CyberWire Daily - Zuckerberg testimony. Supply chain cyber threat to satellites. DPRK destructive malware. "Early bird" code injection. GCHQ vs. ISIS. Germany blames compromise on Russia. Salisbury attack update.
Episode Date: April 12, 2018
In today's podcast we hear that Facebook's CEO Mark Zuckerberg has finished testifying on Capitol Hill, denying that Facebook sells data or that it knew what those people at Cambridge were up to with the data they obtained. Supply chain cyber threats to satellites. North Korean destructive malware may be back. Early bird code injection. GCHQ takes on ISIS in cyberspace. Germany attributes 2017 network intrusions to Russia. International body confirms British official accounts of the Salisbury nerve agent attacks. Chris Poulin from BAH on self-driving car tech that monitors the driver's gaze to make sure they are paying attention to the road. Guest is Oren Falkowitz from Area 1 Security, looking at the Atlanta ransomware incident.
You're listening to the Cyber Wire Network, powered by N2K.
Facebook CEO Mark Zuckerberg has finished testifying on Capitol Hill,
denying that Facebook sells data or that it knew what those people at Cambridge were up to with the data they obtained.
There are supply chain cyber threats to satellites.
North Korean destructive malware may be back.
Early bird code injection.
GCHQ takes on ISIS in cyberspace.
Germany attributes a 2017 network intrusion to Russia.
And an international body confirms British official accounts of the Salisbury nerve agent attacks.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 12, 2018.
Facebook CEO Zuckerberg testified before the U.S. House yesterday,
deflecting suggestions that Facebook collect less information.
It's complicated, as one's relationship status so often is.
Ranking member of the House Energy and Commerce Committee, Frank Pallone, a Democrat of New Jersey,
said he was disappointed by Facebook's unwillingness to limit its automatic collection of user data.
Mr. Zuckerberg deflected the point by saying that his company's collection of data was,
quote, a complex issue that deserves more than a one-word answer, end quote.
Facebook's value, of course, lies precisely in the data that it collects and holds.
Mr. Zuckerberg clarified several times to his inquisitors that Facebook doesn't sell
data.
Taken narrowly and literally, that's true,
but most who heard the testimony regard that statement as hair-splitting.
What the Facebook CEO said was, quote,
There's a very common misperception about Facebook, that we sell data to advertisers,
and we do not sell data to advertisers. We don't sell data to anyone.
What we allow is for advertisers to tell us who they want to reach, and then we do the placement, end quote. As Motherboard pointed out, Facebook doesn't sell your data, but profits
from it. Representative Greg Walden, a Republican of Oregon, went on to say, quote, but it's also
just as true that Facebook's user data is probably the most valuable thing about Facebook. In fact,
it may be the only truly valuable thing about Facebook, end quote. TechCrunch pointed out that one surprising bit of testimony
threw some shade in the direction of Cambridge University.
Mr. Zuckerberg, asked if Facebook intended to take legal action
against Cambridge Analytica and its university partners,
didn't answer directly, but he did expand on how he disapproved
of what he'd learned
about Cambridge University's use of Facebook data for research, which he indicated he'd learned of
when The Guardian broke the story in 2015. Mr. Zuckerberg said, quote,
So we do need to understand whether there is something bad going on at Cambridge University
overall that will require a stronger action from us, end quote. He and his direct reports may not have known, but plenty of people at Facebook almost surely did.
Cambridge University wasn't amused and offered the following statement,
We would be surprised if Mr. Zuckerberg was only now aware of research at the University of Cambridge,
looking at what an individual's Facebook data says about them.
Our researchers have been publishing such research since 2013 in major peer-reviewed
scientific journals, and these studies have been reported widely in international media.
These have included one study in 2015, led by Dr. Aleksandr Spectre (Kogan) and co-authored
by two Facebook employees.
Mr. Zuckerberg's testimony is now in the books.
Congress will continue its deliberations and inquiries.
The city of Atlanta recently made headlines for falling victim to a ransomware attack
and the amount of time it's taken to get things back up and running.
Oren Falkowitz is CEO at Area 1 Security, and he shares his take on the situation.
The city of Atlanta, like many businesses and organizations before, has become a victim of
cyber attack, in this case, ransomware. The interesting thing about ransomware attacks
is that almost 99% of them start with what's known as phishing, where users probably within the network either received an
email and clicked on a link and entered their username and password somewhere else or visited
a website or downloaded a file that got this thing kicked off.
And so I think what struck a lot of
folks is how long it's taken them to get things back up and running.
