Dave Bittner: [00:00:03] Adidas discloses a data breach affecting customers who made purchases from its U.S. website. Facebook answers congressional questions for the record and adopts a Data Abuse Bounty Program. Investigation of the Exactis data exposure incident continues, but the class action lawsuits have already begun. Algonquin College discloses a hacking incident. Tenable will hold an IPO. The U.S.-Russian summit will take up election influence ops. And FireEye says North Korea is hacking Latin American banks.
Dave Bittner: [00:00:43] And now a word from our sponsor. Who's that sponsor? you say. Well, it's none other than the mysterious team behind the spectacularly successful fake security booth at RSA 2018. You remember. It was the one with no vendor name, no badge scanning and the charismatic snake oil salesman pitching his imaginary cybersecurity cures for all that's ailing businesses around the world. So who was behind that booth? Why did they do it? Who's really sponsoring our show today? Get the answers you've been dying to hear and hear the story behind the booth at fakesecurity.com/cyberwire. That's fakesecurity.com/cyberwire. And we thank whomever it is for sponsoring our show.
Dave Bittner: [00:01:38] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 2, 2018. Adidas laconically disclosed on their website late Thursday that, quote, "an unauthorized party claims to have acquired limited data associated with certain Adidas customers," end quote. The affected customers, whom Adidas is in the process of notifying, were ones who made purchases from its adidas.com/us site. The shoe and athletic apparel manufacturer says it became aware of the incident on June 26.
Dave Bittner: [00:02:16] The company says the data affected appear to include contact information, usernames and encrypted passwords but no credit cards. It's unclear how many customers are affected. If you're an Adidas online customer, security industry commentators are advising you to change your passwords. One possible sidelight - it's unknown if any of the affected parties are EU citizens. If they were, that would increase the German-based company's exposure to GDPR regulatory risk.
Dave Bittner: [00:02:48] Facebook has adopted a bounty system, the Data Abuse Bounty Program, in which it will pay third parties to find abuse of the data it handles. It paid $4,000 to a bounty hunter last week. Other companies are thought likely to follow suit. It's a form of crowdsourcing, analogous to the bug bounty programs that have become widely used in efforts to find and eliminate software flaws that pose security risks. Investigation of Facebook data abuse continues. The very long document Facebook delivered to the U.S. Congress Friday - 742 pages long - includes disclosures that Facebook continued to share user information with 61 app developers for some six months after it said it had shut down such access in 2015.
Dave Bittner: [00:03:36] The information shared covered users' friends. Those would be friends in the Facebook term of art meaning of the word, not in the ordinary acceptation of people one knows and with whom one enjoys a mutual liking. The friends data shared included name, gender, date of birth, city of residence or hometown, photographs and page likes. The disclosures submitted to the House Energy and Commerce Committee in response to questions for record suggests the high value such data have for marketing and other purposes and the difficulty companies like Facebook have containing it.
Dave Bittner: [00:04:13] Another company handling valuable data is Exactis, which was revealed last week to have suffered a data exposure incident. Investigation continues. The company is a data compiler, an aggregator that, according to MarketWatch, gets a great deal of its material from cookies. Exactis was discovered to have left nearly two terabytes of data exposed on the internet. The company secured the data after the exposure was discovered and reported to them by Night Lion Security founder Vinny Troia. Troia tweeted Friday that he's working with Exactis to determine whether anyone accessed the data. So far, what's known is that the data was exposed.
Dave Bittner: [00:04:52] The concerns to consumers lie mostly in the possibility of identity theft and of more plausible phishing campaigns that can be mounted with the considerable personal information held by Exactis. MarketWatch reports that Morgan and Morgan, a national law firm with headquarters in New York, has filed a class action lawsuit against Exactis in a Jacksonville, Fla., court. Morgan and Morgan's suit alleges that Exactis failed to take adequate steps to protect its data. The lawsuit seeks monetary damages and other relief for those whose data were exposed in the incident.
Dave Bittner: [00:05:29] Ontario's Algonquin College, with campuses in Ottawa, Perth and Pembroke, disclosed Friday that its servers had been hacked. In a statement, the college said, quote, "Algonquin College discovered the unauthorized and illegal access by hackers several weeks ago, and the college acted immediately to re-establish the security of the server," end quote. It will share information with staff, students, alumni and others affected as soon as it finishes sorting the incident out. The college thinks no one lost any financial information, but it's unclear on just what data was lost.
