CyberWire Daily - Twitter and two-factor authentication. Privacy concerns. The US Senate Intelligence Committee reports on Russian troll farms. Turla is back with some new tricks.
Episode Date: October 9, 2019. Twitter says it's sorry if anything might have inadvertently happened with users' email addresses and phone numbers, and that it's taking steps to stop whatever might have happened from happening again. If anything actually happened. Other concerns about privacy surface elsewhere. The US Senate Intelligence Committee issues its report on influence operations in the 2016 elections. Kaspersky ties a sophisticated malware campaign to Turla. Ben Yelin from UMD CHHS on a DARPA-inspired program exploring the possibility of using predictive technology to identify dangerous individuals. Guest is Neill Sciarrone from Trinity Cyber, discussing her career and the importance of attracting women to cyber. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_09.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Twitter says it's sorry if anything might have inadvertently happened
with users' email addresses and phone numbers,
and that it's taking steps to stop whatever might have happened from happening again,
if anything actually happened.
Other concerns about privacy surface elsewhere.
The U.S. Senate Intelligence Committee issues its report on influence operations in the 2016 elections,
and Kaspersky ties a sophisticated malware campaign to Turla.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 9th, 2019. Twitter yesterday said it's sorry personal information submitted
when setting up multi-factor authentication, quote, may have inadvertently been used for
advertising purposes, end quote.
Phone numbers and email addresses were made available to Twitter's tailored audiences and partner audiences advertising system.
The company says it's introduced reforms to keep this from happening again,
but security experts have received the disclosure coldly.
Twitter's denial that personal data was ever shared externally with our partners
or any other third parties seems ambiguous.
After all, if they never shared anything, where's the problem?
But externally seems to be the operative word.
Twitter apparently used the multi-factor authentication data to match users with advertisers' databases.
The better to enable Twitter's customers to target their pitches.
And those customers, remember, are advertisers and not users.
A lot of people have noticed that Twitter requires that you give the company a valid phone number
in order to sign up for two-factor authentication.
There seems to be no good reason for this requirement, and indeed, as Ars Technica says,
a phone number isn't required by Google
or GitHub or any number of other widely used services that offer two-factor authentication.
Twitter wouldn't tell Ars Technica on the record why they wanted the phone numbers,
but a company rep said on background that the decision to require a valid phone number
was based on other unfortunate experiences with users who'd lost access to other authentication mechanisms
and found themselves locked out of their account. Twitter's legal exposure is unclear. The Register
says the U.S. Federal Trade Commission declined to comment, but as the Washington Post points out,
the U.S. government secured a judgment against Facebook earlier this year over similar practices.
The social network was using phone numbers
collected for security purposes to send users messages unrelated to security.
None of this is repeated to pick on Twitter. They're hardly alone, and they're hardly an
outlier where targeted advertising is concerned. The Weather Channel, for example, not generally
thought of as hoovering up vast quantities of personal data, is now embroiled in a lawsuit with Los Angeles.
The City of Angels is suing the Weather Channel,
alleging that their app made improper use of geolocation data from users' phones.
Sputnik International, which knows a thing or two about the use and abuse of data,
quotes a Times story about data collection in which former GCHQ director David Omand says
that big Internet companies like Google, Twitter and Facebook
know more about individuals than GCHQ or other intelligence agencies.
And if you were made uneasy by that story in Sputnik,
that's probably a feature and not a bug, at least as seen from Moscow.
The U.S. Senate Intelligence Committee has issued the second volume of its report,
Russian Active Measures Campaigns and Interference in the 2016 U.S. Election.
The St. Petersburg-based Internet Research Agency was the focus of the committee's study.
They found that its operations were directed by the Russian government
and that its messaging was overtly supportive of then-candidate Trump.
It also found that Russian social media operations were overwhelmingly concerned with race,
with African Americans disproportionately addressed.
The goal of the information effort was, substantially,
to increase mistrust along fissures in American society.
The troll farm's activity actually increased after Election Day.
The committee found Instagram activity increased 238%,
Facebook increased 59%, Twitter 52%,
and YouTube citations went up by 84%.
Senator Richard Burr, Republican of North Carolina,
who chairs the Select Committee on Intelligence,
summarized the study's overall conclusion,
quote,
By flooding social media with false reports, conspiracy theories, and trolls,
and by exploiting existing divisions,
Russia is trying to breed distrust of our democratic institutions
and our fellow Americans.
End quote.
The Cyber Wire's Women in Cybersecurity reception is just a few weeks away,
and leading up to that event, we're highlighting the stories of inspirational women in our industry.
