CyberWire Daily - YouTube account hijacking. Facebook finds more apps misusing data. Cyber deterrence in the Gulf region. Huawei’s CFO continues to fight extradition from Canada to the US. Pentesting blues.

Episode Date: September 23, 2019

YouTube creators in the “car community” get their accounts hijacked over the weekend. Facebook finds tens of thousands of apps behaving badly with respect to privacy--the social network’s announcement has been coolly received in the US Senate. The Gulf region continues to be a field of cyber as well as kinetic competition. Huawei’s CFO is back in court today. And Iowa tries to sort out what it actually hired pentesters to do (and to whom they were supposed to do it). Joe Carrigan from JHU ISI on smart TV privacy concerns. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_23.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. YouTube creators in the car community get their accounts hijacked over the weekend. Facebook finds tens of thousands of apps behaving badly with respect to privacy. The social network's announcement has been coolly received in the U.S. Senate. The Gulf region continues to be a field of cyber as well as kinetic competition.
Starting point is 00:02:15 Huawei's CFO is back in court today. And Iowa tries to sort out what it actually hired pen testers to do and to whom they were supposed to do it. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 23, 2019. YouTube users suffered what appears to have been an extensive and coordinated account hijacking campaign over the weekend, ZDNet warns. The car community was particularly targeted, and the attacks seem to have begun with phishing. The actors behind the hijacking seem to have been organized criminals, and the ZDNet researchers who developed the story suggest that people keep an eye on various dark web markets, since stolen accounts of this kind need to be monetized rapidly,
Starting point is 00:03:05 if they're to be monetized at all. Facebook continues to deal with the fallout from the Cambridge Analytica data scandal. Late Friday, as it continued the self-examination it undertook after determining that Cambridge Analytica had handled data shared with it in ways that, retrospectively at least, posed serious issues of privacy, Facebook released fresh results of that ongoing introspection. The social network identified data collection and handling issues with tens of thousands of applications associated with some 400 app developers.
Starting point is 00:03:38 This does seem like a lot to have overlooked, especially given the nudging Facebook has received from bad optics, to say nothing of the $5 billion encouragement to virtue offered by the U.S. Federal Trade Commission. The social network represented the results as evidence of its commitment to bring data abuse under control, and rather defensively pointed out that it's had to slog through millions of apps, which is no doubt true. Still, a tally of bad-acting apps adding up to tens of thousands, give or take a few baker's dozen, is two orders of magnitude bigger than Facebook had previously suggested. In any case, Facebook critics did not receive the news well. Take U.S. Senator Ron Wyden, Democrat of Oregon, as one example. Quote, this wasn't some accident. Facebook put up
Starting point is 00:04:24 a neon sign that said free private data and let app developers have their fill of Americans' personal info. The Washington Post quotes the senator as saying, adding his opinion that, quote, the FTC needs to hold Mark Zuckerberg personally responsible, end quote. Such disappointment is bipartisan. U.S. Senator Josh Hawley, Republican of Missouri, who met with Facebook's supremo Zuckerberg last week about exactly this sort of problem, tweeted this reaction. And now, barely 24 hours after insisting to my face that Facebook takes personal privacy more seriously than anything else, Facebook reveals potentially massive data breaches. Part of the conversation between Mr. Zuckerberg and Senator Hawley involved the senator's suggestion that selling off WhatsApp and Instagram
Starting point is 00:05:11 would help confirm that Facebook actually took data seriously. In any case, the suspension of hundreds of app developers, whom Facebook didn't name in its statement, would seem to fall short of putting your money where your mouth is. A poll shared with Vox by Data for Progress and YouGovBlue suggests there's an emerging bipartisan consensus that maybe it's time for the government to consider breaking up big tech. The pollsters are on the left, but the results they report don't seem too far out of line with other indications of public sentiment. They found no sharp differences among Democrats, Republicans, and Independents
Starting point is 00:05:47 in responses to questions asking if big technology companies should be broken up in order to achieve better competition in the market. Iran will take proposals for a Gulf regional security organization to the United Nations General Assembly's annual summit this week, The Guardian reports. The intent is to assemble a coalition of hope designed for the most part to exclude the U.S. and U.K. from a continuing role as protector of Iran's regional rivals. The move occurs as tensions remain high over the September 14th drone attack against Saudi oil facilities. There were reports over the weekend that Iranian
Starting point is 00:06:26 petrochemical operators had been affected by a cyber attack. Iran took the social media chatter seriously enough to issue an official denial that there had been any successful attacks. Much of the conflict in the region has involved cyber operations, CNBC observes, some of them apparently in retaliation for kinetic actions like Iran's shootdown of a U.S. surveillance drone. The U.S. has been looking to cyber operations as an approach to deterring Iran. The New York Times notes that among the options Cyber Command has had under consideration is disruption of Iranian oil production. Cyber attacks are attractive as a deterrent in part because of the proportionality
Starting point is 00:07:06 they promise and the degree of strategic ambiguity that tends to accompany them. The difficulty of containing their effects is unattractive, as is the prospect that use of a cyber weapon is generally assumed to be tantamount to its proliferation. Thus, their advantages and disadvantages tend to be the opposite of those associated with kinetic weapons. We will no doubt hear more about cyber conflict as the General Assembly's summit meets this week. According to Reuters, Huawei CFO Meng Wanzhou returns to court in Vancouver today, where her lawyers will press for details concerning her arrest. Her defense team is
Starting point is 00:07:45 expected to request more information about the circumstances of Ms. Meng's arrest at the Vancouver airport. They're expected to use such information to support the contention that her rights were violated by the arrest. And this, in turn, they hope to use to block her extradition to face prosecution in the U.S. on charges related to violating sanctions against trade with Iran. And finally, the strange case of the pen testers arrested over what seems to have been a misunderstanding of the scope of their engagement has expanded into a dispute between Iowa's state government and two of the state's counties. A state agency hired security firm Coal Fire to test security, and the contract
Starting point is 00:08:26 is said, by The Register and others, to have extended to tailgating, that is, following employees into the building, dumpster diving, and lockpicking. The state court administration says that, yeah, sure, it did hire Coalfire to do these things, but that the administration, quote, did not intend or anticipate those efforts to include the forced entry into a building, end quote. Okay, although lockpicking strikes our burglary desk as being so close to forced entry as to amount to a distinction without a difference, anywho, Iowa's Supreme Court has hired a Minnesota law firm to conduct an independent investigation, and we're happy to report that the two pen testers are out on bail.
