The CyberWire Daily Podcast 10.3.17
Ep 447 | 10.3.17

Fake news and information operations with no obvious solution. Equifax update. US Cyber Command vs. DPRK

Transcript

Dave Bittner: [00:00:01:03] Don't forget, at the $10 per month level you get a version of the CyberWire that is ad free. It's at patreon.com/thecyberwire.

Dave Bittner: [00:00:12:09] Bogus rumors and highly questionable claims of responsibility circulate online after the Las Vegas massacre. Google and Facebook come under pressure to moderate the content they carry. The UK prepares to pass tougher restrictions on viewing radical content. The Equifax breach gets two-and-a-half-million people bigger. And US Cyber Command is said to have disrupted North Korean intelligence networks.

Dave Bittner: [00:00:42:05] A quick note about our sponsors at E8 Security. They understand the difference between a buzz word and a real solution and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new but proven technologies at e8security.com/cyberwire. We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised machine learning, where a human teaches the machine, might seem the best approach, in fact, unsupervised machine learning can show the human something unexpected. Cut through the glare of information overload move from data to understanding. Check out e8security.com/cyberwire and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:49:08] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, October 3rd, 2017.

Dave Bittner: [00:01:59:23] ISIS has claimed responsibility for the awful massacre in Las Vegas. Its Amaq news service said that the apparent shooter, Stephen Paddock, who killed himself as police stormed his hotel room, converted to Islam some months ago. Amaq calls Paddock by the honorific name Abu Abdul Barr al-Amriki, al-Amriki, that is, the American. Very few people believe any of this to be true. The FBI is particularly skeptical, saying they've discerned no connection between Paddock and any extremist group. It seems to most very unlikely that Paddock had converted to Islam and responded to calls to strike the unbelievers.

Dave Bittner: [00:02:41:05] Responsible or not, ISIS has incorporated the attack into their inspirational narrative. It's unusual, but not completely unprecedented, for the terrorist group to assert responsibility for crimes they had nothing to do with. Several observers attribute this departure, if such it is, to desperation, and as another sign that loss of territory and credible claims of ability to govern are driving ISIS into a global diaspora, more dependent than ever on cyberspace for its continued existence.

Dave Bittner: [00:03:11:10] The claim is probably also connected to recent warnings ISIS has distributed via Telegram advising Muslims and to avoid public places in infidel lands, as the soldiers of the Caliphate intend to turn those into battlefields.

Dave Bittner: [00:03:25:15] The attack has also inflamed criticism of both Google and Facebook for being conduits of bogus news and rumor-mongering. Among the messages carried were speculations from the that the shooter was a white supremacist, but these were so implausible that they had a very short lifespan. The gunman's motivation remains a mystery. The FBI and other law enforcement organizations are going though Paddock's digital exhaust to see what it might reveal, but so far, nothing. Investigation is ongoing.

Dave Bittner: [00:03:54:06] Both Google and Facebook are clearly on their way to being considered news providers, not simply content-neutral platforms designed to exhibit whatever people happen to be saying online. Google's highlighting of search results from dubious sources prompts skepticism of Mountain View's algorithmic approach to news. Facebook, which has lately made much of its efforts to expunge bogus stories from its feeds, also fell flat in this instance.

Dave Bittner: [00:04:20:21] Observers think more human curation is the only realistic way forward for these platforms. Their methods currently are designed to highlight the most viewed and shared content, but this advertising-centric approach to sorting news clearly has its limitations. This morning, Facebook announced its intention of hiring 3,000 workers, human workers, it seems necessary to say, to monitor content.

Dave Bittner: [00:04:45:01] Facebook's acceptance of ads from Russian front organizations aimed at inflaming racial and class divisions in the US also draws criticism. The company turned over to Congressional investigators some 3,000 Russian-purchased ads bought and run during the last election cycle. Facebook has some new policies it hope will mollify Congressional critics. It will now enable users to see all the ads placed by a given advertiser, not just those the social medium's rifle-shot targeting has selected for delivery to a user's specific demographic profile. Facebook will also require proof-of-identity from those who wish to buy ads bearing on US political campaigns. The former measure seems unlikely to do advertising revenues much good. The latter will probably require a lot of labor from those 3,000 new employees to determine what counts as ad content bearing on an election.

