Dave Bittner: [0:00:03] YouTube creators in the car community get their accounts hijacked over the weekend. Facebook finds tens of thousands of apps behaving badly with respect to privacy. The social network's announcement has been coolly received in the U.S. Senate. The Gulf region continues to be a field of cyber as well as kinetic competition. Huawei's CFO is back in court today. And Iowa tries to sort out what it actually hired pen testers to do - and to whom they were supposed to do it.
Dave Bittner: [0:00:37] And now a word from our sponsor LookingGlass Cyber. Organizations have been playing a dangerous game of cyber Jenga, stacking disparate security tools, point solutions and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's micro-segmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Learn more at lookingglasscyber.com/contactus. That's lookingglasscyber.com/contactus. And we thank LookingGlass Cyber for sponsoring our show.
Dave Bittner: [0:01:45] Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights, like remediation advice, to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Dave Bittner: [0:02:12] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 23, 2019.
Dave Bittner: [0:02:21] YouTube users suffered what appears to have been an extensive and coordinated account hijacking campaign over the weekend, ZDNet warns. The car community was particularly targeted, and the attacks seem to have begun with phishing. The actors behind the hijacking seem to have been organized criminals, and the ZDNet researchers who developed the story suggest that people keep an eye on various dark web markets, since stolen accounts of this kind need to be monetized rapidly if they're to be monetized at all.
Dave Bittner: [0:02:51] Facebook continues to deal with the fallout from the Cambridge Analytica data scandal. Late Friday, as it continued the self-examination it undertook after determining that Cambridge Analytica had handled data shared with it in ways that retrospectively, at least, posed serious issues of privacy, Facebook released fresh results of that ongoing introspection. The social network identified data collection and handling issues with tens of thousands of applications associated with some 400 app developers.
Dave Bittner: [0:03:21] This does seem like a lot to have overlooked, especially given the nudging Facebook has received from bad optics - to say nothing of the $5 billion encouragement to virtue offered by the U.S. Federal Trade Commission. The social network represented the results as evidence of its commitment to bring data abuse under control and rather defensively pointed out that it's had to slog through millions of apps, which is no doubt true. Still, a tally of bad-acting apps adding up to tens of thousands - give or take a few baker's dozen - is two orders of magnitude bigger than Facebook had previously suggested.
Dave Bittner: [0:03:57] In any case, Facebook critics did not receive the news well. Take U.S. Senator Ron Wyden, Democrat of Oregon, as one example. Quote, "This wasn't some accident. Facebook put up a neon sign that said free private data and let app developers have their fill of Americans' personal info," the Washington Post quotes the senator as saying, adding his opinion that, quote, "The FTC needs to hold Mark Zuckerberg personally responsible," end quote.
Dave Bittner: [0:04:23] Such disappointment is bipartisan. U.S. Senator Josh Hawley, Republican of Missouri, who met with Facebook supremo Zuckerberg last week about exactly this sort of problem, tweeted this reaction: "And now, barely 24 hours after insisting to my face that Facebook takes personal privacy more seriously than anything else, Facebook reveals potentially massive data breaches." Part of the conversation between Mr. Zuckerberg and Senator Hawley involved the senator's suggestion that selling off WhatsApp and Instagram would help confirm that Facebook actually took data seriously. In any case, the suspension of hundreds of app developers, whom Facebook didn't name in its statement, would seem to fall short of putting your money where your mouth is.
Dave Bittner: [0:05:08] A poll shared with Vox by Data for Progress and YouGov Blue suggests there's an emerging bipartisan consensus that maybe it's time for the government to consider breaking up big tech. The pollsters are on the left, but the results they report don't seem too far out of line with other indications of public sentiment. They found no sharp differences among Democrats, Republicans and independents in responses to questions asking if big technology companies should be broken up in order to achieve better competition in the market.
Dave Bittner: [0:05:39] Iran will take proposals for a Gulf regional security organization to the United Nations General Assembly's annual summit this week, The Guardian reports. The intent is to assemble a coalition of hope designed, for the most part, to exclude the U.S. and U.K. from a continuing role as protector of Iran's regional rivals. The move occurs as tensions remain high over the September 14 drone attack against Saudi oil facilities.
Dave Bittner: [0:06:06] There were reports over the weekend that Iranian petrochemical operators had been affected by a cyberattack. Iran took the social media chatter seriously enough to issue an official denial that there had been any successful attacks. Much of the conflict in the region has involved cyber operations, CNBC observes, some of them apparently in retaliation for kinetic actions, like Iran's shootdown of a U.S. surveillance drone. The U.S. has been looking to cyber operations as an approach to deterring Iran. The New York Times notes that among the options Cyber Command has had under consideration is disruption of Iranian oil production.
Dave Bittner: [0:06:44] Cyberattacks are attractive as a deterrent in part because of the proportionality they promise and the degree of strategic ambiguity that tends to accompany them. The difficulty of containing their effects is unattractive, as is the prospect that use of a cyberweapon is generally assumed to be tantamount to its proliferation; thus their advantages and disadvantages tend to be the opposite of those associated with kinetic weapons. We will no doubt hear more about cyber conflict as the General Assembly summit meets this week.