Yeah, absolutely. Well, I think, you know, it's inextricably tied to preparedness. In this case, the city, and I think some of the public
comments from the city have indicated that they really just weren't prepared for this,
either in preempting or taking early action to prevent the incident from happening to begin with. And secondly, from mitigating the fallout therefrom.
That being said, you know, it's not atypical.
You know, once attackers get very deep inside your network, it is very difficult to root them out.
And it does often shut down operations.
You may recall in the Sony hack a few years ago, they resorted to using pen and paper for a little while.
This is a very common phenomenon that once you get to this point,
it's really hard to rebuild the integrity and trust within your computer systems.
Yeah, and you know, I mean, there's that old saying that an ounce of prevention is worth a pound of cure.
What do you suppose they could have done a better job with to prevent this in the first place?
It's probably a little bit too early to give a definitive statement, not knowing all of the details.
But it's clear that a greater focus on preempting phishing attacks, which is likely how these types of ransomware got into the network.
And I'm sure there are a variety of other mechanisms that we'll learn about over the coming weeks.
We hear a lot recently that the bad guys are relying on things like phishing, these human factors, to be able to get into the systems because it's inexpensive and it works.
How much of the solution to this is a technical one and how much comes down to training?
Well, training, you know, is a totally inefficient and ineffective solution for
this. You know, everybody has a training program. And if it was an effective solution, there would
be far less breaches. There is no evidence that humans can be trained to become perfect robots in
any discipline. We've done training in our armed forces. We do training in sex education. We do training in the ability to
drive cars. And we continue to see humans operate with lots of error rates there. It only takes one
person to click. This is a problem that needs to be solved with technology. It's perfectly within
our capabilities to do that, but it requires the right kind of focus. You know, the interesting thing about phishing is that over 95% of all the incidents that are
occurring around the world begin with phishing. And so it is the root cause for insecurity,
for damage, for societal collapse as it relates to cybersecurity.
And it needs to be solved with a technological approach.
The cybersecurity industry today is suffering from a lack of accountability.
Today, people are buying more and more products,
and they're not getting higher results.
And it's imperative that the people buying products
and the companies that are helping to stop this problem
really start focusing on being
accountable and going towards performance models for their solutions so that people can be assured
they're getting what they purchase.
That's Oren Falkowitz from Area 1 Security.
North Korean destructive malware with features not seen since the 2014 Sony Pictures hack
is believed to have returned, according to documents obtained by Foreign Policy.
A Secure World Foundation report concludes that cyber attacks on satellites are likelier than the kinetic destruction of orbital platforms, despite some recent tests of early-stage anti-satellite interception technologies.
The report discerns signs of growing Chinese and Russian interest in this cyber mode of attack.
It conceives the risk as largely a supply chain problem,
with Russian or Chinese suppliers of code and subcomponents
building exploitable vulnerabilities into the satellites,
whose manufacture and operation rely on a globalized network of suppliers.
In any case, it's a lot easier to leave a debugger in a product
than it is to hit something in geosynchronous orbit with an interceptor.
The kinetic interception is flashier and splashier,
but let's not confuse cost with value.
Bricking a satellite works just as well as breaking it into small pieces.
Security firm Cyberbit reports finding what it calls a new early bird code injection technique
in which malicious code runs prior to a process's main thread.
This enables attacks to bypass many antivirus products.
The technique is appearing in the Iranian threat group APT33's TurnedUp backdoor,
in Carberp banking malware, and in DorkBot malware.
Defensive techniques will no doubt evolve swiftly to handle this form of code injection,
but it's an interesting move in the offense-defense seesaw.
Britain's GCHQ says it conducted offensive cyberaction against ISIS,
successfully disrupting the terrorist group's operations and propaganda.
German authorities have cautiously attributed a campaign against the Federal Republic's government and political networks to Russian state actors.
Hans-Georg Maassen, chief of the BfV, the Domestic Counterintelligence Service,
says they can't be sure it was Fancy Bear, Russia's GRU,
and that the unlikely possibility of a false flag operation can't be entirely
ruled out, but that nonetheless they regard attribution of the attacks to Russia with
high likelihood.
Russian authorities continue to deny any involvement with the Russian nerve agent attack in Salisbury
last month, but the independent investigation they asked to reveal the whole matter as a
British provocation hasn't turned out as Moscow presumably hoped.
Laboratory investigation of samples by the Organization for the Prohibition of Chemical Weapons
found that the UK had correctly characterized the agent.
They didn't call it Novichok or say Russia did it,
but they did note that the test sample's unusually high degree of purity
strongly suggested state activity.