Dave Bittner: [00:06:05] In industry news, Tenable, the company known for its Nessus vulnerability scanner, has confirmed longstanding rumors by announcing its intention to take itself public. On Friday, the Maryland-based security firm filed a form S-1 with the U.S. Securities and Exchange Commission registering its intent to hold an initial public offering. The company intends to trade its shares on the Nasdaq under the symbol TENB.
Dave Bittner: [00:06:33] ZTE, its future still very much in doubt, has replaced its board as part of its ongoing effort to mollify U.S. regulators and legislators. Many observers remark that this change is more cosmetic than consequential. And in any case, the U.S. Congress, at least, seems very much unmollified. The House passed its version of the 2019 Defense Appropriations Bill with clauses that would effectively ban ZTE and Huawei products from the government market.
Dave Bittner: [00:07:02] U.S. National Security Adviser John Bolton said yesterday that Russian attempts to meddle in U.S. elections would be among the topics taken up during this month's summit between Presidents Trump and Putin. This was among the topics discussed during pre-summit meetings last week. According to Mr. Bolton, Mr. Putin said, quote, "there was no meddling in 2016 by the Russian state," end quote. But Bolton suggested that this amounts to a nondenial denial. As Reuters put it, that's different from saying, there was no meddling at all.
Dave Bittner: [00:07:34] It's especially worth considering in this context President Putin's musings last month that patriotic Russian hackers may have acted against nations unfriendly to Russia and that such patriotic zeal may have strained relations between such countries and Russia. Few observers believe that Russian freelance hacktivists can or do operate free of state direction any more than the volunteers and green men fighting in Ukraine and Syria have nothing really to do with the Russian army, thus a nondenial denial.
Dave Bittner: [00:08:07] And finally, FireEye CEO Kevin Mandia has offered an assessment of current North Korean cyberactivity. They're intensely focused on bank robbery and are paying particular attention to financial institutions in Latin America. As he put it, Pyongyang is hacking the hell out of Latin American banks. Some of the more prominent recent victims have been Chile and Mexico.
Dave Bittner: [00:08:36] I'd like to take a minute to tell you about an exciting CyberWire event, the fifth annual Women in Cyber Security Reception, taking place October 18 at the International Spy Museum's new facility in Washington, D.C. The Women in Cyber Security Reception highlights and celebrates the value and successes of women in the cybersecurity industry. The focus of the event is networking. And it brings together leaders from the private sector, academia and government from across the region and women at varying points on the career spectrum. The reception also provides a forum for women seeking cybersecurity careers to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event. It's just about creating connections.
Dave Bittner: [00:09:22] We're grateful to our sponsors - Northrop Grumman, CenturyLink, Cylance, Accenture, Cooley, T. Rowe Price, VMWare, Delta Risk, SecureStrux and Edwards Performance Systems. If your company is interested in supporting this important event, we still have some great sponsorship opportunities available. We're also partnering with Maryland Art Place to have a special work of art created for the event that attendees can take home with them. As it's been in previous years, this event is invitation-only. We do it this way to ensure a mix of women with diverse backgrounds and at different career levels. If you are interested in getting an invitation to this year's event, tell us a little bit about yourself and request one at our website, thecyberwire.com/wcs. That's thecyberwire.com/wcs. We look forward to hearing from you. We hope to see you there.
Dave Bittner: [00:10:24] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, and he is also my co-host on the Hacking Humans podcast.
Joe Carrigan: [00:10:33] (Laughter).
Dave Bittner: [00:10:33] Joe, welcome back.
Joe Carrigan: [00:10:34] Hi, Dave.
Dave Bittner: [00:10:35] We got an interesting article that came by. This is from Nextgov, a website. And it says that only 15 percent of cyber researchers think the U.S. can defend against a critical infrastructure cyberattack according to a recent survey. What's going on here, Joe?
Joe Carrigan: [00:10:50] This is a survey they've distributed to cybersecurity professionals. They asked them a bunch of questions. And 15 percent of these people are wrong...
Dave Bittner: [00:11:01] (Laughter).
Joe Carrigan: [00:11:01] ...In my opinion. No.
Dave Bittner: [00:11:02] (Laughter) Oh, I see what you're saying.
Joe Carrigan: [00:11:04] They have their own opinions, of course.
Dave Bittner: [00:11:05] Right.
Joe Carrigan: [00:11:06] My favorite thing was that only 13 percent of the researchers believe that Congress and the White House understand the cyber threats and will take steps to further defenses, is the quote from the article.
Dave Bittner: [00:11:15] Yeah. I can't imagine all those octogenarians...
Joe Carrigan: [00:11:19] Right.
