Scraped data found gurgling around in an unsecured third-party database. Ransomware and election security. Spy in your pocket? (Probably not.) Guilty plea in the Satori case.
Dave Bittner: [00:00:03] A database scraped from Facebook in the bad old days before last year's reforms holds information about 419 million users. We'll talk ransomware threats to election security. We've got notes from the Billington CyberSecurity Summit. Is your phone reporting back to Mountain View or Cupertino? Probably not. And the Feds get a guilty plea in the case of the Satori botnet.
Dave Bittner: [00:00:33] And now a message from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in; it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:01:24] Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Dave Bittner: [00:01:51] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 5, 2019.
Dave Bittner: [00:01:59] Facebook has sustained a significant data exposure incident. TechCrunch reports that a researcher found an unsecured database that contains data on some 419 million users. The data contained, for the most part, user phone numbers linked with account IDs, but in many cases, it also included users' real names, gender and country. This isn’t, properly speaking, a Facebook breach. The data came from Facebook, but it wasn't a Facebook database. The data were scraped. The exposed database was not maintained or controlled by Facebook. Facebook said that the information appeared to have been scraped at some time before Facebook restricted third-party access to its data last year. Who scraped the data is so far unknown.
Dave Bittner: [00:02:44] The head of NSA's Cybersecurity Directorate said yesterday at the Billington CyberSecurity Summit that ransomware represents an interesting threat to upcoming U.S. elections. TheHill quotes Anne Neuberger as saying ransomware will be a focus of her directorate during the election cycle. The ongoing wave of ransomware attacks against U.S. local governments thus acquires another level of menace. The ransomware security specialists at Emsisoft have been wondering why so many of these attacks have hit Southern states like Louisiana, Texas and Florida, and they think that extortionists are choosing targets they regard as likely to pay. If that's so, this would appear to be another indication of the way the black market is responding to market forces.
Dave Bittner: [00:03:29] Here's something that mayors, city councils and county judges might also factor into their risk calculations. An IBM study concludes that taxpayers, many of whom actually also vote, pretty clearly oppose paying ransom. So, your honor, if you secure your networks and properly back up your files, you will have saved the money of thousands of registered voters. Think about it.
Dave Bittner: [00:03:53] And speaking of the Billington CyberSecurity Summit, we have our people in Washington sitting in. The theme this year is top government priorities - a call to action. And the presenters represent a strong mix of industry and government leaders. Some highlights from yesterday's presentations include a view from the U.S. Federal CISO’s perch, notes on data and artificial intelligence and some thoughts from NSA's Cybersecurity Directorate.
Dave Bittner: [00:04:19] Grant Schneider, currently the U.S. federal chief information security officer, working from the Office of Management and Budget, explained that while his organization does have oversight responsibilities, he sees it essentially as a support structure designed to enable sound cyber practices throughout the federal government. Scheider's predecessor and co-presenter Brigadier General - retired - Greg Touhill, now president of Cyxtera Federal, said that his own views shifted over the course of his service. At one time, he would have attributed most incidents to careless, negligent and indifferent people. But he eventually came to add overworked, and this may indeed be the most important risk factor.
Dave Bittner: [00:05:00] Learning how to manage risk under these conditions is a challenge, and the government personnel need to fully understand the new reality. Touhill added, quote, "If you use a computer or a mobile phone, you are a cyber operator and a target," end quote. When asked what keeps them up at night, Schneider pointed to the exposure of critical infrastructure to attacks against industrial control systems. As the Internet of things expands, risk exposure grows, and the cost of entry to threat actors declines. Touhill gave a one-word answer - China.
Dave Bittner: [00:05:33] When we talk about artificial intelligence and cybersecurity, we need to bear in mind that this is really two topics. One is the use of artificial intelligence in cybersecurity; the other is the cybersecurity of AI systems themselves. Both topics are complex, but panelists focused on the importance of data to both. Questions of data integrity grow sharper with the deployment of AI. Data poisoning attacks are a very real threat, and ensuring that data are trustworthy is a challenge, panelists thought.
Dave Bittner: [00:06:04] And there's a temporal dimension to this. The U.S. government began collecting data from the earliest days of the republic. The Constitution, for example, mandates a census every 10 years. This means, obviously, that the government didn't - because it couldn't - build concerns about AI's use of data into its collection and storage practices. Private industry, being far younger, finds it easier to build this in. But that doesn't mean tech companies enjoy all the advantages of youth.
Dave Bittner: [00:06:32] Weighing in from the private sector, Swami Sivasubramanian, who is vice president of Amazon Web Services, compared machine learning's current state of development to the internet. He said, quote, "if the internet is still in Day 1 after 30 years, machine learning just awoke and hasn't yet had a cup of coffee," end quote.
Dave Bittner: [00:06:52] We'll have more notes from the Billington CyberSecurity Summit tomorrow.