Neill Sciarrone is co-founder and president of Trinity Cyber,
a company that describes their offerings as proactive threat interference.
Before starting Trinity Cyber, she served in high-level roles in the aerospace and defense industries
and in the White House as special assistant to the President and Senior Director of Cybersecurity Policy.
The path that led me into running a cyber company is not a traditional path by any means. And I
would say, in fact, I think that's one of the best things about it is that I didn't intend to
ever run a cyber company. I will share with you, I wasn't one of those folks who
started out as an engineer or studying computer science. In fact, I studied government and women's
studies. But I'm curious. In fact, I probably drive people nuts with the amount of questions
that I ask. And so I had a path that eventually led me where I am today. I started out in 2001,
working for a little-known office called the Critical
Infrastructure Assurance Office, and it was hidden within the Department of Commerce.
And this was back when Dick Clarke, who I think you may have interviewed for one of your other
podcasts, was part of the President's Board and was working on cybersecurity. And we were working
on critical infrastructure protection and cyber. As chance would have it, I wound up being able to be involved in the creation of the Department of Homeland Security
and being part of the transition team that helped stand up that department
and working on Title II of the Homeland Security Bill,
which was at the time called the Information Analysis and Infrastructure Protection Directorate.
We were at this facility called the Nebraska Avenue Complex, or the NAC as we called it.
And it was these big brick buildings that were part of a former Navy installation.
And they're like these huge three-story brick buildings.
You'd walk in up an alley and you would head upstairs into what was truly the attic.
And it felt like being in
the attic. Everything was sort of those brown tones of an old picture. And in that environment
is where we were leading the critical infrastructure protection efforts and cybersecurity efforts of
the U.S. government. Not exactly the type of thing that or how they portrayed on TV, right?
No, it was definitely not what you see on TV
with the Homeland kind of experience.
A lot less glamorous.
I had the privilege of serving President Bush
and working on cybersecurity issues for him
from a policy perspective.
And so handling critical infrastructure protection,
cybersecurity policy,
information sharing with law enforcement
at a time when a
lot of those issues were really being developed and the policies behind them were being created.
And so from there, I wound up going into the private sector. I worked for BAE Systems
and eventually wound up running my own cybersecurity company.
Well, I want to touch on this notion that you mentioned earlier about you coming from a non-traditional background.
I think, first of all, it seems to me like if we're ever going to close this skills gap and
this employment gap, that that is the kind of thing that people need to embrace. Do you agree
with that? What is your take there? Absolutely. I think viewing cyber and viewing that as kind of a single way in which you
enter into a career from a technology path is very limiting. And so when I think about how we're
going to handle the challenge of cybersecurity in the future, I think the answer is looking at
people with diverse backgrounds. But for me, cyber is more than just the technical piece.
Cyber is big business. And so if you look at the
different roles you can play, there's owning a business, running a business, there's cyber policy,
there's cyber diplomacy, and then there's also the technical aspect. The one constant in cyber
is that everything changes. And so with constant innovation and change, a diversity of experience
and a diversity of background is needed to view these
problems in different and unique ways. And so this thought that the only path to a cyber career is
through engineering or computer science, I think is a very limiting way to look at the environment.
What's your advice to that person who is thinking about a career in cyber, either
coming up through school, maybe considering a career shift?
Maybe they don't come from that traditional background.
My first suggestion would be don't be so focused on a goal that you miss an opportunity. And so
I like to think about it like a journey and a car ride, right? So obviously you need to have
an idea of where you're going. But if you're so focused on getting there that you don't take the
side trips, you may miss a lot of opportunities in your career. And so my first
advice would be be open to the opportunities that may not seem obvious to you today and stop focusing
on a single way to get your objective achieved. The second thing that I would offer for folks is,
you know, really think about what it is that you bring to the table and be
willing to ask questions. And so the one thing I would say that really helped me in my career
is I was always willing to ask the question why and to admit what I didn't know. And so I find
oftentimes women are afraid to say they don't understand something. And I will tell you that
being brave enough to say you don't understand
is one of the most freeing experiences that you can have. In general, no one wants you to fail.
