The CyberWire Daily Podcast 7.18.17
Ep 393 | 7.18.17

Qatar and the United Arab Emirates at loggerheads over hacking. Commonly used gSOAP IoT code vulnerable to exploitation. A data exposure risk in connected toys. And what could be in that EULA.

Transcript

Dave Bittner: [00:00:01:01] Please do check out our Patreon page at patreon.com/thecyberwire. We do appreciate the support. Thanks.

Dave Bittner: [00:00:11:12] Qatar accuses the UAE of hacking and vows legal retribution. The UAE says it didn't do it. Warnings about vulnerabilities in commonly used IoT code. The FBI warns of risks inherent in Internet-connected toys. And people really, really don't read those EULAs.

Dave Bittner: [00:00:35:13] I want to tell you about an offer from our sponsor, Cylance. Who doesn’t like augmented reality? We know we do. So if you’re going to be in Las Vegas for Black Hat this month, why not forget about the stage magic and stop by Booth 716 for some magic you can actually learn from. Cylance will let you experience augmented reality and see how you can learn from the anatomy of a cyber attack. You’ll gain real insight into how modern cyber attacks originate, how they work and how they can be prevented before they cause harm to your environment. It’s all there for you at Booth 716. Visit the event section of cylance.com in cyberspace for more on augmented reality and what it can do for security and, more importantly, in physical space at Black Hat get on over to Booth 716 and check it out for yourself. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:32:01] Major funding for the CyberWire podcast is provided by Cylance and I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, July 18th, 2017.

Dave Bittner: [00:01:41:18] Qatar continues to accuse the United Arab Emirates of hacking Qatar News Agency and other targets to plant disinformation discreditable to Qatar's government. Early on May 24th, quotations praising both Hamas and Iran, and by some reports Israel as well, appeared on various social media accounts and news sites associated with Qatar's government. They were attributed to the Emir of Qatar.

Dave Bittner: [00:02:06:02] The remarks promptly led to a diplomatic rupture between Qatar and other Gulf states, particularly the United Arab Emirates, Saudi Arabia and Bahrain, who were prepared to accept them at face value in spite of Qatar's protestations that it had been hacked. Other minor incidents soon thereafter affected sites in Bahrain and at least one diplomatic email account in the UAE. The US FBI, which assisted Qatar's investigation of the incident, said in late May that they believed Russian threat actors were behind the disinformation campaign. But a report this Sunday in the Washington Post quoted anonymous members of the US Intelligence Community as attributing the cyberattacks to the UAE and Qatar's official representatives have run with that story.

Dave Bittner: [00:02:50:00] The Emirates continue to deny involvement and they're not even entirely buying that the hacking involved disinformation at all. They say the report of Emirati involvement that appeared in the Post is flatly false and that if you look at past statements by Qatar's rulers, well, they're consistent with what the alleged hackers published.

Dave Bittner: [00:03:09:03] There have long been tensions between Qatar and its neighbors, allies and brethren in the Gulf. Many of those tensions are associated with Qatar's relatively warm relations with the Muslim Brotherhood. For an indication of how wire-taut such tensions are, consider that a government has gone on record with charges of criminality against a neighbor that are founded on an anonymously sourced story in an American newspaper.

Dave Bittner: [00:03:35:02] Here in the US it's summertime and, for a lot of kids, that means summer camp, but it's not just archery, canoeing, and ghost stories around the fire. The NSA partners with educational institutions across the country, sponsoring summer camps through their GenCyber program. Tina Ladabouche is the program manager for GenCyber.

Tina Ladabouche: [00:03:54:06] There's an extreme shortage of qualified cybersecurity professionals. So we thought that it would be important to generate a pipeline of individuals entering into the field and we wanted to do that and reach students prior to entering college, so that's why the GenCyber program was created, for the K through 12 student population.

Dave Bittner: [00:04:13:04] And so give me an overview, what kind of things does the GenCyber program offer?

Tina Ladabouche: [00:04:18:10] The GenCyber program is sponsored by the National Security Agency and the National Science Foundation, and what we do is we offer grants to universities to hold summer camps for K through 12 students and teachers, and we're introducing them to cybersecurity. We're trying to generate an interest in cybersecurity. We provide them with instruction on safe online behavior and cybersecurity topics. We introduce them to secure programming and cybersecurity first principles. Those are the types of things that are involved in the summer camps.