Dave Bittner: [00:06:56] Carole Theriault has been reviewing some of the most serious breaches involving third-party risk that we've seen so far this year. From the U.K., here's her report.
Carole Theriault: [00:07:06] I was lucky enough to get the chance to speak with Dov Goldman. He is the director of risk and compliance at Panorays, a firm focused on automating third-party security management. I invited Dov to come and talk with us about the most noteworthy breaches that have happened this year so far and get his thoughts on whether these are the most dangerous cyber times we've ever faced.
Carole Theriault: [00:07:30] Dov, thank you so much for coming on the show. I appreciate the time.
Dov Goldman: [00:07:34] Oh, it's my pleasure.
Carole Theriault: [00:07:35] Now, before we get into the weeds, what has been your overall impression of 2019 so far in terms of these big breaches?
Dov Goldman: [00:07:44] Well, it doesn't take brilliance to recognize that we're seeing an increasing cadence of news about breaches. But certainly, everybody has to assume these days that their information is going to be breached or has been breached, and it's floating around somewhere where a hacker can take advantage of it.
Carole Theriault: [00:08:06] God, it's a very depressing thought, isn't it?
Dov Goldman: [00:08:09] It is. And it pretty much means that unless you're willing to live in a cave...
Carole Theriault: [00:08:14] Yeah.
Dov Goldman: [00:08:14] ...With no electricity and, certainly, no smartphone, you can't avoid this.
Carole Theriault: [00:08:20] (Laughter) OK. So of 2019 security breaches we've seen so far, to your mind, what - which one has been the most interesting?
Dov Goldman: [00:08:29] So I'll start with one that I studied - I don't know - a couple of months ago. Well, in its own way, it's quite scary. The U.S. Customs and Border Protection Agency...
Carole Theriault: [00:08:44] Yeah.
Dov Goldman: [00:08:44] ...They had a breach where it was - so it wasn't them. It was a contractor called Perceptics, and they make the systems that - at a lot of the border locations, you'll see that they're scanning your license plate. That particular organization happened to have made a few mistakes. And they claim fewer than 100,000 people were affected.
Carole Theriault: [00:09:07] Right.
Dov Goldman: [00:09:07] But this is a scary one. Just going back to my point of hiding in a cave - if you're going to cross a border with a car anywhere in the United States, your license plate is going to be photographed. It's going to be matched against the database so that they can know who is crossing. And in a lot of cases, some of the same exact technology is used for toll collection today, which we all love - makes life easier. And they're taking a picture of your face.
Dov Goldman: [00:09:33] So somebody somewhere knows that you crossed a border at a particular time, so they know your location. They have your license plate number, and they have a picture of you and also of the other occupants in your car. So that's pretty scary. The fact that this was a U.S. government agency and the fact that they had contracted this service out - and there was this contractor that was breached and the U.S. agency, obviously, wasn't smart enough to know that - well, I shouldn't - I don't - I shouldn't cast aspersions 'cause I don't know exactly how they let this happen...
Carole Theriault: [00:10:11] (Laughter).
Dov Goldman: [00:10:11] ...But it's obvious that they were not careful enough.
Carole Theriault: [00:10:14] You're making a really good point there. So no matter how much you've locked down your own fort, all the people that have keys to your kingdom may leave a door open or might do something that just compromises your incredible security.
Dov Goldman: [00:10:29] That's a scary thought that, in theory, very professional organizations that outsource important functions to other, theoretically, very professional organizations - they're in trouble.
Dov Goldman: [00:10:43] The other point I'll make is that there are good standards out there - standards like NIST and ISL, but we're focused on NIST in the U.S. context. And they clearly define some of the best - in fact, the best practices that could have possibly headed these breaches off at the pass. And so how do you avoid them is out there. It's known. And if you're paying attention and you're being diligent, maybe you avoid this.
Carole Theriault: [00:11:12] The person that's responsible for security within any firm - be it a small, you know, mom and pop shop to a massive corporation - how is their job cut out for them? It's complicated times right now.
Dov Goldman: [00:11:23] It is very, very difficult. They have to be everywhere all the time. They have to be looking at technology. They have to be looking at their software. They have to be looking at their people. But add to that this important concept that you have to have these standards that you're enforcing. You have to know how you can get your third parties to enforce them as well, your sub - your contractors. Everybody who is in your greater-business ecosystem has to be considered part of what many in the industry call an attack surface.
Carole Theriault: [00:11:54] Dov, I could talk to you all day about this. It's fascinating. Thank you so much for making time and coming on the show and talking to us about this.
Dov Goldman: [00:12:01] Thank you again. My pleasure.
Carole Theriault: [00:12:03] This was Carole Theriault for the CyberWire.
