The CyberWire Daily Podcast 10.9.19
Ep 945 | 10.9.19

Twitter and two-factor authentication. Privacy concerns. The US Senate Intelligence Committee reports on Russian troll farms. Turla is back with some new tricks.

Transcript

Dave Bittner: [00:00:03] Twitter says it's sorry if anything might have inadvertently happened with users' email addresses and phone numbers and that it's taking steps to stop whatever might have happened from happening again, if anything actually happened. Other concerns about privacy surface elsewhere. The U.S. Senate Intelligence Committee issues its report on influence operations in the 2016 elections. And Kaspersky ties a sophisticated malware campaign to Turla. 

Dave Bittner: [00:00:33]  It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web by identifying new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:01:40]  Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:02]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 9, 2019. Twitter yesterday said it's sorry personal information submitted when setting up multi-factor authentication, quote, "may have inadvertently been used for advertising purposes," end quote. Phone numbers and email addresses were made available to Twitter's Tailored Audiences and Partner Audiences advertising system. The company says it's introduced reforms to keep this from happening again, but security experts have received the disclosure coldly. Twitter's denial that personal data was ever shared externally with our partners or any other third parties seems ambiguous. After all, if they never shared anything, where's the problem? But externally seems to be the operative word. 

Dave Bittner: [00:02:51]  Twitter apparently used the multi-factor authentication data to match users with advertisers' databases, the better to enable Twitter's customers to target their pitches. And those customers, remember, are advertisers and not users. A lot of people have noticed that Twitter requires that you give the company a valid phone number in order to sign up for two-factor authentication. There seems to be no good reason for this requirement. And, indeed, as Ars Technica says, a phone number isn't required by Google or GitHub or any number of other widely used services that offer two-factor authentication. Twitter wouldn't tell Ars Technica on the record why they wanted the phone numbers, but a company rep said on background that the decision to require a valid phone number was based on other unfortunate experiences with users who'd lost access to other authentication mechanisms and found themselves locked out of their account. 

Dave Bittner: [00:03:45]  Twitter's legal exposure is unclear. The Register says the U.S. Federal Trade Commission declined to comment. But as The Washington Post points out, the U.S. government secured a judgment against Facebook earlier this year over similar practices. The social network was using phone numbers collected for security purposes to send users messages unrelated to security. 

Dave Bittner: [00:04:07]  None of this is repeated to pick on Twitter. They're hardly alone, and they're hardly an outlier where targeted advertising is concerned. The Weather Channel, for example, not generally thought of as hoovering up vast quantities of personal data, is now embroiled in a lawsuit with Los Angeles. The City of Angels is suing the Weather Channel, alleging that their app made improper use of geolocation data from users' phones. 

Dave Bittner: [00:04:31]  Sputnik International, which knows a thing or two about the use and abuse of data, quotes a Times story about data collection in which former GCHQ director David Omand says that big internet companies like Google, Twitter and Facebook know more about individuals than GCHQ or other intelligence agencies. And if you were made uneasy by that story in Sputnik, that's probably a feature and not a bug, at least as seen from Moscow. 

Dave Bittner: [00:04:59]  The U.S. Senate Intelligence Committee has issued the second volume of its report, Russian Active Measures Campaigns and Interference in the 2016 U.S. Election. The St. Petersburg-based Internet Research Agency was the focus of the committee's study. They found that its operations were directed by the Russian government and that its messaging was overtly supportive of then-candidate Trump. It also found that Russian social media operations were overwhelmingly concerned with race, with African Americans disproportionately addressed. The goal of the information effort was substantially to increase mistrust along fissures in American society. The troll farmers' activity actually increased after Election Day. The committee found Instagram activity increased 238%, Facebook increased 59%, Twitter 52% and YouTube citations went up by 84%. Senator Richard Burr, Republican of North Carolina, who chairs the Select Committee on Intelligence, summarized the study's overall conclusion, quote, "by flooding social media with false reports, conspiracy theories and trolls and by exploiting existing divisions, Russia is trying to breed distrust of our democratic institutions and our fellow Americans," end quote. 

Dave Bittner: [00:06:16]  The CyberWire's Women in Cyber Security Reception is just a few weeks away. And leading up to that event, we're highlighting the stories of inspirational women in our industry. Neill Sciarrone is co-founder and president of Trinity Cyber, a company that describes their offerings as proactive threat interference. Before starting Trinity Cyber, she served in high-level roles in the aerospace and defense industries and in the White House as special assistant to the president and senior director of cybersecurity policy. 

Neill Sciarrone: [00:06:44] The path that led me into running a cyber company is not a traditional path by any means. And I would say, in fact, I think that's one of the best things about it is that I didn't intend to ever run a cyber company. I will share with you, I wasn't one of those folks who started out as an engineer or studying computer science. In fact, I studied government and women's studies. But I'm curious. In fact, I probably drive people nuts with the amount of questions that I ask. And so I had a path that eventually led me where I am today. I started out in 2001 working for a little known office called the Critical Infrastructure Assurance Office. And it was hidden within the Department of Commerce. And this was back when Dick Clarke, who I think you may have interviewed for one of your other podcasts...

