The CyberWire Daily Podcast 3.8.19
Ep 796 | 3.8.19

Chinese influence campaigns. Egyptian spear phishing. Hundreds of million email records exposed.

Transcript

Dave Bittner: [00:00:00:00] Chinese information operations on US social media are widespread. The Egyptian Government launches spear phishing attacks against activists. Hundreds of millions of email records were found online. Chelsea Manning is back in jail. The US is retaliating for Chinese cyber espionage and Facebook wants to change its image.

Dave Bittner: [00:00:24:08] Now I'd like to share some words about our sponsor, Akamai. You're familiar with Cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge, before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero-day vulnerabilities. With 24/7 365 security operation center support around the globe and over 300 security experts in-house, Akamai surrounds and protects your users wherever they are, at the core, in the Cloud, or at the edge. Akamai intelligent security starts at the edge.

Dave Bittner: [00:01:08:17] Learn more at akamai.com/security. And we thank Akamai for sponsoring our show.

Dave Bittner: [00:01:21:10] From the CyberWire studios at DataTribe, I'm Dave Bittner, with your CyberWire summary for Friday, March 8th, 2019.

Dave Bittner: [00:01:30:02] Research from Recorded Future presents details on China's social media influence operations targeted at the West. The operations differ from Russia's influence campaigns, based on the country's different national goals. Russia's operations are primarily disruptive and destabilizing while China's are largely positive and coordinated.

Dave Bittner: [00:01:51:19] Chinese information operations are meant to present an overwhelmingly positive, benign and cooperative image of China to western users.

Dave Bittner: [00:02:00:20] These campaigns don't show a large scale interest in swaying foreign elections. Rather, they focus on changing opinions about policies that are disadvantageous to China's goals, with much of their recent messaging concerning the trade war between China and the United States.

Dave Bittner: [00:02:17:17] The researchers found that just two state-run Chinese influence accounts on Instagram, quote, "reached a level of audience engagement roughly one sixth as large as the entire Russian IRA associated campaign, targeting the United States on Instagram." End quote. The influence accounts also used paid advertisements on a number of American social media platforms.

Dave Bittner: [00:02:40:11] While China's strategy is more pleasant than Russia's combative and divisive attacks, Recorded Future stresses that these influence operations are not benign in nature. Instead they say, quote, "The Chinese state has employed a plethora of state-run media to exploit the openness of American democratic society and insert an intentionally distorted and biased narrative for hostile political purposes." End quote. They also note that the propaganda techniques China uses in western circles are very different from those it employs domestically which involve extensive censorship, content filtering and astroturfing.

Dave Bittner: [00:03:19:07] Amnesty International says the Egyptian Government is responsible for a wave of spear phishing attacks that targeted activists within the country, ZDNet notes. State-sponsored attackers created third party apps to launch OAuth phishing attacks against victims' Gmail accounts. OAuth phishing is a newer form of phishing, in which attackers steal authorization tokens instead of passwords.

Dave Bittner: [00:03:43:17] A number of the targets were notified by Google that government-backed attackers were targeting their accounts. They also targeted Yahoo, Outlook and Hotmail users. The list of targeted individuals had significant overlaps with those targeted in a 2017 phishing campaign, which was also linked to Egyptian state-sponsored actors.

Dave Bittner: [00:04:05:12] Chelsea Manning was jailed today after refusing to answer questions before a secret grand jury. The former Army intelligence analyst and WikiLeaks source had been subpoenaed to testify for a grand jury investigation into Julian Assange. She'll remain in custody until she decides to testify or until the grand jury concludes its work which could take up to 18 months.

Dave Bittner: [00:04:30:06] The Washington Times reports that the United States has begun conducting counter-cyberattacks against China, in retaliation for Chinese cyberespionage. The US hacks will likely target trade secrets related to Chinese hypersonic technology since this is an area of research where the US is thought to lag behind China.

Dave Bittner: [00:04:51:05] Security Researcher Bob Diachenko found more than 808 million email records in an Internet-connected MongoDB instance without a password. Millions of the records included personally identifiable information as well. This dataset is different from the Collection series of data dumps discovered in January. Diachenko initially thought that the data belonged to a large spam organization, which turned out to be at least partially true.

