The CyberWire Daily Podcast 4.5.18
Ep 571 | 4.5.18

Facebook agonistes. Really agonizing. Ad-supported apps like them some data. Sino-US trade tensions and Chinese cyber espionage. Russian wet work and disinformation. Western reprisals.

Transcript

Dave Bittner: [00:00:04:02] Facebook's troubles get worse: more people's data were scraped, deleted videos were archived by Facebook, and so on. Appthority finds a more general problem with ad-supported apps: they're all hungry for data. Sino-American trade disputes are thought likely to find expression in cyber espionage. China's more interested in confidential financials than in IP. Russia and the West remain at loggerheads. One tip from Sweden on countering Moscow's info ops, don't get caught dancing in yellow rain boots.

Dave Bittner: [00:00:41:04] It's time to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. If you're heading to RSA this year, stop by ThreatConnect's North Expo booth 3225 for a live demo of the ThreatConnect platform and, of course, pick up one of ThreatConnect's famous t-shirts. And if you're not headed to San Francisco, well, you can register for a free ThreatConnect account or learn more by visiting threatconnect.com/free. That's threatconnect.com/free to learn more. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:57:01] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Thursday, April 5th, 2018.

Dave Bittner: [00:02:09:03] Facebook's bad patch became, yesterday, even more horrible, if that can be imagined. The company acknowledged that, after further review, it thinks it may have exposed 87 million users to Cambridge Analytica's data scraping.

Dave Bittner: [00:02:22:23] Worse yet, various apps over recent years appear to have scraped the data of about 2 billion users, as close to everybody as makes little difference. It's worth noting again, as people have observed since the data scandal began, that such scraping doesn't represent hacking or exploitation. Rather it's unwelcomely creative use of a number of the platform's features and its users' disposition to grant too many permissions as they decline to pay attention to an unnecessarily complicated set of privacy and security settings.

Dave Bittner: [00:02:55:23] Facebook says it disabled one of the principal features various apps took advantage of to pull in user data. This was the search functionality that enabled users to look for people by entering their email address or phone number. They've also revoked the ability of other third-party applications, like the widely used social media management platform Edgar, to post to, for example, Facebook Groups.

Dave Bittner: [00:03:18:23] There's also a lot more Facebook is saving in user archives than most users suspected. After the Cambridge Analytica matter broke, many Facebook users downloaded their Facebook data archive. Why would one do that, we ask parenthetically? Here's why: many users did so because they were considering killing their accounts entirely and wanted to retain material they'd posted to the platform. Looking at the archive, people were surprised to find that Facebook had retained a lot of information they thought it shouldn't have, like deleted videos. And, in fact, every video you ever made on the platform, whether you ever posted it or not. This discovery has been embarrassing to Facebook, which blames it on a bug, an oversight, and says it will do better.

Dave Bittner: [00:04:02:10] The optics have been very bad indeed for Facebook. CEO Mark Zuckerberg can be expected to have an interesting time next Wednesday when he testifies before a US House panel looking into data privacy issues.

Dave Bittner: [00:04:17:02] It's only fair to say that this sort of problem isn't confined to Facebook. Mobile security company Appthority studied iOS apps in corporate environments and found more than twenty-four-thousand advertising-supported apps are hiding their strong appetite for user data more or less in plain sight, cloaked in EULAs and complexities.

Dave Bittner: [00:04:38:08] As connected cars continue to be a larger part of our automotive fleet, eventually leading to self-driving cars and perhaps even driverless delivery vehicles, they've naturally drawn the attention of the insurance industry. Larry Cochran is CEO of a software-as-a-service company called Claimatic that helps companies automate insurance claims. He joins us with his thoughts on where automation and advanced technology are leading the insurance industry.

