CyberWire Daily - NSA changes collection policy in a privacy-friendly direction. Latest Vault7 leaks look anodyne. Election influence concerns in Europe and the US. Blocking social media. DarkOverlord returns with extortion caper.
Episode Date: May 1, 2017
In today's podcast, we hear how the NSA is revising its interpretation of Section 702 collection, to the general approval of privacy advocates. WikiLeaks drops another alleged tool from Vault7—this one looks like garden-variety data-loss-prevention beaconing. The UK and France are on alert for influence operations, and the US Congress takes testimony on such marketing-in-battledress. South and Southwest Asian governments move to block or censor social media. Prof. Awais Rashid from Lancaster University describes some of the risks of the cloud. The DarkOverlord returns, extorting TV and movie content owners over shows stolen from a third-party post-production company.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
NSA revises its interpretation of Section 702 collection
to the general approval of privacy advocates.
WikiLeaks drops another alleged tool
from Vault 7. The UK and France are on alert for influence operations, and the U.S. Congress takes
testimony on such marketing in battle dress. South and Southwest Asian governments move to
block or censor social media. The Dark Overlord returns, extorting TV and movie content owners over stolen shows.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, May 1, 2017.
Late Friday, the National Security Agency, NSA, announced changes in how it will henceforth collect information under Section 702 of the Foreign Intelligence Surveillance Act,
the law commonly known as FISA.
The law had hitherto been interpreted to authorize collection of information
that mentioned a specific foreign intelligence target.
As NSA described the change in its Friday announcement,
quote, NSA will no longer collect certain Internet communications
that merely mention a foreign intelligence target.
This information is referred to in the intelligence community as "about" communication in Section 702 upstream internet surveillance.
Instead, NSA will limit such collection to internet communications that are sent directly to or from a foreign target, end quote.
Instituted after an internal review of Section 702 collection that revealed lapses in compliance,
the change is intended to, as NSA puts it, quote, reduce the chance that it would acquire communications of U.S. persons or others who are not in direct contact with a foreign intelligence
target, end quote.
Privacy advocates have generally welcomed the announcement.
Among the groups commenting on the change are the Center for Democracy and Technology,
the Electronic Frontier Foundation, the American Civil Liberties Union, and the Open Technology
Institute. Most of them have gone on to say that this should make it easier for Congress to reform
Section 702, which expires at the end of this year, in a privacy-friendly direction,
or failing that, at least make it less likely that legislators will authorize increased
surveillance authority.
WikiLeaks on Friday released another tranche of its Vault 7 leaks, these purporting to
reveal a CIA document tracking tool.
The tool is called Scribbles, and it appears to watermark documents in ways that
would serve as a web beacon to determine whether a document had leaked, and if so, when it leaked,
and what users were involved. Scribbles is thought to be effective with Microsoft Office documents.
The CIA, of course, refuses to comment on this or any other Vault 7 dump, but observers note that
the technology Scribbles uses is neither surprising
nor novel, but rather a standard tool in data loss prevention efforts.
Concerns over influence operations continue to roil governments on both sides of the Atlantic.
The Sunday Times revealed that GCHQ has gone on high alert (that's a journalistic characterization,
not necessarily an operational
one) to prevent cyber attacks during the run-up to the UK's June 8th general election. France's
presidential runoff is in its last week of campaigning, as voters prepare to go to the
polls on May 8th and 9th. The campaign of Emmanuel Macron has received the ministrations of Fancy Bear,
Russia's GRU. And the U.S. Congress received testimony about the information operations last week.
The Rand Corporation has published its testimony in the form of an overview of the current state of the art.
In sum, that state indicates that marketing in battle dress now effectively targets group fears, desires, and insecurities,
that barriers to entry have fallen deeply,
and that Russia maintains a lead in this form of conflict.
Facebook has noted that its platform is susceptible to use by information operators,
malicious actors, as they call them.
Various political leaders, prominently in the UK,
excoriate Facebook and other social media providers for not doing enough to tackle
hatred, although how they might do so without full-scale censorship remains unclear. Turkey's
government at least has opted for full-scale censorship, blocking Wikipedia and censoring
Twitter. And India's government is undertaking measures to ban social media in Kashmir,
how successfully remains to be seen.