Dave Bittner: [00:07:32]  Mmm hmm. Yeah. 

Neill Sciarrone: [00:07:32]  ...Was part of the president's board and was working on cybersecurity. And we were working on critical infrastructure protection and cyber. As chance would have it, I wound up being able to be involved in the creation of the Department of Homeland Security and being part of the transition team that helped stand up that department and working on Title II of the Homeland Security Bill, which was at the time called the Information Analysis and Infrastructure Protection Directorate. We were at this facility called the Nebraska Avenue Complex, or the NAC as we called it, and it was these big brick buildings that were part of a former Navy installation. And they're like these huge, three-story brick buildings. You'd walk in up an alley. And you would head upstairs into what was truly the attic. And it felt like being in the attic. Everything was sort of those brown tones of an old picture. And in that environment is where we were leading the critical infrastructure protection efforts and cybersecurity efforts of the U.S. government. 

Dave Bittner: [00:08:34]  Not exactly the type of thing that - or how they portray on TV, right? 

Neill Sciarrone: [00:08:38]  No, it was definitely not what you see on TV, with the homeland kind of experience - a lot less glamorous. Had the privilege of serving President Bush and working on cybersecurity issues for him from a policy perspective, and so handling critical infrastructure protection, cybersecurity policy, information sharing with law enforcement at a time when a lot of those issues were really being developed and the policies behind them were being created. And so from there, I wound up going into the private sector. I worked for BAE Systems and eventually wound up running my own cybersecurity company. 

Dave Bittner: [00:09:14]  Well, I want to touch on this notion that you mentioned earlier, about you coming from a nontraditional background. I think, first of all, it seems to me like if we're ever going to close this skills gap and this employment gap that that is the kind of thing that people need to embrace. Do you agree with that? What is your take there? 

Neill Sciarrone: [00:09:36]  Absolutely. I think viewing cyber and viewing that as kind of a single way in which you enter into a career from a technology path is very limiting. And so when I think about how we're going to handle the challenge of cybersecurity in the future, I think the answer is looking at people with diverse backgrounds. But for me, cyber is more than just the technical piece. Cyber is a big business. And so if you look at the different roles you can play, there is owning a business, running a business. There is cyber policy. There's cyber diplomacy. And then there's also the technical aspect. The one constant in cyber is that everything changes. And so with constant innovation and change, a diversity of experience and a diversity of background is needed to view these problems in different and unique ways. And so this thought that the only path to a cyber career is through engineering or computer science I think is a very limiting way to look at the environment. 

Dave Bittner: [00:10:32]  What's your advice to that person who is thinking about a career in cyber, either coming up through school, maybe considering a career shift, maybe they don't come from that traditional background? 

Neill Sciarrone: [00:10:44]  My first suggestion would be don't be so focused on a goal that you miss an opportunity. And so I like to think about it like a journey and a car ride, right? So obviously you need to have an idea of where you're going. But if you're so focused on getting there that you don't take the side trips, you may miss a lot of opportunities in your career. And so my first advice would be, be open to the opportunities that may not seem obvious to you today. And stop focusing on a single way to get your objective achieved. The second thing that I would offer for folks is, you know, really think about what it is that you bring to the table, and be willing to ask questions. And so the one thing I would say that really helped me in my career is I was always willing to ask the question why and to admit what I didn't know. 

Neill Sciarrone: [00:11:32]  And so I find oftentimes, women are afraid to say they don't understand something. And I will tell you that being brave enough to say you don't understand is one of the most freeing experiences that you can have. In general, no one wants you to fail. And so saying I don't understand this or can you explain this more to me or why is a very powerful question to ask. And you'd be amazed at how much support and the answers that you get when you're willing to start asking those questions. You have to be unafraid to fail and be willing to take chances and be willing to do something different. And I guess if I had any message, it would be willing to do something different, whether that's taking a different path into cybersecurity or taking a different approach to protecting your network. In looking at things differently, sometimes you find a better answer. 

Dave Bittner: [00:12:20]  That's Neill Sciarrone. She's co-founder and president of Trinity Cyber. They are presenting sponsors of our upcoming Women In Cyber Security Reception. 

Dave Bittner: [00:12:30] Kaspersky is following Reductor, a remote access Trojan that also manipulates certificates and marks outbound TLS traffic. The campaign affects Chrome and Firefox browsers, may have compromised ISPs, and is tentatively attributed to the Russian threat actor Turla. The victims so far appear to be confined to Russia and Belarus. Kaspersky characterized the campaign as impressive, saying that the group behind it is in a very exclusive club with capabilities that few other actors in the world have.

Dave Bittner: [00:13:03]  Patch Tuesday was relatively light. Microsoft issued 60 fixes, nine of which were rated critical. And Adobe didn't peep, not this time around. 