Dave Bittner: [00:05:17:18] The database belonged to a self-described email marketing firm that specializes in bypassing spam traps. The company offers an email validation service, which checks if an email address is active by sending a test email. The researchers notified the company and received a polite response. The company said the database had been secured and, shortly afterwards, the company's website was taken offline.

Dave Bittner: [00:05:45:13] Google has disclosed more information on the Chrome zero-day vulnerability it patched in its latest update. The flaw was apparently being used in tandem with another zero-day bug in Windows 7 which is currently unpatched. Microsoft is working on a fix but Google urges users to just go ahead and upgrade to Windows 10.

Dave Bittner: [00:06:07:14] And finally, Facebook wants to change its image by shifting its focus to encrypted messaging services where people can communicate in small private groups. In a long blog post on Wednesday, Mark Zuckerberg admitted that Facebook, quote, "doesn't currently have a strong reputation for building privacy protective services," end quote, but says that the company is good at adapting to what people want.

Dave Bittner: [00:06:33:19] Most observers are highly skeptical that the end result will be as good as Zuckerberg says. The Verge says that we should take the announcement with a whole shaker's worth of salt, since Zuckerberg has made similar statements in the past that never came to fruition. Others wonder how Facebook will make a profit off this type of business model since it ideally wouldn't be able to use targeted advertising. There are also potential downsides to Zuckerberg's proposed model, since the company wouldn't be able to moderate the content on its platform.

Dave Bittner: [00:07:10:14] Now a moment to tell you about our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in, it's the people you trust, the ones who already have the keys: your employees, contractors and privileged users. In fact, a whopping 60% of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to.

Dave Bittner: [00:07:34:23] See, most security tools only analyze computer network or system data but to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Wanna see it in action for yourself? Try ObserveIT for free. No installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:08:18:09] I'm pleased to be joined, once again, by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, always great to have you back. This was a story that came by from the National Law Review and it's titled, Pennsylvania Supreme Court recognizes common law duty to safeguard employees' personal data. What's going on here?

Ben Yelin: [00:08:39:18] Yes, this is a fascinating case. It's called Dittman v UPMC, which is the University of Pittsburgh Medical Center. Some personal information was stolen from the database at the center, that this medical center had maintained. Information from 62,000 employees, that's a lot of people and very personal information. Social security, birth date, tax information, bank card information, etc.

Ben Yelin: [00:09:05:21] Some employees or former employees of UPMC sued the hospital, saying that they had a reasonable duty of care, under Common Law, to safeguard that information and what that means is that, if they did not use reasonable care, if they did not use, you know, the most advanced practices in protecting digital information, they would be liable in tort for some sort of damages and that's exactly what happened here. So the court found that the hospital was negligent.

Ben Yelin: [00:09:36:15] Negligence is a Common Law tort and the standard for negligence, as it has been since basically our Common Law system has evolved from our greatest ancestors, is whether the defendant used ordinary, reasonable care. What this decision does is it defines ordinary, reasonable care or the standard of reasonable care in the context of data security and says that by exposing this information to breach, by not using the best practices in terms of safeguarding personal information, that organization or the defendant in this case is not acting according to the standard of reasonable care.

Ben Yelin: [00:10:22:00] As a result, these individuals suffered some economic losses. I think the article says that somebody used the stolen information to start false bank accounts in the names of some of the plaintiffs and, therefore, the hospital, the medical system is going to have to compensate those victims.

Ben Yelin: [00:10:41:24] What's interesting about this case is that it is applying this old Common Law doctrine to the modern circumstance of data privacy and, because it's the first decision of its kind across the country, even though this is only binding on the State of Pennsylvania institutions, this is going to be instructional for other courts, as they deal with whether to apply that Common Law duty of reasonable care to private actors, who have been entrusted with safeguarding information.

Ben Yelin: [00:11:11:12] So this, at least right now, is the North Star case, the groundbreaking case and I think this is something that other State courts and Federal courts are going to look into when similar cases present themselves.

Dave Bittner: [00:11:24:16] Now, the situation here is, this allows folks to go after them from a civil point of view, going after money? There's no criminal element here?

Ben Yelin: [00:11:33:03] No, there's no criminal element, this is just about civil damages. Obviously, this could be a big financial hit for the medical center, the medical institution, to be potentially liable to a class of 62,000 employees for what is a significant economic loss. That includes, you know, all different types of economic damages. That's going to be a major liability for that medical system.