Dave Bittner: [00:12:06] There are fears currently finding expression in social media that big corporations routinely eavesdrop on phone calls and ambient conversations to better serve up targeted ads. The BBC says these fears are, on balance, unfounded. The security firm Wandera studied the concerns and concluded that they were mostly hooey. Could a phone be attacked and its microphone seized by the attacker? Sure. Is spyware a threat? Yes, indeed. Have companies used human monitors to perform quality assurance on user interactions with voice AI? They have indeed. But Wandera concludes that people should relax a bit. It's not as if a silent, OK, Google reports back to Mountain View that you've been talking to a friend about hockey sticks or the best way to grow tomatoes so the world's biggest marketing company can serve you ads for ice hockey or vegetable seeds.
Dave Bittner: [00:13:00] And finally, the feds got a guilty plea from one Kenneth Schuchman, who copped to involvement in the Satori botnet. The Register calls Mr. Schuchman, who's just a tender 21 years of age, a script kiddie. Their unkind lede is, quote, "one moron down, two to go," end quote.
Dave Bittner: [00:13:23] And now a word from our sponsor, KnowBe4. Today's phishing attacks have evolved way beyond spray-and-pray emails that mass target victims. Instead, the bad guys have carefully researched your organization in order to set the perfect trap, and pretexting is the key. Whether it's a phone call from an attacker impersonating your IT department or what seems like an innocuous email that ends up harvesting important credentials, the perfect pretext can lead to the bad guys owning your network before you know it. Join KnowBe4 for an exclusive webinar where Kevin Mitnick, the world's most famous hacker, and KnowBe4's chief hacking officer will show you how the bad guys craft such cunning attacks. He'll dig into tactics for reconnaissance, target selection, creating a pretext and launching an attack. And more importantly, he'll tell you what you need to know to protect your organization. Kevin will also share new demonstrations that will blow your mind. Go to knowbe4.com/pretext to register for this exclusive webinar. That's knowbe4.com/pretext. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:14:42] And I'm pleased to be joined once again by professor Awais Rashid. He's a professor of cybersecurity at University of Bristol. Awais, it's great to have you back. We wanted to talk today about this notion of bystander privacy. What can you share with us today?
Awais Rashid: [00:14:57] So wearables are becoming more and more common. We use them on our own person, but also, increasingly, we also use them on our companions, such as pets. The pet wearables are now, effectively, a billion-dollar industry. And all these wearables are all the time collecting data. And the question is - are they just collecting data of the person - even in the case of pets, the animal that is wearing them - but are they also capturing information from around themselves - for example, through microphones and other sensors? And that's what I mean by the notion of a bystander privacy, that you may not be the actual wearer of a wearable device, but it may still be capturing information that is pertinent to you and, in some ways, impacting the privacy of those bystanders.
Dave Bittner: [00:15:39] Yeah. It's interesting. I remember a case where there was someone who was a pizza delivery person and they got held up by someone. They got robbed of their cash. And not long after that, on Facebook, the person who robbed them came up as a possible friend because they had been in proximity of each other.
Awais Rashid: [00:15:59] Absolutely. And we see a similar trend. So we've recently done a study of pet wearable devices in this case. And in a lot of the cases, the devices are bought by users thinking that they are for their pets, and also, the privacy policies also note that the devices capture the data about the pet. But, for example, when you take your dog for a walk, the dog doesn't go for a walk by itself, right? So you go with the dog. So it...
Dave Bittner: [00:16:23] Mine certainly doesn't (laughter).
Awais Rashid: [00:16:23] Yeah. And immediately, the owner's data is implicitly being tracked. And you can see, potentially - lots of potential cases where this has implications, for example, ranging from burglars knowing when to approach a home, so, you know, to even insurance companies inferring the health profiles of pet owners in that sense. So I guess the key question here is that, as that - as we move more and more towards a world of wearables where a lot of our activities are being tracked, we also come into contact with other people. And that might implicitly - or other wearables which might implicitly, actually, track our activities or locations without us being fully cognizant of that.
Dave Bittner: [00:17:06] Yeah. It's fascinating. I mean, I think about something like dog walking, but also, I think of, you know, perhaps a married couple sharing the same car where more than one person may be accompanying that pet or that device. And so how do you separate the data coming - the associated data coming from that thing that both of them are spending time with?
Awais Rashid: [00:17:29] Absolutely. And there is also the other case whereby through the activity and locations - for example, let's stay with the dog walking example. Through the activities and locations that the dog goes to, you may be able to infer who is with the dog at a particular point in time.
Dave Bittner: [00:17:44] Yeah, that's interesting. I wonder if you could even suss out, you know, different walking styles. Do I walk my dog at a brisker pace than one of my family members does, for example?
Awais Rashid: [00:17:55] Absolutely. And there have been cases, for example, where, you know, the devices have been used to track, effectively, if dog walkers have done their job in that sense and so on. So there are privacy implications of wearables, and they're not just for those who are actually wearing them. It's also those who come into contact with them, knowingly or unknowingly.
Dave Bittner: [00:18:17] Yeah, it's fascinating. All right, professor Awais Rashid, thanks for joining us.
Dave Bittner: [00:18:25] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:18:38] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.