CyberWire Daily - Scraped data found gurgling around in an unsecured third-party database. Ransomware and election security. Spy in your pocket? (Probably not.) Guilty plea in the Satori case.
Episode Date: September 5, 2019
A database scraped from Facebook in the bad old days before last year's reforms holds information about 419 million users. The ransomware threat to election security. Notes from the Billington Cybersecurity Summit. Is your phone reporting back to Mountain View or Cupertino? Probably not, at least not in the way the Twitterverse would have you believe. And the Feds get a guilty plea in the case of the Satori botnet. Awais Rashid from Bristol University on the notion of bystander privacy. Carole Theriault speaks with Dov Goldman, Director of Risk and Compliance at Panorays, on the most noteworthy third-party breaches of 2019 so far. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_05.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A database scraped from Facebook in the bad old days before last year's reforms
holds information on about 419 million users.
We'll talk ransomware threats to election security. We've got notes from the Billington
Cybersecurity Summit. Is your phone reporting back to Mountain View or Cupertino? Probably not.
And the feds get a guilty plea in the case of the Satori botnet.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 5th, 2019.
Facebook has sustained a significant data exposure incident.
TechCrunch reports that a researcher found an unsecured database that contains data on some 419 million users.
The data contained, for the most part, user phone numbers linked with account IDs,
but in many cases it also included users' real names, gender, and country.
This isn't, properly speaking, a Facebook breach.
The data came from Facebook, but it wasn't a Facebook database.
The data was scraped.
The exposed database was not maintained or controlled by Facebook. Facebook said that the information appeared to have been
scraped at some time before Facebook restricted third-party access to its data last year.
Who scraped the data is so far unknown.
The head of NSA's Cybersecurity Directorate said yesterday at the Billington Cybersecurity Summit
that ransomware represents an interesting threat to upcoming U.S. elections.
The Hill quotes Ann Neuberger as saying ransomware will be a focus of her directorate during the election cycle.
The ongoing wave of ransomware attacks against U.S. local governments thus acquires another level of menace.
The ransomware security specialists
at Emsisoft have been wondering why so many of these attacks have hit southern states like
Louisiana, Texas, and Florida, and they think that extortionists are choosing targets they
regard as likely to pay. If that's so, this would appear to be another indication of the
way the black market is responding to market forces. Here's something that mayors, city councils, and county judges
might also factor into their risk calculations.
An IBM study concludes that taxpayers, many of whom actually also vote,
pretty clearly oppose paying ransom.
So, Your Honor, if you secure your networks and properly back up your files,
you will have saved the money of thousands of registered voters. Think about it.
And speaking of the Billington Cybersecurity Summit,
we have our people in Washington sitting in. This year's theme is Top Government Priorities,
a Call to Action, and the presenters represent a strong mix of industry and government leaders.
Some highlights from yesterday's presentations include a view from the U.S. Federal CISO's
perch, notes on data and artificial intelligence, and some thoughts from NSA's Cybersecurity
Directorate.
Grant Schneider, currently the U.S. Federal Chief Information Security Officer, working
from the Office of Management and Budget, explained that while his organization does have oversight
responsibilities, he sees it essentially as a support structure designed to enable sound
cyber practices throughout the federal government. Schneider's predecessor and co-presenter,
Brigadier General (Retired) Greg Touhill, now president of Cyxtera Federal, said that his
own views shifted over the course of his service. At one time, he would have attributed most incidents to careless, negligent, and indifferent
people, but he eventually came to add overworked, and this may indeed be the most important risk
factor. Learning how to manage risk under these conditions is a challenge, and the government
personnel need to fully understand the new reality. Touhill added, quote, if you use a computer or a mobile phone, you are a cyber operator
and a target, end quote.
When asked what keeps them up at night, Touhill pointed to the exposure of critical infrastructure
to attacks against industrial control systems.
As the Internet of Things expands, risk exposure grows, and the cost of entry to threat actors
declines.
Schneider gave a one-word answer.
China.
When we talk about artificial intelligence and cybersecurity,
we need to bear in mind that this is really two topics.
One is the use of artificial intelligence in cybersecurity.
The other is the cybersecurity of AI systems themselves.