Dave Bittner: [00:05:39:19] The general mood is that something must be done, but what, exactly, that might be is unclear. Those only loosely attached to the US Constitution's First Amendment see the challenge as mostly one of policy and technology. Those with a more committed view of free speech as a right see deeper and less easily solved problems.

Dave Bittner: [00:06:00:04] For its part, the UK is using a heavy hand with extremist content. A new law is expected to expose repeat viewers of terrorist sites to up to 15 years in prison, a very harsh sentence by British standards. The proposed law is expected to pass, its proponents viewing it as a necessary component of an anti-radicalization strategy.

Dave Bittner: [00:06:21:23] Insider threats come in two basic categories. There's the malicious actor, with access to your network, someone you've placed trust in, who is up to no good. And there's the inadvertent threat actor, the employee, who naively clicks on a malicious link in an email. Tony Gauda is CEO at ThinAir, where they specialize in insider threat detection and investigation.

Tony Gauda: [00:06:42:15] What organizations need is visibility. So the problem is that the internal adversaries actually have more visibility and more context as to how what information is critical and how it's used normally than what the defensive people, you know, know about. Because, if you think about it, organizations are organic, they grow over time. So that means if you deploy what's called a DLP system, which is a technology that allows you to kind of, if you write rules in the right way, it'll stop people from doing terrible things with information. The problem is is that you have to predict what terrible behavior looks like, and you have to predict what normal looks like. So if it doesn't fit in either one of these rules, then the DLP system doesn't detect that it allows the individual to walk out the front door with their critical assets.

Dave Bittner: [00:07:25:05] We sort of have, jokingly, referred to IT as the department of no. If you go to IT with a question, "Can I do this?" that they're, you know, there's a decent odds that they're going to say no. But that leads to shadow IT, where the people who are, in the organization, who just are trying to get their work done, they're going to find a workaround. How do you deal with that sort of thing?

Tony Gauda: [00:07:45:09] I think visibility is critical for that, especially in that exact scenario. So that is literally, you know, 99.9% of all organizations that exist, is that IT organizations have to decide, ahead of time, what is correct and what is not correct, and if it doesn't fit the model that IT has predicted then it's default denied. And that, of course, causes people within the organization to figure out ways on how they can circumvent it so they can, again, get their work done, because they're bonused on how productive they are, not on how secure they are, if you think about it. So the incentives are actually quite misaligned.

Dave Bittner: [00:08:17:23] What are your thoughts, in terms of proper ways or effective ways to incentivize those people for whom security might not be their top priority?

Tony Gauda: [00:08:27:10] I think you have to take a page out of the physical world. So, if you think about when you walk into a bank there are doors that exist. There are very thick steel doors and very thick bars that are on the windows, and these are what I like to call the protection technology. So these things stop you from doing things within the organization. The problem is is that when those things fail, when someone drives a truck through the front door, or the person that works in the bank decides to steal information from the bank, the only thing you have left are the observation technologies, the camera. So the camera itself doesn't replace the steel door, and the steel door doesn't replace the camera, they are complementary to each other. So, again, this goes back to visibility. If you have visibility to when people touch things and what they do with those things, then you can decide what's important and what's not important after the fact, or you can take steps to fortify your security posture, because you know exactly where your risk is concentrated. So, without visibility, again, all this other stuff is just not possible.

Dave Bittner: [00:09:25:03] I have a friend who likes to joke that nothing is foolproof to a talented fool. I wonder about, when you have clever humans who are figuring out these workarounds, and IT might not know what it is to look for. They might not know what they don't know.

Tony Gauda: [00:09:40:14] That's right. If you think about every security breach that's ever existed, all of these companies have some security technology in place. So it's not that they don't have technology in place to help combat these issues, the problem is is that the complexity in detecting human behavior when it's nefarious to the organization versus productive to the organization, is actually an extremely difficult problem. So, if you think about it, those alerts were go off, even in the targets of the world as those, you know, million or so credit card numbers were being exfiltrated. Of course, alerts were going off. The problem is the organization was inundated with alerts. So, without having the proper visibility in place, again, it just makes it extremely difficult for you to catch any of this stuff.

Dave Bittner: [00:10:24:04] That's Tony Gauda from ThinAir.

Dave Bittner: [00:10:27:14] The Equifax breach appears to have affected millions more than initially believed. The company now estimates the number of affected individuals at 145.5 million, about two-and-a-half-million more than it had previously estimated. Former CEO, Richard Smith testified his regrets and apologies to Congress yesterday. He said, "To each and every person affected by this breach, I am deeply sorry that this occurred. Whether your personal identifying information was compromised, or you've had to deal with the uncertainty of determining whether or not your personal data may have been compromised, I sincerely apologize. The company failed to prevent sensitive information from falling into the hands of wrongdoers.”

