the air. But it's also a tacit acknowledgement of the place Facebook now has in the online community. It's no longer the scrappy disruptor, it's pre-breakup Standard Oil or Ma Bell. Regulation can preserve big incumbents at least as readily as it can constrain them. The Facebook CEO also said he expected that artificial intelligence should have hate speech under control within 5 to 10 years. He avoided defining hate speech, beyond saying it was things we could all agree on,
Starting point is 00:06:53 and his technological optimism seemed to some observers not just to be doing a lot of hand-waving at the problems intentionality poses for any such program, but also to overlook the origins of artificial intelligence in natural intelligence. Any problems in natural intelligence are likely to find their Tin Man analog in our artificial progeny. The Facebook CEO's testimony continues today, this time before a House panel. Most of us, from time to time, find ourselves needing to recover a lost or forgotten password, and so we rely on password recovery systems to securely reset or remind us what our chosen password is. Nahuel Sanchez is a senior security researcher at Onapsis. Along with his colleague, Martin Donard, they'll be presenting a session at RSA next week called
Starting point is 00:07:43 I Forgot Your Password? Breaking Modern Password Recovery Systems. Nahuel joins us for a preview of their presentation. One important thing that we saw during our research, and I think the main issue, was that there isn't any default solution to implement these kinds of mechanisms. The main challenge, I think, is really critical in the sense that it's almost as critical as, for example, a login page or a login authentication mechanism. Bugs found in password recovery systems will lead to account takeovers or a full compromise of the system. So it's really complex code that is in charge of highly critical functions for a system. And so when you were doing your research and looking into this sort of thing, what sorts of vulnerabilities did you find? We found different things, but the most complex one or the most
Starting point is 00:08:38 important were SQL injections and design error decisions. So I think having a password recovery system, I think most people would acknowledge is a basic function that you need to have. Do you think that there needs to be some sort of standardization of this? I think so. I mean, as part of our research, we found that there aren't default solutions. And maybe that's because every application or web application or business application, it's completely different and needs different functionalities
Starting point is 00:09:12 for the users. But I think that there are good improvements, such as the usage of two-factor authentication for password recovery mechanisms, as used with Google, for example, that has that option to allow users to have a secure or a more secure way of resetting their passwords. That's Nahuel Sanchez. He's a senior security researcher at Onapsis, along with his colleague, Martin Donard. They'll be presenting at RSA next
Starting point is 00:09:40 week on April 19th. The session is called, I Forgot Your Password? Breaking Modern Password Recovery Systems. Patch Tuesday addressed 66 Microsoft bugs. One is an unusual keyboard issue. Another is a SharePoint vulnerability that Redmond says hasn't been exploited in the wild, despite its having leaked in advance of the patch. Editorialists urge the EU to get serious about sanctioning Russia, support for Assad in Syria being the country's most recent offense. Attacks on infrastructure by Russian operators are still widely expected. Some U.S. officials in and around NSA and U.S. Cyber Command hint not so darkly about an ability to hold Russian infrastructure at risk.
Starting point is 00:10:25 We'll see what the near future holds, but it sounds as if the world is moving closer toward either deterrence or open cyber conflict. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:10:57 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:11:31 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:12:22 is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Justin Harvey.
Starting point is 00:13:06 He's the Global Incident Response Leader at Accenture. Justin, welcome back. You know, you and I have spoken about cyber hygiene from time to time. And today you wanted to make the point that some people have some surprising blind spots when it comes to that. I think about having the right trained people and the right technology and the right processes to shore up your cyber defense posture or your cybersecurity program, which means plugging even the smallest holes. And if you're not focused on doing cyber defense or cybersecurity well in your organization, you might have a few of these blind spots. And one of the potential dangers out there are the adventation in the usage of what we call
Starting point is 00:13:54 PUPs, potentially unwanted programs. PUPs these days can come in many forms. It can be adware, which has been around for over a decade. It can be spyware, clickware. It could be simply a dropper that responds to requests to participate in a distributed denial of service attack or a botnet in the future, or even cryptocurrency mining software. You could have some software on them that's just essentially creating, printing money for cyber criminals out there. These potentially unwanted programs are sucking your resources. They are drawing CPU, they're drawing power, and they're also diverting the focus of your security operations center team or your incident response team in working through cases here.
Starting point is 00:14:46 Because essentially, many times you don't know if you have a potentially unwanted program or if the alert is a potentially unwanted program or if it's a real threat. So it devotes time and effort from your Security Operations Center or your incident response team. The true danger here is you have no idea who has a foothold on your system at this point. You know that you may have a potentially unwanted program. Let's take the most benign of examples. It brings up a window every day and it says, go to the site, or it consistently tries to change your homepage from Google to somewhere where they're harvesting the clicks. The problem with this is that you have no idea who that is. And what we are seeing is a
Starting point is 00:15:34 trend where cyber criminals are deploying these, they're keeping them low profile, and they're actually profiling the victims. Some victims are part of large multinational or global companies. Well, they're actually selling those footholds to nation states or other cyber criminals who will pay top dollar for entree into your organization. The second thing is where there's smoke, there's fire. Those potentially unwanted programs have to get onto your enterprise's system somehow, either through users clicking on the wrong links. That denotes the need for better email security, better security awareness training, etc.
Starting point is 00:16:17 Or they're coming in via a vulnerability or exploiting a vulnerability that is latent within the server or the workstation to date. So those are a couple things to keep in mind and why it's so important to keep your cyber hygiene up to snuff. Justin Harvey, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:16:55 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your Thank you. Thanks for listening. We'll see you back here tomorrow. Thank you. AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
