Today we're following all things Facebook—it's four o'clock: do you know where your data are? We're betting no. Neither side of the aisle seems content with the answers Mr. Zuckerberg gave to the Senate panel. He's speaking before a House panel today. Patch Tuesday notes. Cyber tensions continue to rise as kinetic and chemical tensions rise between Russia and the West. Justin Harvey from Accenture, discussing cyber hygiene blind spots. Guest is Nahuel Sanchez from Onapsis on vulnerable password recovery systems.
Dave Bittner: [00:00:00:21] A quick reminder that if you're attending the RSA conference this year, be sure to stop by in the North Hall to the Akamai booth, that's N3625, where I will be appearing daily, doing meet and greets and some interviews as well and, of course, we thank Akamai for making these appearances possible. That's Akamai, harnessing the cloud without losing control. We hope to see you there.
Dave Bittner: [00:00:24:07] All things Facebook. It's four o'clock, do you know where your data are? We're betting no. Neither side of the aisle seems content with the answers Mr. Zuckerberg gave to the Senate panel. He's speaking before a House panel today. Patch Tuesday notes. Cyber tensions continue to rise as kinetic and chemical tensions rise between Russia and the West.
Dave Bittner: [00:00:49:21] And now some notes from our sponsor, Cylance. You've heard a lot of warnings about Russian cyber operators and their threat to the power grid in the UK, North America and elsewhere. Ever wonder how they get in? Sure, there's phishing and spearphishing, those can never be discounted, but here's a twist. Cylance has determined that one of their ways into the grid is through routers. They've found that the Bears are using compromised core routers to hit government agencies and organizations in the energy, nuclear and commercial facilities, water, aviation and manufacturing sectors. That's a bigger haul than a phishnet could catch, don't you think? Go to threatmatrix.cylance.com and check out their report on Energetic DragonFly and DYMalloy Bear 2.0. You'll find it interesting and edifying. That's threatmatrix.cylance.com, and we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:53:12] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 11th, 2018.
Dave Bittner: [00:02:05:11] The news today continues to be dominated by all things Facebook, with generous dollops of big data and aspirations for a future cleansed by artificial intelligence.
Dave Bittner: [00:02:15:10] As Facebook CEO, Mark Zuckerberg, moves from the Senate's frying pan to the House's fire, it appears that Facebook permissions allowed some apps to read messages between some users and their friends. The numbers seem not to be large, at least in the context of a story that's customarily dealt in tens of millions, like the 85 million who had other data scraped by Cambridge Analytica. About 1500 users are believed to have had their messages accessed via permissions they gave the personality quiz app used by a Cambridge University researcher in cooperation with Cambridge Analytica. The practice ended in October 2015. Until then, the app had requested access to inboxes through the read_mailbox permission, which Facebook says it got around to fully deprecating in the fall of 2015.
Dave Bittner: [00:03:05:13] Yesterday's testimony appears to have won the social media platform few friends on either side of the aisle. Senator Maria Cantwell, a Democrat of Washington, asked questions about Palantir, the big data analytics firm whose co-founder Peter Thiel sits on Facebook's board. Her suggestion was that Facebook had colluded with Palantir to deliver data that could be used in connection with Cambridge Analytica's activities. One Palantir employee is said to have done some work for Cambridge Analytica on his own time. Beyond that, the Senator's questions were based on the a priori possibility that Mr. Thiel could have sought Facebook's help with the Trump presidential campaign. Mr. Zuckerberg answered that issues of election interference and data privacy had come up at board meetings, and that the company was determined to get those issues right.
Dave Bittner: [00:03:54:23] Senator Ted Cruz, a Republican of Texas, asked whether Facebook's content controls exhibited a leftist bias, citing a number of conservative and religious pages that had run afoul of the company's gatekeepers. Is Facebook a neutral commons where all manner of ideas might be exchanged, or is it a corporate person exercising its First Amendment rights? Mr. Zuckerberg said, basically, that it's more a neutral field than an advocate. His answer was that he was "very committed to making sure that Facebook is a platform for all ideas. That is a very important founding principle of what we do. That is something that, as long as I'm running the company, I'm going to be committed to making sure is the case." He did say that, because of Facebook's location in "very liberal" Silicon Valley, there might be some sort of progressive bias, but that this wasn't his intention.