And so saying, I don't understand this, or can you explain this more to me, or why, is a very
powerful question to ask. And you'd be amazed at how much support and the answers that you get when
you're willing to start asking those questions. You have to be unafraid to fail and be willing to take chances and be willing to
do something different. And I guess if I had any message, it would be be willing to do something
different, whether that's taking a different path into cybersecurity or taking a different
approach to protecting your network and looking at things differently. Sometimes you find a better
answer. That's
Neill Sciarrone. She's co-founder and president of Trinity Cyber. They are presenting sponsors of
our upcoming Women in Cybersecurity reception. Kaspersky is following Reductor, a remote access
trojan that also manipulates certificates and marks outbound TLS traffic. The campaign affects
Chrome and Firefox browsers,
may have compromised ISPs,
and is tentatively attributed to the Russian threat actor Turla.
The victims so far appear to be confined to Russia and Belarus.
Kaspersky characterized the campaign as impressive
and said that the group behind it is in a very exclusive club
with capabilities that few other actors in the world have.
Patch Tuesday was relatively light.
Microsoft issued 60 fixes, nine of which were rated critical.
And Adobe didn't peep, not this time around.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives
and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives
are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Ben Yelin.
He's the Program Director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security.
Ben, it's always great to have you back. Story came by in the Washington Post. This was written by William Wan, titled White House Weighs Controversial Plan on Mental Illness and Mass Shootings.
There's a lot to unpack here. What's going on?
techniques and risk analysis to identify threats to our national security before they present
themselves. What the president is considering, and to be fair, it's something that's also being
considered by key Democratic presidential candidate, Vice President Joe Biden, is a
corollary, the Health Advanced Research Project Agency, which would do similar work for identifying people who might be a danger
to themselves or to somebody else. And it would use the same types of techniques,
would do some sort of digital monitoring, use some digital monitoring, perusing of social media
posts, some other intelligence gathering techniques to create profiles of people who might present a risk
for mental illness and therefore might be more prone to commit acts of mass violence. So this
is really in response to some of the high profile mass shooting incidents that we've seen in the
past couple of months. Yeah, I think what caught my eye in terms of the cyber element in it is using smart devices like our phones and our watches to detect when mentally ill people could turn violent.
They have a proposal called Safe Home because nothing in government can exist without an acronym.
This is one of the worst acronyms I've ever heard, but you go ahead and read it.
Yeah, SAFEHOME stands for
Stopping Aberrant Fatal Events
by Helping Overcome Mental Extremes.
Like, that's not a thing.
That just sounds made up.
Yeah, so I think, you know,
you look at technology like Apple Watch, for example,
which has this useful capability of detecting whether or not you may be on the brink of having some sort of cardiac event.
Right.
And it can warn you and it could even call 911 if it detects that you had a cardiac event and you've fallen down.
And I think we all think that's really great.
This is related to that, but different.
can find their civil liberties being taken away or being put on some sort of all-encompassing
watch list where their behavior would merit even more scrutiny. Obviously, the terms of service of
some of these technology companies will always say they'll comply with appropriate government
regulations. And if the government starts to get involved in extracting this data as part of a
surveillance program, then that might have
a chilling effect. People might be less willing to use these devices. Perhaps they'll seek other
means of social media communications to avoid detection. So yeah, I mean, I think the difference
between the use you talked about and what's being discussed here is the data collected here could really be used against the user of those devices.
And I think it would be more justified if we knew that such a program would work.
The research, according to this article and other articles I've seen, is really mixed.
Obviously, you're going to have a lot of false positives when you set up any sort of database like this. So probably hundreds of thousands of people are going to be tagged as having mental
health difficulties, and we're going to have to, as a government, sift through and figure out which ones
present a danger to themselves and to others. And it's hard to know exactly how to do that when a
person hasn't committed a violent act in the first place. So somebody who is at a
gun store and has an elevated heart rate, obviously going to be suspicious, but maybe if that exists
for 100 people, only 10 of those people would... And I'm just making these numbers out of thin air
for the purposes of an example, but maybe 10 out of 100 of those people would be planning a mass shooting.
Right. I could imagine somebody who's, uh, at a gun store with an elevated
heart rate because they're excited that they're going to buy a friend or a relative the birthday
present that they've always wanted.
Birthday present of their dreams.
Absolutely. So how do you sift
through all of this data to determine who is actually a risk when the only information you have is preliminary? So, you know, if we are going to invade civil liberties, we better be
doing it for a really good purpose. If there was a foolproof way to stop mass shootings using this
type of technology, I think it might be more justified. But because these types of programs,
you know, at least the literature says have not been successful in mitigating mass shootings and don't have their intended effects, you know, it's harder to justify the invasion of civil liberties.
All right. Well, Ben Yelin, thanks for joining us.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is
proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building
the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is
Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you
back here tomorrow.