Dave Bittner: [0:07:17] According to Reuters, Huawei's CFO Meng Wanzhou returns to court in Vancouver today, where her lawyers will press for details concerning her arrest. Her defense team is expected to request more information about the circumstances of Ms. Meng's arrest at the Vancouver airport. They're expected to use such information to support the contention that her rights were violated by the arrest; this, in turn, they hope to use to block her extradition to face prosecution in the U.S. on charges related to violating sanctions against trade with Iran.
Dave Bittner: [0:07:51] And finally, the strange case of the pen testers arrested over what seems to have been a misunderstanding of the scope of their engagement has expanded into a dispute between Iowa's state government and two of the state's counties. A state agency hired security firm Coalfire to test security, and the contract is said, by the Register and others, to have extended to tailgating - that is, following employees into the building, dumpster diving and lock picking. The state court administration says that, yeah, sure, it did hire Coalfire to do these things, but that the administration, quote, "did not intend or anticipate those efforts to include the forced entry into a building," end quote.
Dave Bittner: [0:08:34] OK, although lock picking strikes our burglary desk as being so close to forced entry as to amount to a distinction without a difference. Anywho, Iowa's Supreme Court has hired a Minnesota law firm to conduct an independent investigation. And we're happy to report that the two pen testers are out on bail. The lesson for all engaged in contracting for penetration testing - be sure everyone's clear on the scope, and if you're hiring pen testers, be sure you're testing something you own, not someone else's stuff. The two counties involved, Polk and Dallas, aren't particularly happy that the state decided to test their security.
Dave Bittner: [0:09:18] And now a word from our sponsor ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. That's one reason enterprises value the SOC Visibility Triad, Gartner's framework that helps teams like yours scale security and business operations safely and cost-effectively. When you combine network detection and response with endpoint protection and SIEM, you have the visibility, threat detection and automated response capabilities you need to secure and support cloud growth. Learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [0:10:17] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [0:10:26] It's good to be back, Dave.
Dave Bittner: [0:10:28] Article came by - this is from Threatpost.
Joe Carrigan: [0:10:30] Yeah.
Dave Bittner: [0:10:30] It's written by Elizabeth Montalbano, and it's titled "Smart TVs, Subscription Services Leak Data To Facebook And Google" (ph).
Joe Carrigan: [0:10:39] I don't know leak is the right word. How about just send?
Dave Bittner: [0:10:43] Yeah, yeah. Now, you and I have spoken before, offline, about - you were looking to buy a new TV.
Joe Carrigan: [0:10:50] Yeah.
Dave Bittner: [0:10:51] And it's not easy to find a nonsmart TV anymore.
Joe Carrigan: [0:10:54] It is almost impossible to find a nonsmart TV. They are almost all "smart."
Dave Bittner: [0:10:59] Right.
Joe Carrigan: [0:11:01] I use "smart" with air quotes around it.
Dave Bittner: [0:11:02] OK.
Joe Carrigan: [0:11:03] Right? Now, this article talks about - some of the data is going out to places like Google, Akamai and Microsoft, but that is probably because of the cloud services that those companies provide.
Dave Bittner: [0:11:14] Yeah.
Joe Carrigan: [0:11:15] So that seems legit. But then there's all kinds of other stuff going on here, like pixels that track what you're watching and report that back. But there's...
Dave Bittner: [0:11:25] Yeah, grabbing little clips of video and phoning home with them.
Joe Carrigan: [0:11:27] Grabbing little clips or screenshots of videos (laughter).
Dave Bittner: [0:11:30] Remember the old days, Joe, when you'd go to your local department store, and you'd buy a television...
Joe Carrigan: [0:11:36] Right.
Dave Bittner: [0:11:36] ...And you'd come home, and you'd plug it in, and you'd unfurl that antenna, and you'd watch the game? (Laughter).
Joe Carrigan: [0:11:41] It was a completely passive device.
Dave Bittner: [0:11:43] That's right.
Joe Carrigan: [0:11:43] All it did was receive information, right?
Dave Bittner: [0:11:45] That's right.
Joe Carrigan: [0:11:46] Didn't send any information.
Dave Bittner: [0:11:47] Yeah. People stayed off your lawn back then, too.
Joe Carrigan: [0:11:49] Yeah, yeah, that's right.
Dave Bittner: [0:11:51] Yeah.
Joe Carrigan: [0:11:51] Didn't have to get out and tell so many kids to get off my lawn back then.
Dave Bittner: [0:11:54] Yeah, yeah.
Joe Carrigan: [0:11:56] There's an article in Consumer Reports that tells you how to turn off these tracking features, but I don't know if that will disable some of the services that you have.