Larry Cochran: [00:05:04:14] Advanced Driver Assisted Systems include adaptive cruise control where, you know, the automobile can determine whether you need to slow down or that the car can actually slow itself down as it's approaching traffic, can do emergency braking, you know, recognizing before the driver that the brakes need to be applied and actually doing that. Cameras in vehicles that can notice when a driver is getting drowsy and actually waking the driver up, or if necessary applying brakes, and then telematics, which provides, you know, constant monitoring of the vehicle in situations, for instance, if the vehicle has an impact, and being able to transmit that information to any number of parties that can track that information.

Larry Cochran: [00:05:55:14] So with this first stage, the figures are that as much as 40% fewer accidents in the next few years will result because of ADAS, and so it's potentially a very big impact. The impact on the insurance industry, which I'm a part of, it is a little bit harder to determine, you know, the potential financial impacts, because with all of these new technologies also comes a lot of extra cost, and therefore the repairs to vehicles with all of these technologies are much more severe.

Dave Bittner: [00:06:36:02] What about the potential for shifting liability, in other words if my car is making decisions, rather than me making decisions, does that open up the possibility that liability could shift to the manufacturer for making a bad choice?

Larry Cochran: [00:06:51:10] Absolutely, yes, and, and that is going to be probably the biggest shift in the, the landscape of insurance that's probably happened since the invention of the automobile. Now if one of the systems fails and a customer, consumer, has been, you know, reasonably relying on that system, then there's a good chance of exposure to the OEM, the manufacturer of the device, the vehicle, and so therefore there will be a transformation of risk being transferred from the traditional personal lines insurance carrier to the OEMs.

Larry Cochran: [00:07:33:17] There's a lot of opportunity here, and most companies, whether they're insurance companies or other companies involved in providing tools, they all should be looked at in terms of redirecting high-volume routine tasks that have clear decision points and pathways over to automation, and redirecting the personnel that are currently involved in doing these repetitive rote types of tasks, to employing them more and redirecting them more towards helping with the consumer or customer journey, and I think that's where the big opportunity is.

Dave Bittner: [00:08:09:23] That's Larry Cochran, he's the CEO at Claimatic.

Dave Bittner: [00:08:16:06] As the US and China squabble over tariffs, with China complaining of protectionism and the US charging China with aggressive IP theft and unfair trade practices, US officials brace for a round of renewed Chinese cyber espionage. In the ongoing round of hacking, it's not so much intellectual property the Chinese operators are after as it is business and financial information on US companies. Security firm FireEye reports that the cyber espionage is particularly directed at getting bid prices, contract details and information relevant to mergers and acquisitions. Some observers note that this seems to represent a kind of formal compliance with the letter, if not the spirit, of the non-hacking agreement China concluded with the previous administration. We're unlikely to see this kind of activity abate any time in the near future.

Dave Bittner: [00:09:08:11] Russia's brassy attempt to have its charges of provocation by Novichok validated by the Organization for the Prohibition of Chemical Weapons (the OPCW) has failed, voted down 15 to 6, with 17 abstentions.

Dave Bittner: [00:09:23:08] Moscow has suggested that the attempt to kill former GRU officer Sergei Skripal and his daughter Yulia with a highly unusual and little-known binary nerve agent was actually a British provocation. Or maybe an American provocation. Or probably aided and abetted by the Czechs. All of these countries have denied, of course, any such involvement, and essentially no one believes the accusation, especially not the Russian organs. But Russia sought a resolution in The Hague from the OPCW that would pressure the British government to bring Russia into the investigation of the attack as a full partner. It failed in this, and, as we noted, really no one thinks anyone but Russian espionage services were involved. The list of countries voting with Russia is interesting. They're either subordinates to Russia or powers who have an independent interest in embarrassing the UK. Lining up with Moscow's bid to demand the UK conduct a "joint investigation" of the Salisbury nerve agent attack were China, Azerbaijan, Algeria and Iran. We'd wager a month's pay they don't believe it either.