Dave Bittner: [00:04:51:23] And why is it so important to reach these young women before they reach college age?

Tina Ladabouche: [00:04:57:02] There are studies out there that show that students in the late elementary, middle school age, especially girls, develop an interest in certain topics, and we want to make sure that they are exposed to these types of topics early on, before they hit college, so they don't stray away into another category, another subject area. We want to show them that they can actually be involved in cybersecurity.

Dave Bittner: [00:05:19:09] So the program has been running for a couple of years now. What's the feedback been so far?

Tina Ladabouche: [00:05:24:09] The feedback has been amazing. Very positive. We have a lot of interest that's been generated throughout the couple of years. The program has grown significantly. In 2014, we had eight camps. We increased to 43. Last year we had 120 camps, and this year we're going to have 131 camps.

Dave Bittner: [00:05:42:21] And ultimately how will you measure success?

Tina Ladabouche: [00:05:46:06] Currently, it's a little too early to measure success because the program is so new. However, in the future, we hope to be able to see the students entering into college and majoring in cybersecurity subject areas and also then entering the workforce because we want to bridge that gap in between the number of qualified cybersecurity professionals that are needed in the workforce and those that are entering in the field.

Dave Bittner: [00:06:09:19] What does a typical day look like for someone who engages with this program?

Tina Ladabouche: [00:06:13:21] Each camp is unique within itself. We provide overarching guidance to each one of the institutions for the camp, what the camp curriculum should look like, and pretty much that is just to introduce cybersecurity to the participants, whether they be students or teachers, introduce safe online behavior to them, provide teaching methods and techniques to the teachers during the teacher camp, and to make sure there's hands-on interactive activities during the camp. We don't want the students just sitting in front of a computer. We want them to be energized, and we find that hands-on, engaging, learner-centered activities are extremely effective.

Dave Bittner: [00:06:50:24] That's Tina Ladabouche from NSA's GenCyber program. You can find out more about the program and find a camp near you at their website. That's gen-cyber.com.

Dave Bittner: [00:07:03:07] If you'll forgive a bit of self-promotion, we've been asked, "So what do I get for becoming a Producer's Circle patron of the CyberWire?" Well, unlike that membership in the ShadowBrokers' exploit-of-the-month club you might have been considering (not that we'd necessarily recommend signing up for that club, Wealthy Elite), your support of the CyberWire gets you more than an EternalBlue tote bag or a Guccifer 2.0 bobble hat or a DVD of Ed Snowden's greatest hits. The Producer's Circle now receives exclusive access to our new Quarterly Report. If you'd like to see a sample, go to thecyberwire.com/issues and check it out. And thanks to all the patrons who have been so generous in their support of the CyberWire.

Dave Bittner: [00:07:44:14] Returning to hacking, NotPetya continues to reverberate in the shipping and logistics sector even after the malware attack itself has been contained and remediated. Delays in receipt of various shipments are being ascribed to the attack.

Dave Bittner: [00:07:57:16] NotPetya's effect on FedEx seems, at the very least, to have put the brakes on the shipping company's full integration of its TNT acquisition. This is another reason to consider the role cyber risk assessment necessarily plays in M&A due diligence and how difficult that assessment can prove to be.

Dave Bittner: [00:08:15:19] Other insurance companies have experienced material consequences as well, which gives added point to insurance giant Lloyd's assessment that a major cyber attack could inflict worldwide damages in the range of over $53 billion to over $121 billion.

Dave Bittner: [00:08:34:10] Axis Communications patched an issue Senrio researchers found with Axis high-end and widely used security cameras. Axis deserves some credit here because they're early to the patching. The flaw, "Devil's Ivy," is found in the widely used open-source code gSOAP. The problem is widespread and extends far beyond Axis. The vulnerability is likely to endure, given the notoriously low rates at which IoT devices are patched.

Dave Bittner: [00:09:02:10] Other IoT issues surface in children's toys. The FBI warns that it's probably not a good idea to give your young sons and daughters Internet-connected toys. The Bureau's concerns are centered for the most part on the kinds of data such toys collect: pictures, voices, names, geolocation, and so forth. The information is for the most part collected innocently, but what's collected can be compromised, and it's not easy to undo the damage of a breach. It's also unlikely you'll ever patch a talking kukla; if it's unlikely to happen with security cameras, it's less likely to happen with a much-loved and chewed-over teddy bear. Security firm Plixer's Michael Patterson communicated a familiar call for regulation to us in response to news of this warning. He said, quote, "Expecting consumers to do their homework before making an Internet connected toy purchase isn't going to happen." He argues there ought to be a law. If the Government can require nutrition labels on packaged food, why not collection labels on connected devices? And he adds that those "very one-sided End User License Agreements," the EULAs that you never read, are insufficient to protect privacy.

