CyberWire Daily - Russian information operations, and lessons on election security from the Near Abroad. Magento proof-of-concept exploit. Huawei, security, and bugs. Training AI. Labor market news.

Episode Date: March 29, 2019

In today’s podcast, we hear that Ukraine is preparing for this weekend’s elections while facing intense Russian information operations. Estonia’s experience with such interference may hold lessons. A Magento vulnerability, just patched, could compromise paycards on e-commerce sites. Huawei reports record profits, and comes in for sharp British criticism over slipshod engineering. Prisoners in Finland will be helping train AI. And security companies hungry for talent should take note of tech layoffs in the larger IT sector. Ben Yelin from UMD CHHS with news that law enforcement agencies are encrypting their radio communications. Guest is Lorrie Cranor, director of CyLab at Carnegie Mellon University. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_29.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Ukraine prepares for elections this weekend, and they'll be held in the midst of intense Russian information operations. Estonia's experience with such interference may hold lessons. A Magento vulnerability just patched could compromise paycards on e-commerce sites.
Starting point is 00:02:13 Huawei reports record profits and comes in for sharp British criticism over slipshod engineering. Prisoners in Finland will be helping train AI. I chat with Lorrie Cranor. She's director of Carnegie Mellon University's CyLab Security and Privacy Institute. And security companies hungry for talent should take note of tech layoffs in the larger IT sector. From the CyberWire studios at DataTribe,
Starting point is 00:02:43 I'm Dave Bittner with your CyberWire summary for Friday, March 29th, 2019. Happy Friday, everybody. The first round of Ukraine's presidential election will be held this weekend, with a runoff, should one prove necessary, scheduled for April 21st. Ukrainian elections have been subject to Russian influence operations for years, most notably in 2014, and direct hacking has also been a matter of concern. The Ukrainian Election Task Force, a monitoring group,
Starting point is 00:03:12 seems cautiously optimistic that the vote will go off as planned and will result in a credible outcome. The task force notes that, unlike some other neighboring countries they might mention, voting in Ukraine actually matters. They also note that Russian-influenced campaigns have been focused on the election for some time. Moscow's general line has been that Ukraine is a violent, dangerous, radicalized place
Starting point is 00:03:36 where groups of government-inspired thugs, bandits, will beat you, assault your wives and daughters, and burn down your house should you show up at the polls with the wrong candidates in mind. But such is the actual commentary from Russian government-controlled television shows on Russia One TV. The Russian radio and television are widely consumed in Ukraine, where most speak Russian, and where the closely related languages are for the most part mutually intelligible anyway. Russian information operators have been active online as well. According to the New York Times, one new tactic designed to circumvent social networks' efforts to cull inauthentic accounts
Starting point is 00:04:17 has involved paying Ukrainian citizens to allow Moscow's trolls access to their legitimate Facebook accounts. The Estonian experience with Russian attempts to meddle in elections is being cited as an example by stories published in Quartz and elsewhere. The Estonian response has been complex, but in outline it involved wider adoption of technical defenses against hacking, assistance to political parties and candidates with network and account security, anti-bot sweeps, and finally, public education in media literacy designed to induce skepticism and resistance in the face of disinformation.
Starting point is 00:04:55 Security firm Sucuri has a proof-of-concept exploit for an SQL injection vulnerability in the core of the widely used Magento e-commerce platform. They disclosed it privately to Magento, which has prepared a patch. Access can be gained without the need for authentication, the researchers say. The risk to consumers is card skimming. As Ars Technica points out, the vulnerability is so potentially lucrative that criminals can be expected to exploit it in the wild as soon as they have the means to do so. About 300,000 e-commerce sites use Magento,
Starting point is 00:05:31 and all users are advised to apply the fix Magento has issued. ZDNet reported earlier this week that some criminals were apparently using a weakness in the PayPal Payflow Pro integration with Magento to test stolen cards for validity. Much of the paycard data traded in the criminal markets is unsurprisingly outdated or simply hoaxed up, so the hoods will do a bit of testing. Magento urges businesses to upgrade, lest they lose their PayPal access. Huawei, bellwether of China's tech sector, continues to receive a mixed reception abroad. The company is defending its security record as it reports annual sales of $100 billion.
Starting point is 00:06:13 The EU has finessed security concerns about the company's participation in 5G networks. Australia and the US are unrepentant in their wish to keep Huawei out of their own networks, and the U.K. has harshly criticized the company's failure to remediate security issues. The Register characterizes Huawei's efforts to address known router vulnerabilities as half-arsed. This is an industry term, should you be unfamiliar with it. It means roughly poorly prepared and badly executed, and it often connotes both indifference and lack of effort. Wired expresses the current mood about risks surrounding the company's products as a feeling that it's not the back doors but the bugs that matter. We heard similar sentiments expressed last week at the Three Seas-focused CyberSecDC conference.