Dave Bittner: [00:11:19] ...Not understanding...
Joe Carrigan: [00:11:20] Yeah, all those people who've made careers in politics and law...
Dave Bittner: [00:11:23] Right.
Joe Carrigan: [00:11:24] ...That we've elected to office who have never - or who were - as you point out, were - grew up in a time where computers weren't really a thing. And furthermore, they'd never really made it their expertise to begin with.
Dave Bittner: [00:11:35] Yeah.
Joe Carrigan: [00:11:37] Yeah. How are these guys going to protect us on this?
Dave Bittner: [00:11:40] Yeah. It's interesting. I mean, this was from the Black Hat folks. They got 315 information security professionals. These are folks who had been to Black Hat or are planning to go to Black Hat. So these are professionals, you know. And there were a couple of other interesting things from this report. They said that 52 percent believed that Russian cyber initiatives made a significant impact on the outcome of the 2016 U.S. presidential election, so about half.
Joe Carrigan: [00:12:06] Right, about half.
Dave Bittner: [00:12:07] That's interesting. It's interesting to me that half don't believe that. I mean...
Joe Carrigan: [00:12:12] Yeah, I don't know where I fall on that.
Dave Bittner: [00:12:13] Yeah.
Joe Carrigan: [00:12:13] I mean, I think there was definitely information operations going on.
Dave Bittner: [00:12:17] Right.
Joe Carrigan: [00:12:17] But I don't know how I would quantify how well that affected the election.
Dave Bittner: [00:12:24] Yeah.
Joe Carrigan: [00:12:25] So that's why I would say I could not answer in the affirmative on this only because I don't have any data that quantifies it for me.
Dave Bittner: [00:12:32] You're still waiting for more...
Joe Carrigan: [00:12:34] Yes.
Dave Bittner: [00:12:34] ...Information to arrive.
Joe Carrigan: [00:12:35] Exactly.
Dave Bittner: [00:12:35] All right, fair enough. Sixteen percent approve of President Donald Trump's performance so far while 53 percent disapprove. This was not limited to cyber issues.
Joe Carrigan: [00:12:45] OK.
Dave Bittner: [00:12:45] So that's an interesting contrast against that last number there.
Joe Carrigan: [00:12:48] He did get rid of his cyber security adviser.
Dave Bittner: [00:12:51] Right - but came out of the gate with a strong statement on cyber. So we thought he was going to be all over this.
Joe Carrigan: [00:12:57] And he's issued executive orders since then.
Dave Bittner: [00:13:00] Right. Right. Now here's an interesting one. Forty-seven percent agree with the statement, the shortage of women and minorities in the information security profession is a concern to me, while 22 percent disagree and 31 percent are neutral. So about half...
Joe Carrigan: [00:13:16] Yeah.
Dave Bittner: [00:13:16] ...Think that we need to do a better job of this.
Joe Carrigan: [00:13:18] Right. And this is something that is, for me, kind of personal. I mean, my daughter is an engineer right now. And I don't know what the solution to this is.
Dave Bittner: [00:13:30] Right.
Joe Carrigan: [00:13:31] We need to start raising engineers.
Dave Bittner: [00:13:33] And you certainly, obviously, want to have as many opportunities available to her - you don't want any doors closed on her just because of...
Joe Carrigan: [00:13:39] Right. No, absolutely not.
Dave Bittner: [00:13:40] ...Because she's a woman in the field.
Joe Carrigan: [00:13:43] Yeah. I want the most opportunities for her. But I don't know that she's at a disadvantage now that she has an engineering degree. I think where girls are at a disadvantage is a lot earlier in life. And I think that's why we need to start raising our girls thinking of the opportunities that they're going to have down the road.
Dave Bittner: [00:14:00] Right, so that they even consider those positions.
Joe Carrigan: [00:14:02] Exactly, so that they consider it and that - not only consider it, but desire it and view it as something they want to go into.
Dave Bittner: [00:14:08] Yeah. I mean, study after study says that the more diversity of thought you have, the better you're going to be at problem solving. So...
Joe Carrigan: [00:14:14] Yeah, that's true.
Dave Bittner: [00:14:15] The data is there.
Joe Carrigan: [00:14:16] Yep.
Dave Bittner: [00:14:17] All right. Joe Carrigan, as always, thanks for joining us.
Joe Carrigan: [00:14:19] My pleasure, Dave.
Dave Bittner: [00:14:24] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMWare, creators of Workspace ONE intelligence. Learn more at vmware.com.
Dave Bittner: [00:14:53] Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called "Security, Ha." I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:15:21] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.