Dave Bittner: [00:11:11:24] The SEC breach also got slightly worse, very slightly. The Commission now says it's determined that two individuals had their personal data exposed. They're being provided with identity protection.

Dave Bittner: [00:11:25:12] The US is said to have conducted a shot-across-the-bow DDoS attack against North Korea at the end of September. An Administration source told the Washington Post that US Cyber Command disrupted Pyongyang's principal intelligence service, the Reconnaissance General Bureau, with a Distributed Denial-of-Service attack that ran from September 22nd until this past Saturday, September 30th. Perhaps coincidentally, but probably not, a Russian telco has since given the DPRK more bandwidth. TransTelekom has run a big pipe from Vladivostok.

Dave Bittner: [00:12:04:15] Now I'd like to tell you about a new infographic from our sponsor, Delta Risk. Delta Risk is a National Cyber Security Awareness Month champion. As we kick off NCSAM, they put together a handy 31 day cybersecurity calendar full of tips to help the public protect themselves and their communities online. Throughout the month of October, Delta Risk will post additional infographics and blogs that address weekly NCSAM themes to educate and spread awareness around important cybersecurity topics. You can view the infographic by visiting deltarisk.com/31days-infographic. Delta Risk LLC, a Chertoff Group company, is a global provider of cybersecurity services to commercial and government clients. Learn more about Delta Risk by visiting deltarisk.com. And again, that link for the infographic is, deltarisk.com/31days-infographic. And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:13:08:20] Joining me, once again, is Ben Yelin. He's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. Interesting article came by via Engadget. This story broke that a US judge has said the victims of the Yahoo! Data breach have the right to sue. Tell us what's going on here?

Ben Yelin: [00:13:28:06] So this is about the doctrine of standing. In order to make it into court, to get to the merits of the case, a person has to suffer some sort of particularized injury, and that's the legal notion of standing. What Yahoo! Tried to argue is that the people whose data was breached, or were breached, did not have standing because they couldn't allege, with any sort of particularity, that they themselves were injured. What this judge said, and what I think was a pretty persuasive argument, is that not only did they suffer present injury, in that they had to purchase additional security measures to protect the integrity of their data, but they also will be suffering potential future injury due to the fact that they are going to have to take additional measures, beyond ones that they'd already taken, to make sure their data is not stolen again. This can include the cost of both financial resources and time resources, I mean, a person's time, and those count as particularized injuries under our standing doctrine.

Ben Yelin: [00:14:32:02] The key here, from a legal perspective, is that the speculative injury is not very attenuated. Famously, there was a case, Clapper v. Amnesty International, where individuals who suspected that the government was surveilling them electronically, tried to sue the government. And the Supreme Court said that they couldn't allege, with any particularity, that they themselves were getting injured and, even if they were, the injuries they alleged were not 100% likely to happen, were not even 90% likely to happen. They were too attenuated, they would involve too many hypotheticals. Here, the injuries aren't very attenuated. They're likely consequences of getting one's data breached. So, I think this was a very wise decision from the Federal judge.

Dave Bittner: [00:15:21:18] This got me thinking, and actually we were talking about this over on the Grumpy Old Geeks podcast, about how there's generally, a settled amount, in terms of insurance settlements and various government agencies, of what the value of a human life is. If a life is lost, there are some values that people have sort of settled on. I think right now it's around $9 million. I wonder if we're heading towards a time where a breach of your personal information has a set value placed on it?

Ben Yelin: [00:15:52:05] Yeah. I mean that's what's particularly interesting about this, is now because standing has been established, I think we'll be able to see what happens when this case reaches the merits. Yeah, I've wondered about that as well. Can you put a definitive monetary value on the value of somebody's data? And it's not just tangible value in terms of the hardware or the software, it's also intangible value in terms of what our devices and what data reveals about our personal lives. So, those can be hard to quantify, but those are also particularized injuries. So, yeah, I'm very curious to see how the court comes down on that issue.

Dave Bittner: [00:16:31:02] Alright, we'll keep an eye on it. Ben Yelin, thanks for joining us.

Dave Bittner: [00:16:36:10] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.

Dave Bittner: [00:16:48:21] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.