Finally, the Verizon data breach report highlighted the growth of ransomware.
But it's worth remembering that there are other kinds of online extortion, too.
An example of blackmail unrelated to ransomware emerged over the weekend.
The Dark Overlord, an online gang that's been responsible for similar shakedowns in the past,
obtained copies of the show Orange Is the New Black
and demanded that Netflix pay them an unspecified, but presumably large amount of blackmail.
Failure to pay would be met with release of the stolen and as yet unaired episodes.
Netflix did not pay, and The Dark Overlord followed through with its threat.
Variety reports that content owners other than Netflix are affected.
The Dark Overlord claims to also have episodes of The Catch, Celebrity Apprentice, NCIS Los Angeles,
New Girl, Portlandia, It's Always Sunny in Philadelphia, Breakthrough, The Arrangement, Bunked, and Bill Nye Saves the World.
The incident appears to be another example of a third-party breach.
The stolen episodes were apparently obtained by hacking a post-production company.
We heard from security firm Prevalent's Jeff Hill,
who pointed out that this is a good example of the penetrate-once-compromise-many attack
we see so often in third-party risk.
Quote,
Although cybercriminals have lately made this look easy, compromising a network
without being detected takes time, patience, and expertise, not to mention a little luck.
Being able to leverage a successful attack across multiple companies that the initial
victim works for is exceptionally appealing to the bad guys.
The military has a term for a similar effect, force have been closely questioning a person of interest in Texas.
Good hunting to the feds.
Joining me once again is Professor Awais Rashid.
He heads up the Academic Center of Excellence in Cybersecurity Research at Lancaster University.
Professor, welcome back.
There are certain risks posed by having data in the cloud, and we want to talk about some of those risks today.
A lot of organizations and individuals are now using cloud services for their day-to-day operations.
And of course, in general, these services are highly secure, and a lot of effort goes into securing these systems. Yet, we have to bear in mind that attackers also aim to exploit various
architectural features of the cloud to try and extract data from the cloud. There has been work
in the research community that has demonstrated that, for example, malicious virtual machines can
be placed or made co-resident on the physical machine and then attacks can be launched,
for example, against caches or the hypervisor itself to try and extract data from potential
victim machines or simply by, for example, looking at a side channel leakage in terms of
the kind of resources that that particular virtual machine may be using to try and gain
understanding on particular types of issues,
like, for example, processing times.
It's worth bearing in mind that, yes, the cloud is secure for a lot of purposes,
yet attackers can use very sophisticated tactics to try and gain access,
particularly if they have a particular target in mind.
During the transition to the cloud,
there was this whole notion that many people would say,
I like to have my server where I could see it.
I heard someone say,
I like to be able to reach out and hug my server
to know where my data is.
But what about the notion of being able to verify
that when I say that I need this data deleted
to know that in that remote location,
it actually happened?
It's a very interesting question. And I'm not sure that there is an easy way to provide
that guarantee. The reason being that there are a lot of features of the cloud that are designed
to provide this ease of use in terms of storing your data and getting access to it from anywhere, anytime. But that, for example, in the first instance, requires replication of data.
There are, of course, backup features available within the cloud, automatic backup features.
And for a lot of different purposes, cloud providers will, for honest reasons, handle your data in a lot of different ways.
So when you're trying to delete that data, ultimately,
if you want what you would call assured deletion, then you have to have some kind of a guarantee
that all possible copies of the data have been destroyed. And it is very, very difficult to do
because, for example, if you delete your virtual machine from the cloud, the space may not be
reclaimed straight away. It will
be reclaimed at a future allocation time. In many cases, there are delayed deletion requirements in
place in a lot of terms and references. So, for example, when you delete your data from the cloud,
it doesn't actually get deleted straight away in a lot of the cases from services such as Dropbox,
because if you've done it by mistake, you can actually go
back and recover it. So there are recovery periods, these kind of features in place.
So all these features mean that as users, unless we have a very clear picture of what happens with
our data, we cannot be sure. But also, even if cloud providers wish to provide those guarantees,
it's really, really difficult, given the very nature of the cloud architecture,
to provide those guarantees.
All right, Professor Awais Rashid, thanks for joining us.
And that's the Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.