Dave Bittner: [00:10:30:09] British investigators say they've identified, with high confidence, the lab in Russia where the Novichok agent was produced. Since "high confidence" doesn't mean "mathematical certainty," some of the few who actually appear to swallow the Russian line say they doubt the wet work was really Russian. Among them is UK Labour Party leader Jeremy Corbyn. We understand the itch to use any convenient stick to whack an opposing political party - not that we approve, necessarily, but at least we understand it, because we've seen the House Intelligence Committee - but this appears to argue an odd streak of Russophilia sitting beneath Mr. Corbyn's Lenin cap. Has no one told him Russia really hasn't been communist since Gorbachev dissolved the Central Committee in August of 1991?

Dave Bittner: [00:11:17:18] In any case the UK and Russia are headed for a showdown at the UN. Russia categorically denies ever having produced the Novichok agent.

Dave Bittner: [00:11:26:16] So tensions remain high with strong expectations that they'll find expression in cyberspace.

Dave Bittner: [00:11:33:07] The US is said to be preparing sanctions against at least six Russian billionaire oligarchs with close ties to President Putin. Two of the targets are said, by anonymous sources in the Administration talking to Radio Free Europe/Radio Liberty, to be Aleksei Miller, CEO of natural gas giant Gazprom, and Igor Sechin, CEO of the country's dominant (and state-controlled) oil company Rosneft. Sanctions could be announced as early as this afternoon or tomorrow.

Dave Bittner: [00:12:04:00] Outgoing US National Security Advisor McMaster's valediction was an unusually direct and forceful condemnation of Russian behavior and a call to impose costs on that country's government. More significantly, Director of National Intelligence Coats yesterday said that the US Government was seriously considering a retaliatory cyber offensive against Russia. Previous policy statements had concentrated, publicly, on defensive measures. The principal offenses being mentioned in these discussions of possible retaliation are attempts to influence US elections and cyber reconnaissance that amounts to battlespace preparation of the US power grid.

Dave Bittner: [00:12:42:22] So what can be done to counter Russian information operations? It's got an oddly paradoxical quality, simultaneously asserting "We didn't do it, you did," and "But look at what we can do." We'd call it "dialectical," but then the Russians haven't been dialectical materialists since August 1991.

Dave Bittner: [00:13:03:04] Sweden actually has long experience with this, mostly deriving from its long-running attempts to keep Soviet and, later, Russian submarines out of its Baltic territorial waters. Whenever they caught one, Russian authorities would piously deny it, calling the whole business either fabricated for purposes of provocation or made up by mentally disturbed figures who happened to hold Swedish office. Former Swedish defense chief retired General Sverker Göranson advises not answering the disinformation directly, but rather presenting evidence of your own claims. He also advises having more than one official present your case.

Dave Bittner: [00:13:41:10] He commented to Defense One: "Russian media found a video snippet of me in yellow rain boots dancing to an ABBA song that they showed over and over. Their message to the Swedish public was 'the person in charge of your country is a clown whom you can't trust.' They were ridiculing those in charge at all levels." So have more than one person talking and stay away from the yellow boots.

Dave Bittner: [00:14:11:12] Now I'd like to share some words about our sponsor Akamai. You've heard of the zero trust security model; well, Akamai is the expert in deploying zero trust architectures to address the evolving security threats you face every day. That's because they're the cloud experts. Akamai's approach to security was built for the cloud because it was born in the cloud. In the age of zero trust networks the enterprise network is no longer the perimeter; the entire cloud is the perimeter, with no inside or outside, and the threats can come from anywhere and anyone at any time. Akamai's zero trust security model accelerates secure digital transformation, protecting your business and enabling growth. Visit akamai.com/zerotrust to learn more. That's akamai.com/zerotrust.

Dave Bittner: [00:15:01:23] And if you're going to RSA this year, stop by and say hi to me and the CyberWire team at the Akamai booth, North Hall Booth 3625. We hope to see you there, and we thank Akamai for sponsoring our show.

Dave Bittner: [00:15:22:09] And joining me once again is Joe Carrigan. He's from The Johns Hopkins University Information Security Institute. Joe welcome back!

Joe Carrigan: [00:15:28:22] Thanks Dave.

