CyberWire Daily - Qatar and the United Arab Emirates at loggerheads over hacking. Commonly used gSOAP IoT code vulnerable to exploitation. A data exposure risk in connected toys. And what could be in that EULA.
Episode Date: July 18, 2017. In today's podcast we hear more on how Qatar has accused the UAE of hacking, and vows legal retribution—all on the strength of a Washington Post story. UAE says it didn't do it. Warnings about vulnerabilities in commonly used IoT code. Markus Rauschecker from UMD CHHS on Facebook running afoul of European privacy laws. Tina Ladabouche, NSA GenCyber Program Manager, on the NSA’s GenCyber program, supporting summer camp programs. FBI warns of risks inherent in Internet-connected toys. And people really, really don't read those EULAs.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Qatar accuses the UAE of hacking and vows legal retribution.
The UAE says it didn't do it.
Warnings about vulnerabilities in commonly used
IoT code. The FBI warns of risks inherent in internet-connected toys. And people really,
really don't read those EULAs. I'm Dave Bittner in Baltimore with your Cyber Wire summary for
Tuesday, July 18, 2017.
Qatar continues to accuse the United Arab Emirates of hacking Qatar News Agency and other targets to plant disinformation discreditable to Qatar's government.
Early on May 24, quotations praising both Hamas and Iran, and by some reports Israel as well,
appeared on various social media accounts and news sites associated with Qatar's government.
They were attributed to the Emir of Qatar.
The remarks promptly led to a diplomatic rupture between Qatar and other Gulf states,
particularly the United Arab Emirates, Saudi Arabia, and Bahrain,
who were prepared to accept them at face value in spite of Qatar's protestations that it had been hacked.
Other minor incidents soon thereafter affected sites in Bahrain and at least one diplomatic email account in the UAE.
The U.S. FBI, which assisted Qatar's investigation of the incident, said in late May that they
believed Russian threat actors were behind the disinformation campaign.
But a report this Sunday in the Washington Post quoted anonymous members
of the U.S. intelligence community as attributing the cyber attacks to the UAE, and Qatar's
official representatives have run with that story. The Emirates continue to deny involvement,
and they're not even entirely buying that the hacking involved disinformation at all.
They say the report of Emirati involvement that appeared in the Post is flatly
false, and that if you look at past statements by Qatar's rulers, well, they're consistent with what
the alleged hackers published. There have long been tensions between Qatar and its neighbors,
allies, and brethren in the Gulf. Many of those tensions are associated with Qatar's relatively
warm relations with the Muslim Brotherhood. For an indication of how wire-taut such tensions are,
consider that a government has gone on record with charges of criminality against a neighbor
that are founded on an anonymously sourced story in an American newspaper.
Here in the U.S., it's summertime, and for a lot of kids, that means summer camp.
But it's not just archery, canoeing, and ghost stories around the fire.
The NSA partners with educational institutions across the country, sponsoring summer camps through their GenCyber program.
Tina Ladabouche is the program manager for GenCyber.
There's an extreme shortage of qualified cybersecurity professionals.
So we thought that it would be important to generate a
pipeline of individuals entering into the field, and we wanted to do that and reach students prior
to entering college. So that's why the GenCyber program was created for the K-12 student population.
And so give me an overview. What kind of things does the GenCyber program offer?
The GenCyber program is sponsored by the National
Security Agency and the National Science Foundation. And what we do is we offer grants
to universities to hold summer camps for K-12 students and teachers. And we're introducing
them to cybersecurity. We're trying to generate an interest in cybersecurity. We provide them with instruction on safe online behavior,
cybersecurity topics. We introduce them to secure programming and cybersecurity first principles.
Those are the types of things that are involved in the summer camp.
And why is it so important to reach these young women before they reach college age?
There are studies out there that show that students in the late elementary
middle school age, especially girls, develop an interest in certain topics. And we want to make
sure that they are exposed to these types of topics early on before they hit college, so they
don't stray away into another category, another subject area. We want to show them that they can
actually be involved in cybersecurity. So the program's been running for a couple of years now.
What's the feedback been so far?
The feedback has been amazing, very positive.
We have a lot of interest that's been generated throughout a couple of years.
The program has grown significantly.
2014, we had eight camps.
We increased to 43.
Last year, we had 120 camps.
And this year, we're going to have 131 camps.
And ultimately, how will you measure success?
Currently, it's a little too early to measure success because the program is so new.
However, in the future, we hope to be able to see the students entering into college
and majoring in cybersecurity subject areas and also then entering the workforce, because we want to bridge that gap
in between the number of qualified cybersecurity professionals that are needed in the workforce
and those that are entering in the field. What does a typical day look like for someone who
engages with this program? Each camp is unique within itself. We provide overarching guidance
to each one of the institutions for the camp, what the camp curriculum should look like.
And pretty much that is just to introduce cybersecurity to the participants,
whether they be students or teachers, introduce safe online behavior to them,
provide teaching methods and techniques to the teachers during the teacher camp,
and to make sure there's hands-on interactive activities during the camp.
We don't want the students just sitting in front of a computer.
We want them to be energized, and we find that hands-on engaging, learner-centered activities
is extremely effective.
That's Tina Ladabouche from NSA's GenCyber program.
You can find out more about the program and find a camp near you at their website.
That's gen-cyber.com.