Starting point is 00:07:03 And finally, correctional authorities in Finland have an idea for training artificial intelligence. Have prisoners answer questions and use their answers to make the AI smarter. The country's criminal sanctions agency has contracted with AI firm Vainu to provide the inmates' labor to the project. It's seen as a win-win-win. The jailers keep their charges busily on the road to rehabilitation, the prisoners get learning and self-improvement, and the machines get smarter. Or at least, street smarter. It's an alternative to the manufacture of automobile license plates that former guests of governors tell us is the traditional occupation given to those whom the courts have offered a period of reflection.
Starting point is 00:07:46 But a lot of other stuff has been made in prisons, too. Packaging for various consumer products, processed meat, belts, and handcuff cases for police forces, even for a time in the 1990s, lingerie. Our corrections desk tells us they once knew a guy who taught a university extension course in ethics to a student body composed of long-term residents of a Midwestern penitentiary. His account of class discussions and consultations during office hours suggests that some of the models the AI will receive may be, shall we say, unrepresentative of the norms of natural intelligence. Anywho, the folks
Starting point is 00:08:23 doing a nickel or so in Helsinki will look at the internet and answer questions like, does this article talk about a business acquisition? The same question would be posed to a large number of inmates, and their answers in the aggregate will be used to converge on a right answer to help train the artificial intelligence to do a better approximation of natural intelligence. We might suggest other questions perhaps suited to areas of local expertise because, after all, learning is learning. Consider, is this guy an undercover narc? Does Charlie have a shank on him?
Starting point is 00:08:57 Is bologna on the menu today? We note that the sample question is basically a true-false one with a binary solution set. Could AI also be trained using more complicated multiple-choice questions? Perhaps even nested sequential questions. Consider, is this a convenience store? If it is a convenience store, that's a place where you can A. Buy smokes
Starting point is 00:09:18 B. Shoplift smokes C. Jackpot the ATM D. All of the above. Stuff like that. If we may end on a more serious note, we've seen stories this week about layoffs on both U.S. coasts. Salesforce, Oracle, and PayPal are all downsizing their workforces. A lot of people with transferable skills are going to be searching for work,
Starting point is 00:09:42 and the security industry around both San Jose and Baltimore might do well to give them a look. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:10:18 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:10:48 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices,
Starting point is 00:11:48 home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:12:13 And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's always great to have you back. I saw an interesting story from Columbia Journalism Review, and this is about law enforcement organizations using encryption on their radio communications, and some folks are not very pleased with that. What's going on here? Yeah, so Dave, you and I are located in a pretty high crime city, unfortunately, in Baltimore.
Starting point is 00:12:57 And the way most reporters in Baltimore get news of impending crimes or crimes already in progress is by listening to police radio, the police scanner. This is free, open source for most police departments. Generally, you can access it online or through various apps. And it's a key tool for journalists because, you know, if they are listening to the scanner, they'll hear about the initial response to an incident and they themselves can get out to provide transparency as to exactly what's happening. What we see now, what's mentioned in this article, is that a bunch of different law enforcement agencies across the country, this was an article about law enforcement agencies in Colorado, are encrypting those radio communications.
Starting point is 00:13:31 And that means journalists cannot access them. Now, there are legitimate reasons to want to encrypt these communications. It could provide a tactical advantage for officers to not have the public be able to figure out where certain police officers are going to be deployed. I think that is a very legitimate concern. But there is a First Amendment problem as well. Journalists aren't able to provide transparency, accurately cover crimes and other police-involved activity if they're not able to access these scanners. So I think it's a problem that's going to present itself increasingly as more police departments use this encryption device.
Starting point is 00:14:16 I mean, from their perspective, you can certainly understand why they'd want to keep these communications private, unavailable to the public, especially if criminals themselves are reacting to what they hear on police scanners. But it would be a major blow to journalism and to transparency to have this tool removed. Yeah, I think it's interesting, too, because one of the aspects that they point out here is the privacy of victims of crimes who very often will have their names and personal information read out over these radios by necessity for the police or first responders. So there's that privacy component of it as well. Yeah, and certainly that's a very compelling privacy interest. incumbent upon media organizations to work directly with police departments so that they
Starting point is 00:15:05 can monitor the scanner and have informal or formal agreements in place not to release personal information. And just anecdotally, I mean, I follow a lot of different crime reporters here in Baltimore. All of them seem very responsible about not revealing the identity of victims or perpetrators and being somewhat circumspect about identifying location and not asserting something as true without it being confirmed by a source beyond the police scanner. And I think there's generally a good practice among larger mainstream media outlets to treat the police scanner as sort of a rough sketch of what's happening. There are a lot of false reports. There are a lot of false leads. So I think the future
Starting point is 00:15:51 solution to this problem is to have journalists work closely with police departments to protect that personal information while still giving them access to real-time crime updates to make sure that the public is properly made aware of what's going on in their community. And as an extension, I think it is potentially dangerous to permanently encrypt those communications as a matter of policy because that's a drastic solution to this problem of revealing individual private information. Is there any legislation that swings either way on this, either requiring that law enforcement agencies keep these communications in the clear or specifically allowing them to encrypt?