Dave Bittner: [00:04:47:19] The Senators' performance strikes much of the industry press as revealing interesting gaps in the lawmakers' familiarity with technology. In fairness to the Senators, however, they're not the only ones who have trouble grasping how Facebook handles data; WIRED thinks most users are in the same boat. Consider the now deprecated read_mailbox permission. A doctrinaire defender of contractual rights might ask, "What could anyone find to object to in this? After all, you said they could look into your mailbox, didn't you?"
Dave Bittner: [00:05:19:00] The problem observers see with this is the complexity and opacity of the way such permissions are embedded in terms of service, and, as even Mr. Zuckerberg acknowledged before the Senate panel, most people don't read those, let alone understand them. It's a fair question. If EULAs and terms of service require as much if not more legal advice than does, say, the drawing of a will, or the drafting of a deed, or incorporating a small business, in what meaningful sense does agreeing to them constitute informed consent?
Dave Bittner: [00:05:49:06] Mr. Zuckerberg indicated willingness to accept closer government regulation of social media. This is probably a concession to reality - some such regulation seems very much in the air - but it's also a tacit acknowledgment of the place Facebook now has in the online community. It's no longer the scrappy disrupter. It's pre-break-up Standard Oil or Ma Bell. Regulation can preserve big incumbents at least as readily as it can constrain them.
Dave Bittner: [00:06:17:07] The Facebook CEO also said he expected that artificial intelligence should have hate speech under control within five to ten years. He avoided defining "hate speech" beyond saying it was "things we could all agree on," and his technological optimism seemed to some observers not just to be doing a lot of hand-waving at the problems intentionality poses for any such program, but also to overlook the origins of artificial intelligence in natural intelligence. Any problems in natural intelligence are likely to find their Tin Man analogue in our artificial progeny. The Facebook CEO's testimony continues today, this time before a House panel.
Dave Bittner: [00:06:57:02] Most of us from time to time find ourselves needing to recover a lost or forgotten password, and so we rely on password recovery systems to securely reset or remind us what our chosen password is. Nahuel Sanchez is a Senior Security Researcher at Onapsis. Along with his colleague, Martin Doyhenard, they'll be presenting a session at RSA next week called, I Forgot Your Password: Breaking Modern Password Recovery Systems. Nahuel joins us for a preview of their presentation.
Nahuel Sanchez: [00:07:27:03] One important thing that we saw during our research, and I think the main issue, was that there isn't any default solution to implement these kinds of mechanisms. The main challenge, I think, is that it's really critical, in the sense of almost as critical as, for example, a log-in page or a log-in notification mechanism. Bugs found in password recovery systems will lead to account takeovers or a full compromise of the system. So, it's really complex code that is in charge of highly critical functions for a system.
Dave Bittner: [00:08:02:22] And so when you were doing your research and looking into this sort of thing, what sorts of vulnerabilities did you find?
Nahuel Sanchez: [00:08:10:16] We found different things, but the, the most complex one, or the most important were SQL injections and design error decisions.
Dave Bittner: [00:08:20:21] So, I think, having a password recovery system, I think, most people would, would acknowledge is a, is a basic function that you need to have. Do you think that there needs to be some sort of standardization of this?
Nahuel Sanchez: [00:08:32:16] I think so. I mean, as part of our research we found that there aren't default solutions and maybe that's because every, every application, or one application or business application is completely different and, and needs different functionalities for the users. But I think that there are good improvements, such as the usage of two-factor identification for password recovery mechanism in use with Google, for example, that has the options to allow users to have a secure or more secure way of resetting their, their passwords.