Dave Bittner: [00:10:10:06] And speaking of EULAs, free Wi-Fi provider Purple conducted an experiment that turned out about as one might expect. They embedded clauses in their EULA giving them the right to assign community service to users. Such service included cleansing local parks of animal waste, providing hugs to stray cats and dogs, manually relieving sewer blockages, cleaning portable lavatories at local festivals and events, painting snail shells to brighten up their existence, and scraping chewing gum off the streets.

Dave Bittner: [00:10:39:18] More than 22,000 users cheerfully clicked through. One, count them, one person actually read and declined the EULA. We'd ask our community outreach staff for advice, but for some reason they're down the hall in the conference room doing something with snails and paintbrushes. Weird, huh?

Dave Bittner: [00:11:04:04] Now some news from our sponsor, Cylance. Cylance has integrated its artificially intelligent Cylance Protect engine into VirusTotal. You'll know VirusTotal as the free online service that analyzes files and URLs to identify viruses, worms, Trojans and the other kinds of badness antivirus engines and website scanners pick up. Well, Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive, and the Internet a safer place. It's like public health for cyberspace. Free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyber attacks, and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit cylance.com and look at their blog for more on their contribution to our online immune system. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:12:03:19] And I'm pleased to be joined once again by Markus Rauschecker. He's the cybersecurity program manager at the University of Maryland's Center for Health and Homeland Security. Markus, we saw a story come by about Facebook in that they were found to have broken some data privacy laws in several European countries and actually they're being investigated in a couple more. What's going on here?

Markus Rauschecker: [00:12:23:24] This seems to be kind of a story that we hear again and again. We know generally that Europe has very strict privacy laws and, in this case, certain European countries are investigating Facebook for violating certain privacy laws within those countries. Facebook is arguing that it does not necessarily have to comply with some of these national laws, because really they argue that their presence in Europe is located in and specific to Ireland and that they have to follow Irish law because their main office is located in Dublin. There is certainly going to be a lot of debate about that, especially because Facebook does, of course, have some presence in a lot of the other European countries, physical presence in a lot of these other European countries, but the fact of the matter is, right now the fines for violating some of these privacy laws are relatively low, especially for a company such as Facebook, which has about $30 billion in revenue per year. But Europe is looking to change that. The fines for violating some of these privacy laws will go up in the future; in fact next year, May 2018, we'll see the initiation of the European General Data Protection Regulation. That is going to make it a lot more costly if a company is found to have violated data privacy laws, European data privacy laws, which will certainly give a company that's operating in these countries a lot more reason to look at their privacy policies and their practices to make sure that they are in compliance.

Dave Bittner: [00:13:57:22] It is an interesting argument from Facebook's point of view. I mean, if you compare it, and it's obviously not a direct comparison, but I think of, like, a pharmaceutical company, you know, if their factory was in Dublin, Ireland, that wouldn't mean that they didn't have to comply with the drug safety rules in Germany or France or any other country where they sold their product.

Markus Rauschecker: [00:14:15:24] Oh, absolutely yeah. You know, we always see this kind of fundamental debate when it comes to online services and online presence and whether or not that can be completely equated to a physical presence. Some argue that it's not the same thing and others certainly argue that it is. So there's a lot of room there for legal analysis and, you know, we will have to see how things develop.

Dave Bittner: [00:14:45:04] All right, Markus Rauschecker, thanks for joining us.

Dave Bittner: [00:14:50:03] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially our sustaining sponsor, Cylance. You can find out more about how Cylance can help protect you through the use of artificial intelligence at cylance.com. Don't forget to check out the Recorded Future podcast where I am also the host. The subject there is threat intelligence. We're pretty proud of it and we think it's worth your time. Check it out at recordedfuture.com/podcast. And thanks to all of our Patreon supporters. You can find out how you can help support the CyberWire at patreon.com/thecyberwire.

Dave Bittner: [00:15:29:04] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.