Both topics are complex, but panelists focused on the importance of data to both.
Questions of data integrity grow sharper with the deployment of AI.
Data poisoning attacks are a very real threat,
and ensuring that data are trustworthy
is a challenge, panelists thought.
And there's a temporal dimension to this.
The U.S. government began collecting data
from the earliest days of the republic.
The Constitution, for example, mandates a census every 10 years.
This means, obviously, that the government didn't, because it couldn't,
build concerns about AI's use of data into its collection and storage practices.
Private industry, being far younger, finds it easier to build this in.
But that doesn't mean tech companies enjoy all the advantages of youth.
Weighing in from the private sector, Swami Sivasubramanian,
who's vice president of Amazon Web Services,
compared machine learning's current state of development to the Internet.
He said, quote,
If the Internet is still in day one after 30 years,
machine learning just awoke and hasn't yet had a cup of coffee.
End quote.
We'll have more notes
from the Billington Cybersecurity Summit tomorrow.
Carole Theriault has been reviewing
some of the most serious breaches
involving third-party risk
that we've seen so far this year.
From the UK, here's her report.
I was lucky enough to get the chance
to speak with Dov Goldman.
He is the Director of Risk and Compliance at Panorays, a firm focused on automating third-party security management.
I invited Dov to come and talk with us about the most noteworthy breaches that have happened this year so far and get his thoughts on whether these are the most dangerous cyber times we've ever faced.
Dov, thank you so much for coming on the show. I appreciate the time.
Oh, it's my pleasure.
Now, before we get into the weeds, what has been your overall impression of 2019 so far
in terms of these big breaches?
Well, it doesn't take brilliance to recognize that we're seeing an increasing cadence of news
about breaches. But certainly, everybody has to assume these days that their information is going
to be breached or has been breached, and it's floating around somewhere where a hacker can
take advantage of it. God, it's a very depressing thought, isn't it?
It is. And it pretty much means that unless you're willing to live in a cave with no electricity and certainly no smartphone, you can't avoid this. Okay. So of the 2019 security breaches we've seen
so far, to your mind, which one has been the most interesting?
So I'll start with one that I studied, I don't remember, a couple of months ago.
Well, in its own way, it's quite scary. The U.S. Customs and Border Protection Agency,
they had a breach where it wasn't them. It was a contractor called Perceptics. And they make the systems that, at a lot of the border locations, you'll see scanning your license
plate. That particular organization happened to have made a few mistakes and they claim fewer
than a hundred thousand people were affected. But this is a scary one, just going back to my point of
hiding in a cave. If you're going to cross a border with a car anywhere in the United States,
your license plate is going to be photographed. It's going to be matched against the database so
they can know who's crossing. And in a lot of cases, some of the same exact technology is used
for toll collection today, which we all love. Makes life easier.
And they're taking a picture of your face.
So somebody somewhere knows that you crossed the border at a particular time.
So they know your location.
They have your license plate number.
And they have a picture of you and also of the other occupants in your car.
So that's pretty scary. The fact that this was a
U.S. government agency and the fact that they had contracted this service out and there was
this contractor that was breached and the U.S. agency obviously wasn't smart enough to know that
or well, I shouldn't cast aspersions because I don't know exactly how they let this happen,
but it's obvious that they were not careful enough.
You're making a really good point there. So no matter how much you've locked down your own fort,
all the people that have keys to your kingdom may leave a door open or may do something that
just compromises your incredible security. That's a scary thought that, in theory, very professional organizations that outsource
important functions to other theoretically very professional organizations, they're in
trouble.
The other point I'll make is that there are good standards out there, standards like NIST
and ISO, but we're focused
on NIST in the U.S. context. And they clearly define some of the best practices that could have
possibly headed these breaches off at the pass. And so how do you avoid them is out there. It's
known. And if you're paying attention and you're being
diligent, maybe you avoid this. The person that's responsible for security within any firm,
be it a small mom and pop shop to a massive corporation, how is their job cut out for them?
These are complicated times right now. It is very, very difficult. They have to be everywhere
all the time. They have to be looking at technology. They have to be looking at their software. They have to be looking at their people.
But add to that this important concept that you have to have these standards that you're enforcing
is to know how you can get your third parties to enforce them as well, your contractors.