Dave Bittner: [00:13:17]  And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:14:13]  And joining me once again is Ben Yelin. He's the program director for public policy and external affairs at the University of Maryland's Center for Health and Homeland Security. Ben, it's always great to have you back. Story came by in The Washington Post - this was written by William Wan - titled White House Weighs Controversial Plan On Mental Illness And Mass Shootings. There's a lot to unpack here. What's going on? 

Ben Yelin: [00:14:37]  So in our Department of Defense, we have what's called the Defense Advanced Research Projects Agency. And that exists to identify threats to our national defense before they become actual threats to our national defense, so using both surveillance techniques and risk analysis to identify threats to our national security before they prevent themselves. What the president is considering - and to be fair, it's something that's also being considered by key Democratic presidential candidate Vice President Joe Biden - is a corollary, the Health Advanced Research Project Agency, which would do similar work for identifying people who might be a danger to themselves or to somebody else. And it would use the same types of techniques, would do some sort of digital monitor - use some digital monitoring, perusing of social media posts, some other intelligence gathering techniques to create profiles of people who might present a risk for mental illness and therefore might be more prone to commit acts of mass violence. So this is really in response to some of the high-profile mass shooting incidents that we've seen in the past couple of months. 

Dave Bittner: [00:15:53]  Yeah, I think what caught my eye in terms of the cyber element in it is using smart devices like our phones and our watches to detect when mentally ill people could turn violent. They have a proposal called SAFEHOME because nothing in government can exist without an acronym. SAFEHOME... 

Ben Yelin: [00:16:14]  Yeah, this is one of the worst acronyms I've ever heard. But you go ahead and read it. 

Dave Bittner: [00:16:18]  Yeah. SAFEHOME stands for stopping aberrant fatal events by helping overcome mental extremes. 

Ben Yelin: [00:16:25]  Like, that's not a thing. 

Dave Bittner: [00:16:26]  (Laughter). 

Ben Yelin: [00:16:28]  That just sounds made up. 

Dave Bittner: [00:16:30]  Yeah. So I think, you know, you look at technology like Apple Watch for example, which has this useful capability of detecting whether or not you may be on the brink of having some sort of cardiac event. 

Ben Yelin: [00:16:45]  Right. 

Dave Bittner: [00:16:45]  And it can warn you. And it could even call 911 if it detects that you had a cardiac event and you've fallen down. And I think we all think that's really great. This is related to that but different. 

Ben Yelin: [00:17:00]  Yeah. I mean, part of that is for the heart monitoring, presumably that's done for a person's own good, their own health. When we're talking about observing mental illness, potentially that would lead to somebody being arrested, confined, their civil liberties being taken away or being put on some sort of all-encompassing watchlist, where their behavior would merit even more scrutiny. Obviously the terms of service of some of these technology companies will always say they'll comply with appropriate government regulations. And if the government starts to get involved in extracting this data as part of a surveillance program, then that might have a chilling effect. People might be less willing to use these devices. Perhaps they'll seek other means of social media communications to avoid detection. So yeah, I mean, I think the difference between the use you talked about and what's being discussed here is the data collected here could really be used against a user of that - of those devices. 

Ben Yelin: [00:18:05]  And I think it would be more justified if we knew that such a program would work. The research, according to this article and other articles I've seen, is really mixed. Obviously, you're going to have a lot of false positives when you set up any sort of database like this. So probably hundreds of thousands of people are going to be tagged as having mental health difficulties, and we're going to have to, as a government, sift through and figure out which ones present a danger to themselves and to others. And it's hard to know exactly how to do that when a person hasn't committed a violent act in the first place. So somebody who has - is at a gun store and has an elevated heart rate, you know, obviously going to be suspicious. But maybe if that exists for 100 people, only 10 of those people would - and I'm just making these numbers out of thin air for the purposes of an example - but maybe 10 out of 100 of those people would be planning a mass shooting. And... 

Dave Bittner: [00:19:00]  Right. I could imagine somebody who's at a gun store with an elevated heart rate because they're excited that they're going to buy a friend or a relative the birthday present that they've always wanted. 

Ben Yelin: [00:19:10]  The birthday present of their dreams, absolutely. 

Dave Bittner: [00:19:11]  Yeah. 

Ben Yelin: [00:19:12]  So how do you sift through all of this data to determine who is actually a risk when the only information you have is preliminary? So, you know, if we are going to invade civil liberties, we better be doing it for a really good purpose. If there was a foolproof way to stop mass shootings using this type of technology, I think it might be more justified. But because these types of programs, you know, at least the literature says have not been successful in mitigating mass shootings and don't have their intended effects, you know, it's harder to justify the invasion of civil liberties. 

Dave Bittner: [00:19:48]  All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: [00:19:51]  Thank you. 

Dave Bittner: [00:19:56]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:09]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carol Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.