Starting point is 00:09:11 A lesson for all engaged in contracting for penetration testing. Be sure everyone's clear on the scope, and if you're hiring pen testers, be sure you're testing something you own, not someone else's stuff. The two counties involved, Polk and Dallas, aren't particularly happy that the state decided to test their security. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
Starting point is 00:09:50 winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
Starting point is 00:10:43 access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one
Starting point is 00:11:39 third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the Hacking Humans podcast. Joe, great to have you back. It's good to be back, Dave. Article came by, this is from Threat Post. It's written by Elizabeth Montalbano, and it's titled,
Starting point is 00:12:16 Smart TV Subscription Services Leak Data to Facebook and Google. I don't know if leak is the right word. How about just send? Yeah, yeah. Now, you and I have spoken before offline about you were looking to buy a new TV. Yeah. And it's not easy to find a non-smart TV anymore. It is almost impossible to find a non-smart TV. They're almost all smart.
Starting point is 00:12:37 Right. I use smart with air quotes around it. Okay. Right. Now, this article talks about some of the data is going out to places like Google, Akamai and Microsoft, but that is probably because of the cloud services that those companies provide. Yeah. So that seems legit. But then there's all kinds of other stuff
Starting point is 00:12:55 going on here, like pixels that track what you're watching and report that back. Yeah, grabbing little clips of video. Grabbing little clips or screenshots of videos. Remember the old days, Joe, when you'd go to your local department store and you'd buy a television and you'd come home
Starting point is 00:13:14 and you'd plug it in and you'd unfurl that antenna and you'd watch the game. It was a completely passive device. All it did was receive information. That's right. Didn't send any information. Yeah, people stayed off your lawn back then. Yeah, yeah, that's right.
Starting point is 00:13:28 I didn't have to get out and tell so many kids to get off my lawn. Yeah, yeah. There's an article in Consumer Reports that tells you how to turn off these tracking features, but I don't know if that will disable some of the services that you have. Well, and let's be clear. I mean, part of what they're claiming here is that in collecting all this information about you, they're providing you with better services. They're providing you with some of the things we like.
Starting point is 00:13:53 We like it when Netflix, for example, recommends other shows that we might like to watch because of other things we've watched. That's a useful feature. Yeah, and I don't have a problem with Netflix recommending shows based on my Netflix viewing history. Right. But if Netflix starts recommending shows based on my Amazon viewing history, then I know these two companies are collaborating and saving data. I don't know that those two companies in particular do it, but that's the kind of thing I'm talking about. If it stays within the company and they're just trying to make the service better, that's fine. But if they're selling my data and profiting from me, I want that to come back in some way.
Starting point is 00:14:30 Well, it's an interesting point. One of the things I've read is that one of the reasons that TVs have gotten so cheap is because this is a revenue stream for them. They can lower the price of the TV because they're making money on the back end selling your data. Selling your data, absolutely. There is a solution, though. When your TV says, hey, let's connect to your network, just say no. I suppose you could go at it in a different way. Rather than having the TV connect directly, you could use one of the other devices. You could use a Roku or an Apple TV or something like that. Roku is listed in here as sending information out based on its channels. You could use an Apple TV.
Starting point is 00:15:09 Apple TV, yeah. I don't know, Dave. I'm sure they all do it to varying degrees. One of the things that caught my eye that I thought was concerning was, I believe it's in the Samsung privacy notice, where they warn you to be careful what you say in front of your television. Any personal information might be transmitted to third parties if you're having a personal conversation. I mean, Dave, who among us really actually has personal conversations in their own home? I have a smart TV in my bedroom, Joe.
Starting point is 00:15:37 This is, you know, so... That is the worst place to have a smart TV, I think. But we like to watch Netflix on it. I actually do not have a TV in my bedroom. There's the trap. There's the trap. Well, I think one thing in looking around for non-smart TVs, first of all, you're going to pay more for a TV that doesn't have these features. Which I'm happy to do, actually.
Starting point is 00:15:59 Which is counterintuitive, but there you go. That's the world we live in. Right. But also, if you look for industrial monitors. Right. Like retail display monitors, the types of monitors that they use like at your McDonald's
Starting point is 00:16:10 for displaying the menu, those sorts of things. Or perhaps a computer monitor. A computer monitor would work fine with one of these external boxes. Yep. So you do have options, and you can opt out, they say.
Starting point is 00:16:22 But of course, the default, when you buy one of these and set it up. You're automatically opted in. You're automatically opted in. So beware. If privacy is important to you, you might want to spend a little more money on either a TV or an external box. Or at the very least, take the time to make sure that the settings are what you want them to be. Absolutely.
Starting point is 00:16:43 Yeah. All right. Well, Joe Carrigan, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:17:15 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri,
Starting point is 00:18:11 Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:19:00 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