Everybody who's in your greater business ecosystem
has to be considered part of what many in the industry call an attack surface.
Dov, I could talk to you all day about this. It's fascinating. Thank you so much for making
the time and coming on the show and talking to us about this.
Thank you again. My pleasure.
This was Carole Theriault for the CyberWire.
There are fears currently finding expression in social media
that big corporations routinely eavesdrop on phone calls
and ambient conversations to better serve up targeted ads.
The BBC says these fears are on balance unfounded.
The security firm Wandera studied the concerns
and concluded that they were mostly hooey.
Could a phone be attacked and its microphone seized by the attacker?
Sure.
Is spyware a threat?
Yes, indeed.
Have companies used human monitors to perform quality assurance
on user interactions with voice AI?
They have, indeed.
But Wandera concludes that people should relax a bit.
It's not as if a silent OK Google reports back to Mountain View
that you've been talking to a friend about hockey sticks or the best way to grow tomatoes,
so the world's biggest marketing company can serve you ads for ice hockey or vegetable seeds.
And finally, the feds got a guilty plea from one Kenneth Schuchman, who copped to involvement in the Satori botnet.
The Register calls Mr. Schuchman,
who's just a tender 21 years of age, a script kiddie.
Their unkind lede is, quote, one more on down, two to go, end quote.
And I'm pleased to be joined once again by Professor Awais Rashid.
He's a professor of cybersecurity at the University of Bristol. Awais, it's great to have you back. We wanted to talk
today about this notion of bystander privacy. What can you share with us today?
So wearables are becoming more and more common. We use them on our own person, but increasingly
we also use them on our companions, such as pets. Pet wearables
are now effectively a billion-dollar industry. And all these wearables are collecting
data all the time. And the question is, are they just collecting data of the person, or even in the case of pets,
the animal that is wearing them, or are they also capturing information from around themselves,
for example, through microphones or other sensors? And that's what I mean by the notion of bystander privacy, that you may not be the
actual wearer of a wearable device, but it may still be capturing information that is
pertinent to you and in some ways impacting the privacy of those bystanders.
Yeah, it's interesting.
I remember a case where there was someone who was a pizza delivery person, and they got held up by someone.
They got robbed of their cash.
And not long after that, on Facebook, the person who robbed them came up as a possible friend
because they had been in proximity of each other.
Absolutely. And we see a similar trend.
So we've recently done a study of pet wearable devices in this case. And in a lot of
the cases, the devices are bought by users thinking that they are for their pets. And often the
privacy policies also note that the devices capture the data about the pet. But for example,
when you take your dog for a walk, the dog doesn't go for a walk by itself, right? So you go with the
dog. Mine certainly doesn't. No. And there is immediately the owner's data is implicitly being tracked.
And you can see potentially lots of potential cases where this has implications, for example, ranging from burglars knowing when to approach a home to even insurance companies inferring the health profiles of pet owners in that sense. So I guess the key question
here is that as we move more and more towards a world of wearables where a lot of our activities
are being tracked, we also come into contact with other people and that might implicitly,
or other wearables which might implicitly actually track our activities or locations
without us being fully cognizant of that. Yeah, it's fascinating. I mean, I think about something like dog walking, but also I think of
perhaps a married couple sharing the same car where more than one person may be accompanying
that pet or that device. And so how do you separate the associated data coming from
that thing that both of them are spending time with?
Absolutely. And there is also the other case whereby through the activity and locations,
for example, let's say with the dog walking example, through the activities and locations
that a dog goes to, you may be able to infer who is with the dog at a particular point in time.
Yeah, that's interesting. I wonder if you could even suss out different walking styles.
Do I walk my dog at a brisker pace than one of my family members does, for example?
Absolutely.
And there have been cases, for example, where the devices have been used to track whether
dog walkers have effectively done their job, in that sense, and so on. So there are privacy
implications of wearables and they're not just for those who are actually wearing them. It's also
those who come into contact with them knowingly or unknowingly.
Oh, it's fascinating. All right, Professor Awais Rashid, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing
at thecyberwire.com.
And for professionals
and cybersecurity leaders
who want to stay abreast
of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.