Ben Yelin: [00:11:59:13] Now, theoretically what that means is, just as hospitals have to take measures to protect themselves against other types of Common Law lawsuits, for example medical malpractice, they're going to have to take proactive measures to protect the integrity of their data. Now that they know that they are potentially liable for data breaches, even if they're not the ones, you know, stealing the private information, that means there's going to be an added cost on the front end for the medical system to protect that data.

Ben Yelin: [00:12:34:24] What we've seen in other torts cases is that turns into a bit of a consumer tax. In the long run, you know, because the hospital will have to use more of its resources to secure that data, you know, that's gonna add to their overhead costs of doing business and eventually that filters down to the patients or, more likely, to the insurance companies.

Ben Yelin: [00:12:57:02] But that's something that's existed forever in the world of torts, now it's just being applied in a new manner, reflecting the digital age.

Dave Bittner: [00:13:05:04] Yes. Alright, Ben Yelin, thanks for joining us.

Ben Yelin: [00:13:09:01] Thank you.

Dave Bittner: [00:13:14:02] Now I'd like to share some words about our sponsor Cylance. AI stands for Artificial Intelligence, of course, but nowadays, it also means All Image, or Anthropomorphized Incredibly. There's a serious reality under the hype but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms and, like all tools, it can be used for good or evil.

Dave Bittner: [00:13:25:11] If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report, Security using AI for Evil. That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire and we thank Cylance for sponsoring our show.

Dave Bittner: [00:14:13:04] My guest today is Scott Shackelford. He's Chair of the Indiana University Bloomington Cybersecurity Program and Director of the Ostrom Workshop Program on Cybersecurity and Internet Governance. He joins us to discuss Indiana University's participation in the Paris Call for Trust and Security in Cyberspace which was presented late last year by French President Emmanuel Macron at the Paris Peace Forum.

Scott Shackelford: [00:14:39:00] So the Paris Call for Trust and Security in Cyberspace was a declaration, so it's kind of a Statement of Principle that was put out during the Internet Governance Forum that was hosted by the French Government this year at UNESCO in Paris, because of its long leadership, again, of France and the process of building international peace and security around the world.

Scott Shackelford: [00:15:00:02] Because the French Government wanted to show widespread support for nine particular objectives in the Paris Call, that's why they enlisted various other governments, including the Five Eyes, including NATO, with some notable exceptions which we can talk more about, as well as companies, civil society and academia. And there are nine kind of core objectives, as I mentioned, as part of this Paris Call that are kind of worth just briefly mentioning before we dive in further; because they include a huge range of things.

Scott Shackelford: [00:15:27:15] So how we think about peace and security and stability in cyberspace, obviously very broad and includes elements like critical infrastructure protection, like the public core of the Internet, undermining electoral processes so there's a big part of making democracy harder to hack kind of built into this agreement which is kind of interesting, especially when you see all the various groups that have signed on to it as well as agreements to deal with cyber arms control and to prevent the proliferation of malicious cyber weapons as well as kind of more basic calls for cyber hygiene across the board as an effort to kind of build due diligence.

Scott Shackelford: [00:16:04:00] Again, kind of lots of low hanging fruit options but it is notable the extent to which they've been able to line up support behind these kind of core principles.

Dave Bittner: [00:16:11:15] And what part does an organization like Indiana University have to play in this?

Scott Shackelford: [00:16:17:02] I think there's a couple of useful functions that universities can play as part of this. One is just helping to define the field and set the table. I mean, to this point, the folks interested in, you know, cyber peace or digital peace is a relatively small community and that's in part made up of peace building scholars from various disciplines so looking at the resolution of conflicts, for example, in regional hot spots, Africa and otherwise as well as those that approach it from a much more technological perspective. So rarely has there been kind of a meeting of the minds or an opportunity to kind of share best practices across these disciplines.

Scott Shackelford: [00:16:51:19] So then first and foremost, universities can be helpful in just bringing together all of these different disciplines and starting to figure out what is the best that we can hope for, in terms of peace on the Internet and then we can think more about, you know, how can we get there more realistically? So I think it's part of a gathering function that's really helpful and universities are also, I think, really helpful to have as part of this process because, you know, we're training the next generation of cybersecurity professionals right now, that are gonna go out there and be at the front lines of how this process unfolds in the 21st century so having not only faculty, but having the students involved, I think, is just essential. That's one thing we're trying to do here through a new cybersecurity clinic that we've created.