Dave Bittner: [00:15:29:14] So I saw an interesting article come by on Ars Technica, and this was about the New York State Public Service Commission. Those are the people who run the power companies in New York.

Joe Carrigan: [00:15:38:15] Right.

Dave Bittner: [00:15:39:01] They have decided that they can charge bitcoin mining companies more for electricity than other folks.

Joe Carrigan: [00:15:47:18] So the commission has said it's okay for power companies.

Dave Bittner: [00:15:50:14] Correct.

Joe Carrigan: [00:15:51:04] To charge more, yes.

Dave Bittner: [00:15:52:13] Yes. Interesting.

Joe Carrigan: [00:15:54:05] It is interesting. This is not uncommon in the power world; they will charge industrial users of power more money for electricity during the day. In fact, I remember a show I was watching on Discovery Channel about metal recyclers who ran an arc furnace, which uses an ungodly amount of power, but they would work solely at night because that's when the power company would cut them a break on their rates.

Dave Bittner: [00:16:18:11] Right, right. So off peak time you get the power for cheaper. One of the interesting things in this article was that evidently in New York a lot of the electricity is hydroelectric.

Joe Carrigan: [00:16:28:11] Right.

Dave Bittner: [00:16:29:05] And so the communities look at this hydroelectric power as a local limited resource.

Joe Carrigan: [00:16:36:00] And it is a limited resource.

Dave Bittner: [00:16:37:16] So when you exceed your hydroelectric capacity you have to bring in extra capacity.

Joe Carrigan: [00:16:41:21] You have to go out and buy power from the rest of the grid.

Dave Bittner: [00:16:43:24] Right.

Joe Carrigan: [00:16:44:13] Presumably at a much higher cost.

Dave Bittner: [00:16:46:07] And that's why electricity is cheap, comparatively cheap, in these areas, so these bitcoin folks look all over the nation and decide where's electricity cheap.

Joe Carrigan: [00:16:55:17] Right.

Dave Bittner: [00:16:56:00] They go to New York where it's cheap, and now they're chewing up all the hydroelectric power, and everybody ends up paying more for electricity.

Joe Carrigan: [00:17:02:22] Right, because they have to buy more power. So the people of the area are subsidizing these bitcoin miners. So it's not an uncommon practice to charge people more money for their electrical usage, particularly if you're using more. I don't know how you're going to determine that organization A is a bitcoin miner and organization B is not a bitcoin miner.

Joe Carrigan: [00:17:22:24] Or if somebody's mining bitcoin personally, you know, without having a large amount, are you going to charge them more too? It seems like it's a very convoluted situation, maybe they just go with how much you use and charge you more based on how much you use.

Dave Bittner: [00:17:37:17] Yeah, there was another interesting point in this article, which was that one of their determining factors was that they said the cryptocurrency mining results in few local jobs.

Joe Carrigan: [00:17:47:00] Oh, almost no local jobs.

Dave Bittner: [00:17:48:10] Yeah.

Joe Carrigan: [00:17:49:05] I mean because it's all automated.

Dave Bittner: [00:17:51:08] Right, right. So there's not really a public good in the use of this local resource, again the hydroelectric power. And another interesting thing they pointed out is a precedent. They say in Boulder, Colorado, marijuana growers are charged an extra, about 2 cents per kilowatt-hour, because of all the power they use for the grow lights, inhalation systems and air conditioners and so on.

Joe Carrigan: [00:18:12:04] And again we're seeing there's a lot of precedent for this. This is not uncommon, for certain industries to be charged more for power because they're big users of power.

Dave Bittner: [00:18:20:22] Yeah. All right, interesting stuff, using the free market at work to incentivize people to either come or go away.

Joe Carrigan: [00:18:28:15] [LAUGHS] Right.

Dave Bittner: [00:18:30:00] All right, Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:18:31:21] It was my pleasure.

Dave Bittner: [00:18:36:21] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:18:59:01] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.

Dave Bittner: [00:19:20:02] Now where did I put my yellow boots?