Starting point is 00:16:37 The one piece of legislation that is cited is just a proposed piece of legislation. That is by a representative in the state of Colorado, a Republican representative who has introduced a House bill to prohibit law enforcement agencies from using encryption. He says that the use of encryption should not be ritualistic, but should be only used in extraordinary circumstances. So far, that bill has not been enacted. That legislator proposed it in the last session of the Colorado State Legislature. It was bottled up in committee. You know, and I think there is a tendency to give deference to law enforcement, particularly when it comes to these tactical issues. And I think, obviously, they have a large sway over state legislators. You know,
Starting point is 00:17:21 I don't see a quick legislative fix to this issue of encrypting police radio communications. All right. Well, it's one we'll keep an eye on. Ben Yelin, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:17:57 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. My guest today is Lorrie Cranor. She's a professor at Carnegie Mellon University in Computer Science and Engineering and Public Policy and director of their CyLab Security and Privacy Institute. Earlier in her career, she served as chief technologist at the U.S. Federal Trade Commission, was co-founder of Wombat Security, and served on the board of directors for the Electronic Frontier
Starting point is 00:18:45 Foundation. She joined us from Carnegie Mellon in Pittsburgh. We have lots of security and privacy work across departments and each department runs its own programs, hires its own faculty, but we formed CyLab because we wanted to have a way of coordinating all these efforts and bringing people together to collaborate. And so through CyLab, we're able to coordinate. We also have some larger collaborative research efforts that involve people across multiple departments. And we have some collaborative space. And so we have people all sitting together from engineering and computer science, all sitting side by side in the CyLab space. And so what's the focus on security and privacy? Why is that an important area for
Starting point is 00:19:33 Carnegie Mellon to make this sort of investment? Well, security and privacy are increasingly important as more and more things go online and our world is increasingly digital, protecting security is critical for our infrastructure, for everything. Privacy is also something which I think has become increasingly important, both because there are more privacy threats out there now, but also there's more privacy regulation
Starting point is 00:20:04 and needs to comply with privacy laws. And so there's a lot of research needed into what are the best ways to protect security and privacy. So this is a really important area for research. There's also a big need to hire people in these areas and so Carnegie Mellon is doing our best to produce lots of excellently qualified graduates who can go out into the security and privacy workforce. Yeah and it's my understanding that a particular area of success for Carnegie Mellon has been encouraging women and minorities, people of color, to participate in the program. So you've
Starting point is 00:20:47 seen some numbers that you can be proud of. Yeah, we've been working really hard to improve the diversity of our computer science and engineering programs more generally, as well as in the security and privacy area. So our undergraduate computer science program is now 50-50 women and men, which is really amazing and has come a long way. And so what's your take on the notion that we have this shortage of qualified people in the security industry? So it seems that we do need to educate more people in this area. And the number of women and minorities in the security area is just ridiculously low. I mean, it's much lower than computer science in general. I just got back from the RSA conference and you look around and you just don't see that many women there. So we're missing out on an opportunity. Half of our population is not really considering this as a career choice.
Starting point is 00:21:53 So that seems like kind of an obvious place to go to try to increase our ranks. And does that outreach extend back to high schools and middle schools trying to create that pipeline into universities like yours? Absolutely. I think people are ruling out certain careers, you know, in elementary school and middle school. And so if we can spark that interest among middle schoolers, we have a much better chance of convincing them to enroll in technical programs later on. And so there are many great efforts trying to encourage young girls and people of color at those lower age levels. At Carnegie Mellon, we have tech nights for girls every Monday night for middle school girls in the area. We're also running this cybersecurity challenge
Starting point is 00:22:52 for middle school and high schoolers called picoCTF. And we have thousands of students around the world participating in this program. What's your advice to folks out there who want to encourage young women and people of color to pursue these sorts of careers in security? What sorts of things can they do to make that an easier pathway for them? Yeah, I think, you know, part of it is to have mentoring and role models and help women and people of color see themselves in these types of careers by seeing examples that there are diverse people in these careers. We also need to make sure that we take down barriers and
Starting point is 00:23:39 remove some of the hostility that there's been in the past. You know I've been to security conferences where it was hostile to women there, where I definitely felt very uncomfortable being in those situations. And that was a few years ago. And the good news is that I think things are changing. That I think when I go to security conferences now, I do feel a lot more comfortable there and I think a lot of efforts are made to make sure that these are more inclusive environments, but we still have a ways to go. So at Carnegie Mellon, we have a master's program in privacy engineering and this is
Starting point is 00:24:22 actually the only program like this anywhere in the world, where we're actually educating technical students to take on privacy engineering roles, which are becoming increasingly common at companies, especially in light of GDPR. And then the other thing I wanted to mention was that at Carnegie Mellon, we have a big focus on the human side of security and privacy. We have a course on usable privacy and security, and we have a lot of research which combines the core technology of security and privacy with the social science and psychology and human side of security and privacy, which is really important. That's Lorrie Cranor.
Starting point is 00:25:10 She's a professor at Carnegie Mellon University in Computer Science and Engineering and Public Policy, and she's director of their CyLab Security and Privacy Institute. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:26:05 Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