Dave Bittner: [00:17:33:04] Do you have any sense for what kind of timeline this effort is on?

Scott Shackelford: [00:17:37:11] It's an ongoing process. The first Paris Peace Forum, obviously, was this past November. There is a follow-up that's going to be scheduled for the following year so we're going to be expecting an update this coming November. Before then, I've been told that the French Government, probably, is going to announce an expanded list of supporters but the exact timing of when that's going to actually happen is still a bit unknown.

Scott Shackelford: [00:18:01:09] The Paris Call is also probably going to get a little bit of traction and some discussion at major forums that are going to be going on throughout 2019. It's going to be kind of an ongoing process of kind of socializing the concept, figuring out, you know, who is supportive and those that have already declared their support, trying to deepen those ties and build, you know, alliances between these like-minded stakeholders around the world.

Dave Bittner: [00:18:26:16] And where do we stand in terms of participation from the US Government?

Scott Shackelford: [00:18:30:11] So far, as you and your listeners might already be aware, the US Government has not signed up to the Paris Peace Forum and the Paris Call for Trust and Security in Cyberspace which is a bit of an outlier at this point, considering that the rest of the Five Eyes, even Australia, has signed up to it at this point.

Scott Shackelford: [00:18:49:21] You know, there is some concern there, I think, on the US Government side. I don't, of course, want to speak for them about how it could intersect with various recent policy changes on the part of the US Government, including kind of freeing their hands a little bit on the offensive side from US Cyber Command so it's going to be interesting to see how it plays out and if there's any-- if there's sufficient, you know, international pressure to kind of change minds, frankly, in the Trump administration about the call.

Scott Shackelford: [00:19:19:18] Regardless of the US Government, there are a variety of, you know, US stakeholders, both major technology companies like Microsoft, universities, of course, like IU, Tufts and otherwise and a whole range of centers and other nerve centers across the country that have signed up. So kinda-- it's similar to what we're seeing kinda played out, to an extent, in the climate change context or, even though we're not getting a lot of leadership from the Federal Government right now, when it comes to climate change policy, we're seeing a lot of action, you know, state, local, private sector and civil society groups getting involved. I think we're seeing a similar outcome and a similar kind of setup right now in the cybersecurity context as well.

Dave Bittner: [00:19:58:20] And so what, ultimately, do you think will come from this? Are we heading towards international treaties, or agreements? How do you suspect this is going to play out over time?

Scott Shackelford: [00:20:09:07] It would be wonderful to have a crystal ball and I wish mine was not, you know, as opaque as it is, frankly. There have been proposals for some time, for example, for a Digital Geneva Convention, or new international treaties, even just updating the Budapest Convention, which is the Council of Europe Convention on Cybercrime would be helpful.

Scott Shackelford: [00:20:27:10] It's tough. It's tough to get agreement on new treaties, there is not a lot of even foundational support for what types of things a new treaty frankly should regulate. We saw that with competing US and Russian resolutions about these international codes of conduct for cybersecurity this last October at the UN. That's something Russia's been pushing for a long time. The US is trying to get more countries on record for how they think international law should apply to cyberspace which would be, I think, kind of a helpful step in building out state practice there.

Scott Shackelford: [00:21:01:06] So I think, you know, you're seeing this as a step in the direction of further clarifying the norms, which can, in turn, gradually, you know, crystallize state practice and then kind of lay the groundwork for an eventual treaty. But when you look at, you know, how this played out after, for example, World War One and the initial kind of Paris peace process here, we had some agreements, we had unfortunately World War Two intervene before finally we got the UN Charter.

Scott Shackelford: [00:21:28:05] I don't think we're hopefully going to be leaning toward anything that dramatic, you know, in cyberspace. My hope is that there is not going to be anything that's going to shock the system to that extent, to galvanize action but, you know, it remains to be seen whether this kind of, you know, slow bleed of attacks, myriad and otherwise, are going to be enough to make people stand up, you know, or whether it's going to require something else for an eventual treaty to be negotiated. But I think the Paris Call really is a helpful step forward but that's all it is. It's just a step in the right direction.

Dave Bittner: [00:22:01:12] That's Scott Shackelford from Indiana University.

Dave Bittner: [00:22:09:13] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland, out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:22:31:19] Our CyberWire editor is John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.