Dave Bittner: [0:12:04] Well, and let's be clear. I mean, the - part of what they're claiming here is that, in collecting all this information about you, they are providing you with better services. They're providing you with some of the things we like. We like it when Netflix, for example, recommends other shows that we might like to watch because of other things we've watched.
Joe Carrigan: [0:12:23] Right.
Dave Bittner: [0:12:23] It's a useful feature.
Joe Carrigan: [0:12:25] Yeah. And I don't have a problem with Netflix recommending shows based on my Netflix viewing history.
Dave Bittner: [0:12:29] Right.
Joe Carrigan: [0:12:30] But if Netflix starts recommending shows based on my Amazon viewing history, then I know these two companies are collaborating and saving data. I don't know that those two companies in particular do it.
Dave Bittner: [0:12:40] Yeah.
Joe Carrigan: [0:12:40] But that's the kind of thing I'm talking about. You know, if it stays within the company and they're just trying to make the service better, that's fine. But if they're selling my data and profiting from me, I want that to come back in some way.
Dave Bittner: [0:12:53] Well, and it's an interesting point is - one of the things I've read is that one of the reasons that TVs have gotten so cheap is because this is a revenue stream for them.
Joe Carrigan: [0:13:03] Right.
Dave Bittner: [0:13:03] They can lower the price of the TV because they're making money on the back end selling your data.
Joe Carrigan: [0:13:07] Yep, selling your data. Absolutely. There is a solution, though. When your TV says, hey, let's connect to your network, just say no.
Dave Bittner: [0:13:15] I suppose you could go at it in a different way. Rather than having the TV connect directly, you could use one of the other devices; you could use a Roku or an Apple TV or something like that.
Joe Carrigan: [0:13:26] Right. Roku is listed in here as sending information out based on its channels.
Dave Bittner: [0:13:30] You could use an Apple TV.
Joe Carrigan: [0:13:31] Apple TV, yeah.
Dave Bittner: [0:13:34] (Laughter) Yeah.
Joe Carrigan: [0:13:34] I don't know, Dave.
Dave Bittner: [0:13:36] I'm sure they all do it to varying degrees.
Joe Carrigan: [0:13:38] Right.
Dave Bittner: [0:13:38] One of the things that caught my eye that I thought was concerning was - I believe it's in the Samsung privacy notice, where they warn you to be careful what you say in front of your television.
Joe Carrigan: [0:13:48] (Laughter) Right. Any personal information might be transmitted to third parties - if you're having a personal conversation. I mean, Dave, who among us really actually has personal conversations in their own home?
Dave Bittner: [0:13:58] I have a smart TV in my bedroom, Joe. This is, you know - so.
Joe Carrigan: [0:14:02] That is the worst place to have a smart TV, I think.
Dave Bittner: [0:14:05] But we like to watch Netflix on it, so.
Joe Carrigan: [0:14:07] I actually do not have a TV in my bedroom.
Dave Bittner: [0:14:10] See - there's the trap. There's the trap.
Joe Carrigan: [0:14:11] Yep.
Dave Bittner: [0:14:11] Well, I think, you know, one thing in looking around for nonsmart TVs, first of all, you're going to pay more...
Joe Carrigan: [0:14:18] Right.
Dave Bittner: [0:14:18] ...For a TV that doesn't have these features, which is...
Joe Carrigan: [0:14:20] Which I'm happy to do, actually.
Dave Bittner: [0:14:21] ...Counterintuitive. But there you go. This is the world we live in.
Joe Carrigan: [0:14:24] Right.
Dave Bittner: [0:14:25] But also, if you look for industrial monitors.
Joe Carrigan: [0:14:29] Right.
Dave Bittner: [0:14:29] Like retail display monitors, the types of monitors that they use, like, at your McDonald's...
Joe Carrigan: [0:14:33] Right, exactly.
Dave Bittner: [0:14:33] ...For displaying the menu - those sorts of things.
Joe Carrigan: [0:14:35] Or perhaps a computer monitor.
Dave Bittner: [0:14:36] A computer monitor would work fine with one of these external boxes.
Joe Carrigan: [0:14:39] Right, yep.
Dave Bittner: [0:14:40] So you do have options, but - and you can opt out, they say.
Joe Carrigan: [0:14:44] Yeah.
Dave Bittner: [0:14:45] But, of course, the default - when you buy one of these and set it up...
Joe Carrigan: [0:14:48] You're automatically opted in.
Dave Bittner: [0:14:49] You're automatically opted in. So beware.
Joe Carrigan: [0:14:52] (Laughter).
Dave Bittner: [0:14:53] If privacy is important to you, you might want to spend a little more money on either a TV or an external box or, at the very least, take the time to make sure that the settings are what you want them to be.
Joe Carrigan: [0:15:05] Absolutely.
Dave Bittner: [0:15:06] Yeah. All right. Well, Joe Carrigan, thanks for joining us.
Joe Carrigan: [0:15:08] It's my pleasure, Dave.
Dave Bittner: [0:15:13] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [0:15:26] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [0:15:54] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.