The OPCW statement, released last night and distributed to members this morning,
said in part, quote,
The results of analysis by OPCW-designated laboratories of environmental and biomedical samples
collected by the OPCW team confirm the findings of the United Kingdom
related to the identity of the toxic chemical that was used in Salisbury and severely injured three people, end quote. An emergency follow-up meeting requested
by the British government will be held next week. Russia has long called the attack a British
provocation, probably mounted with an assist from the U.S. and maybe the Czech Republic.
Russia's London embassy has also issued a statement in response to Yulia Skripal's decision to decline a visit from Russian consular personnel to check on her welfare.
This decision is understandable, one might think, in view of her experience with nerve agent poisoning.
And anyway, as she put it, if she decides she wants to talk to them, they're not difficult to reach.
The Russian embassy says that it suspects that Ms. Skripal is being held by British security services.
As they put it, quote,
the document only strengthens suspicions that we are dealing with a forcible isolation of the Russian citizen.
End quote.
Nobody really believes this,
but the episode shows the degree to which it's apparently possible to double down on the disinformation
when the breaks are beating the boys.
And I'm pleased to be joined once again by Chris Poulin. He's the Director of Connected
Product Security at Booz Allen Hamilton. Chris, welcome back. I saw an interesting article come
by from Ars Technica, and it was singing the praises of the latest Cadillac
that has a feature called Super Cruise,
which is one of many of these self-driving systems
that some of the high-end cars have.
Some of the things that struck me about this Cadillac system
was that it has sensors built into the steering wheel
that keep an eye on you while you're driving,
and specifically
while this auto driving system is engaged to make sure that you are keeping your gaze on the road.
So it's actually monitoring your attention. And I think it's fascinating how many sensors are in
these new cars.
Yeah, you know, it's interesting. I don't think that a lot of the consumer automobile
owners actually understand how many sensors are either in the car or being considered.
So, for example, there are sensors to monitor your heart rate to detect if you're having a heart attack while you're driving or some sort of some heart condition.
There are scales in the seat to detect whether or not you're the same passenger as you were before.
There are analytics to detect the type of driving, you know, so effectively the car is trying to get to
know you. And so it's, that's an opportunity. I think it's, it's great in many cases, you know, so if you're
looking for teenage drivers and who are more apt to text, maybe that, I, even if they're not engaging
the Super Cruise, they, it can detect whether or not they're paying attention
or they're texting their friends or whatever.
So it's great in that sense.
But there's also the privacy concern,
and it kind of freaks people out, quite honestly.
You know, there's always that trade-off,
and I think you and I have talked about that before,
which is the functionality versus privacy.
And how do you get past,
and I know this is not exactly
what the Uncanny Valley is all about,
but it's pretty close, which is that even though the cars don't look like humans, which is technically what
Uncanny Valley is characterized as, it's still a smart automobile. And so when do people get beyond
the creepy feeling that the vehicle knows too much about them or that their Echo Dot knows too much
about them or their Google Home,
you know, is listening in on them. So we're kind of in this weird little area. We're getting
acclimated. And I heard a story, maybe from you, by the way, that elevators used to have elevator
operators back in the whatever, 1920s and 30s. Were you the one who told me this?
I was. I was. But go on. It's a good story.
Yeah, because even though the elevators could, in fact, operate autonomously, you know, people could do what they do now, which is press the button and the elevator would operate without the operator.
They felt more comfortable with someone who was an expert to actually operate the elevator.
Right.
And so it's sort of this interim step.
It's this, it bridges you between something you're familiar with and something that
you're not. And I, that's, what's happening with the automotive industry right now. And I actually
heard somebody, I know I'm going a little bit off topic. I was listening to the radio and these,
the hosts were talking about the fact that they're not technical people, you know, that, uh, there
are autonomy, a full autonomy. I believe if I read or I heard this correctly as being has been
legislated, it as being allowed in California
or some places in California for some cars. And so they were like, oh, I'm never going to get into a
self-driving vehicle. And then one of the hosts said, well, what happens if it's snowing out?
And I find that an odd thing to think about in a negative way, because humans are notoriously
awful at driving in the snow. In fact, I think that those same hosts were talking about how bad
people drive in the snow and the rain in the first place.
And so vehicles are going to be better at doing that than humans are in the first place
once you get beyond certain technical challenges that, you know, I think we're either past
or we're right on the verge of passing.
So I think it's kind of interesting that there is this perception that humans are still better
at doing things than machines are in some cases.
Yeah, no, it's interesting. It'll be interesting to see how
that transition goes. Chris Poulin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is
proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building
the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is
Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol
Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Thanks for listening.
We'll see you back here tomorrow.