If you'll forgive a bit of self-promotion, we've been asked, so what do I get for becoming a
producer circle patron of the Cyber Wire? Well, unlike that membership in the Shadow Brokers
Exploit of the Month Club you might have been considering, not that we'd necessarily recommend
signing up for that club, wealthy elite, your support of the Cyber Wire gets you more than an EternalBlue tote bag
or a Guccifer 2.0 bobblehead or a DVD of Ed Snowden's greatest hits.
The Producers Circle now receives exclusive access to our new quarterly report.
If you'd like to see a sample, go to thecyberwire.com slash issues and check it out.
And thanks to all the patrons who've been so generous in their support of the Cyber Wire.
Returning to hacking, NotPetya continues to reverberate in the shipping and logistics sector,
even after the malware attack itself has been contained and remediated.
Delays in receipt of various shipments are being ascribed to the attack.
NotPetya's effect on FedEx seems, at the very least,
to have put the brakes on
the shipping company's full integration of its TNT acquisition. This is another reason to consider
the role cyber risk assessment necessarily plays in M&A due diligence and how difficult that
assessment can prove to be. Other insurance companies have experienced material consequences
as well, which gives added point to insurance giant Lloyd's assessment
that a major cyber attack could inflict worldwide damages
in the range of over $53 billion to over $121 billion.
Axis Communications patched an issue Senrio researchers found
with Axis high-end and widely used security cameras.
Axis deserves some credit here because they're early to the patching.
The flaw, Devil's Ivy, is found in the widely used open source code gSOAP.
The problem is widespread and extends far beyond Axis.
The vulnerability is likely to endure, given the notoriously low rates at which IoT devices are patched.
Other IoT issues surface in children's toys.
The FBI warns that it's probably not a good idea to give your young sons and daughters Internet-connected toys.
The Bureau's concerns are centered for the most part on the kinds of data such toys collect
– pictures, voices, names, geolocation, and so forth.
The information is for the most part
collected innocently, but what's collected can be compromised, and it's not easy to undo the damage
of a breach. It's also unlikely you'll ever patch a talking kukla. If it's unlikely to happen with
security cameras, it's less likely to happen with a much-loved and chewed-over teddy bear.
Security firm Plixer's Michael Patterson communicated a familiar call for regulation to us in response to news of this warning.
He said, quote, expecting consumers to do their homework before making an internet-connected toy
purchase isn't going to happen. He argues there ought to be a law. If the government can require
nutrition labels on packaged food, why not collection labels on connected devices? And he adds that those very one-sided end-user license agreements, the EULAs
that you never read, are insufficient to protect privacy. And speaking of EULAs, free Wi-Fi provider
Purple conducted an experiment that turned out about as one might expect. They embedded clauses
in their EULA giving them the right to assign community service to users.
Such service included cleansing local parks of animal waste,
providing hugs to stray cats and dogs,
manually relieving sewer blockages,
cleaning portable lavatories at local festivals and events,
painting snail shells to brighten up their existence,
and scraping chewing gum off the streets.
More than 22,000 users cheerfully clicked through.
One, count them, one person actually read and declined the EULA.
We'd ask our community outreach staff for advice, but for some reason they're down the
hall in the conference room doing something with snails and paintbrushes.
Weird, huh?
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility
is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies
like Atlassian and Quora
have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist
who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their
families at home. Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Markus Rauschecker.
He's the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security.
Markus, we saw a story come by about Facebook and that they were found to have broken some data privacy laws in several European countries, and actually they're being investigated in a couple more.
What's going on here?
This seems to be kind of a story that we hear again and again. We know generally that Europe has very strict privacy laws, but Facebook says it doesn't necessarily have to comply with some of these national laws because really they argue
that their presence in Europe is located and specific to Ireland and that they have to follow
Ireland law because their main office is located in Dublin. There's certainly going to be a lot of
debate about that, especially because Facebook does, of course, have some presence in a lot of
the other European countries, a physical presence in a lot of these other European countries. But the fact of the matter is right now, the fines for violating some of
these privacy laws are relatively low, especially for a company such as Facebook, which has about
$30 billion in revenue per year. But Europe is looking to change that. The fines for violating some of these privacy laws will go up in the future.
In fact, next year, May 2018, we'll see the initiation of the European General Data Protection Regulation.
That's going to make it a lot more costly if a company is found to violate data privacy laws, European data privacy laws, which will certainly give a company that's operating in
these countries a lot more reason to look at their privacy policies and their practices to
make sure that they're in compliance. It's an interesting argument from Facebook's point of
view. I mean, if you compare it, it's obviously not a direct comparison, but I think of like a
pharmaceutical company, you know, if their factory was in Dublin, Ireland, that wouldn't mean that they didn't have to comply with the
drug safety rules in Germany or France or any other country where they sold their product.
Oh, absolutely. Yeah. You know, we always see this kind of fundamental debate when it comes to
online services and online presence, and whether or not that can be completely equated to a physical presence.
Some argue that it's not the same thing, and others certainly argue that it is.
So there's a lot of room there for legal analysis,
and we'll have to see how things develop.
All right. Markus Rauschecker, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team
of editors and producers. I'm Dave Bittner. Thanks for listening.
needs AI solutions that are not only ambitious, but also practical and adaptable. That's where
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.