Dave Bittner: [00:09:07:15] That's Nahuel Sanchez. He's a Senior Security Researcher at Onapsis. Along with his colleague, Martin Doyhenard, they'll be presenting at RSA next week on April 19th. The session is called, I Forgot Your Password: Breaking Modern Password Recovery Systems.
Dave Bittner: [00:09:24:11] Patch Tuesday addressed 66 Microsoft bugs. One is an unusual keyboard issue; another is a SharePoint vulnerability that Redmond says hasn't been exploited in the wild despite its having leaked in advance of the patch.
Dave Bittner: [00:09:39:03] Editorialists urge the EU to get serious about sanctioning Russia, support for Assad in Syria being the country's most recent offense. Attacks on infrastructure by Russian operators are still widely expected. Some US officials in and around NSA and US Cyber Command hint not-so-darkly about an ability to hold Russian infrastructure at risk. We'll see what the near future holds, but it sounds as if the world is moving closer toward either deterrence or open cyber conflict.
Dave Bittner: [00:10:14:13] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption, and they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on A Comprehensive Approach to Security Across the Digital Workspace will take you through the details and more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security: thecyberwire.com/vmware, and we thank VMware for sponsoring the CyberWire.
Dave Bittner: [00:11:14:21] And I'm pleased to be joined once again by Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, welcome back. You know, you and I have spoken about cyber hygiene from time to time and today you wanted to make the point that some people have some surprising blind spots when it comes to that.
Justin Harvey: [00:11:31:06] Yes. When I think about cyber hygiene, I think about having the right trained people, and the right technology, and the right processes to shore up your cyber defense posture or your cybersecurity program, which means plugging even the smallest holes. And if you're not focused on doing cyber defense or cybersecurity well in your organization, you might have a few of these blind spots. And one of the potential dangers out there is the advent and the usage of what we call PUPs - potentially unwanted programs.
Justin Harvey: [00:12:11:14] PUPs, these days, can come in many forms. It can be adware, which has been around for over a decade; it can be spyware, clickware. It could be simply a dropper that responds to a request to participate in a distributed denial-of-service attack, or a botnet in the future or, even, cryptocurrency mining software. You could have some software and it's just essentially creating, printing money for cybercriminals out there.
Justin Harvey: [00:12:42:10] These potentially unwanted programs are sucking your resources. They are drawing CPU, they're drawing power, and they're also diverting the focus of your security operations center team or your incident response team in working through cases here. Because, essentially, many times you don't know if you have a potentially unwanted program, or if the alert is a potentially unwanted program, or if it's a, a real threat, so it devotes time and effort from your security operations center or your incident response team.
Justin Harvey: [00:13:16:00] The, the true danger here is you have no idea who has a foothold on your system at this point. You know that you may have a potentially unwanted program. Let's take the most benign of examples. It brings up a window every day, and it says, "Go to this site," or it consistently tries to change your homepage from Google to somewhere where they're harvesting the clicks. The problem with this is that you have no idea who that is, and what we are seeing is a trend where cybercriminals are deploying these; they're keeping them low profile and they're actually profiling the victims. Some victims are part of large multinational or global companies, where they're actually selling those footholds to nation states or other cybercriminals who will pay top dollar for entry into our organization.
Justin Harvey: [00:14:11:21] The second thing is, where there's smoke there's fire. Those potentially unwanted programs have to get onto your enterprise's systems somehow, either through users clicking on the wrong links - that denotes the need for better email security, better security awareness training, et cetera. Or they're coming in via a vulnerability, or exploiting a vulnerability that is latent within the server or the workstation to date. So, those are a couple of things to keep in mind, and why it's so important to keep your cyber hygiene up to snuff.
Dave Bittner: [00:14:45:12] Justin Harvey, thanks for joining us.
Justin Harvey: [00:14:48:12] Thank you.
Dave Bittner: [00:14:53:03] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.
Dave Bittner: [00:15:15:03] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media. With editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.