Facebook sues over ad fraud. Tampering with VPN connections. Russian disinformation in Lithuania.

Dave Bittner: [00:00:03] Facebook sues a company for ad fraud. Unix-based VPN traffic is vulnerable to tampering. Russian disinformation in Lithuania. Apple explains why new iPhones say they're using location Services even when Location Services are switched off. Researchers set a new record for cracking an encryption key. And ransomware hits a New Jersey theater. 

Dave Bittner: [00:00:30]  And now a word from our sponsor, KnowBe4. End-point security, firewalls, VPNs, authentication systems - we've all got them. But do they really provide the comprehensive level of security your organization needs to keep the bad guys out? Are they giving you a false sense of security? The unfortunate reality is that each of these security layers can provide hackers with a backdoor right into your organization, and KnowBe4 will show you how. They've got an exclusive webinar with Kevin Mitnick, the world's most famous hacker and KnowBe4's chief hacking officer. He'll show you the three most common causes of data breaches, he'll share demos of significant vulnerabilities in common technologies, and he'll share his top tips for security defenders. Go to knowbe4.com/vulnerabilities and register for the webinar. That's knowbe4.com/vulnerabilities. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:01:30]  Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:01:53]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 6, 2019. Facebook filed a lawsuit yesterday against a Chinese advertising company that allegedly violated the social media platforms ad policies over the course of three years. Facebook says the company used malware to compromise Facebook users' accounts and then used those accounts to host ads for counterfeit products. The company was able to continue the scheme for so long by using a technique known as cloaking, which hid the destination of the ads from Facebook's systems. Threatpost says Facebook paid $4 million to reimburse victims whose accounts were abused in this fashion. 

Dave Bittner: [00:02:36]  Researchers at the University of New Mexico have discovered a flaw in Unix-based systems that could allow an attacker on the local network to inject packets into a network-adjacent user's encrypted VPN connection. The vulnerability affects Linux, FreeBSD, OpenBSD, MacOS, iOS and Android. An attacker can find the target's virtual IP address by sending packets that span the entire virtual IP space and seeing which address responds with a reset packet. The attacker can then determine precise TCP sequence and acknowledgement numbers by spoofing packets at the targeted connection until they trigger a TCP challenge packet. 

Dave Bittner: [00:03:17]  The vulnerability is fairly complex to exploit. And observers, including the Register, don't believe we'll see it exploited in the wild anytime soon. The researchers are refraining from publishing a technical paper on the subject until they've determined a suitable mitigation for the bug. 

Dave Bittner: [00:03:33]  Russian trolls have been active against public opinion in Lithuania, with an uptick in activity noticeable since early September. The target is NATO, and the messaging trades on Second World War fears of Germany and Cold War fears of the U.S. And there are the now familiar class of memes that portray local authorities as untrustworthy. Lithuania's government is working against the disinformation, but it's being tight-lipped about specifics on OPSEC grounds, Nextgov reports. 

Dave Bittner: [00:04:01]  The fake news feeds generally represent NATO troops as a barbarian threat to the peace and safety of the locals and the Lithuanian government as a collection of tools and stumblebums who couldn't find their own fourth point of contact with both hands and the Hubble Space Telescope. Nope, and nope, but if you say it enough, there will be someone who'll swallow it. The disinformation campaign is instructive in that it probably foreshadows themes and tactics that will appear in other places, particularly during election seasons. 

Dave Bittner: [00:04:31]  Apple offered an explanation for why its iPhone 11s frequently show the Location Services icon even when all Location Services have been switched off in Settings. The company told KrebsOnSecurity that the icon's presence is related to the phone's short-range Ultra Wideband technology, which allows the device to share files with other phones nearby. Ultra Wideband is prohibited in a small number of countries, including Argentina, Paraguay, Indonesia and Russia. The iPhone 11 uses location services to verify that the device isn't in one of those countries, and the location data doesn't leave the user's phone. Apple said it will include an option to switch off Ultra Wideband in a future iOS release. 

Dave Bittner: [00:05:16]  An international team of researchers led by the National Institute for Computer Science and Applied Mathematics in France have broken the record for the largest encrypted key ever cracked. The researchers used clusters of computers across several countries to factor an RSA-240 key, which is 795 bits long. The total amount of computations required would have taken just under 4,000 years running on a single computer, so the calculation doesn't mean modern encryption keys are at risk, especially since most current implementations use 2,048-bit keys. Rather, as the University of California San Diego noted in a statement, achieving regular computational records is necessary to update cryptographic security parameters and key size recommendations. 

Dave Bittner: [00:06:04]  And finally, the New Jersey Shakespeare Theatre suffered a ransomware attack which forced it to cancel the first performance of Charles Dickens' "A Christmas Carol." The theater said in a statement that we have no idea where anyone is sitting or when they are coming. Therefore, we have no idea which tickets are available for sale. And we have no information on how to contact any of our patrons at this moment in time. The theater is doing its best to ensure that the show goes on, but it can only sell new tickets on the night of the performance after patrons who pre-ordered tickets have already been seated. 

Dave Bittner: [00:06:41]  And now a word from our sponsor, ExtraHop - delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) today at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:07:39]  And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, it's always great to have you back. You all recently published a report looking back at 2019 at some of the nastiest threats that you were tracking. What can you share with us today? 

David Dufour: [00:07:55]  Hey, David. Always glad to be back. Great being here. Yeah, so we did this report. Our threat researchers, they did a great job pulling this information in three main areas - the inbox, you know, we're talking about emails and phishing there, botnets, and then the big one, as everyone is probably sick of talking about, ransomware. 

David Dufour: [00:08:16]  And ransomware, let's start with that one. You know, some of the biggest things we saw were with Emotet and TrickBot - one of the most successful, did a lot of financial damage to governments and small businesses. So very, very successful strain of ransomware. The cybercriminals are getting really, really good at deploying this stuff. GandCrab - I don't know if folks have heard that, but that's a ransomware-as-a-service, David, which is kind of a terrifying thing if you think about it - continues to be very successful. And we've seen over $2 billion on that service alone. And, you know, we saw this evolution with cyber-attacks-as-a-service, with DDoS attacks and botnets, and now that we're seeing it in ransomware as well, it's increasingly becoming a problem that we're getting better at protecting against but still exists. 

Dave Bittner: [00:09:06]  And your No. 1 recommendation for ransomware? 

David Dufour: [00:09:09]  Oh, the No. 1 absolute bar nothing recommendation for ransomware is to back up your data, and make sure your backups are in a safe place that you can recover from. If you have a good backup solution that can back up in the cloud, that's great. If you can back them up offline, that's great. And I want to be super clear. When we talk about backup, we're not talking about services that sync files across your machines so that you can share those files. I mean, a lot of people feel like that that's a backup. But if ransomware gets a hold of those files, they can potentially be synced across all of your devices. You really need a real robust backup solution. 

Dave Bittner: [00:09:49]  Well, let's move on to phishing. What are you tracking there? 

David Dufour: [00:09:51]  So we're seeing, you know, the continued increase in phishing. And, you know, David, I've been talking to a lot of folks about phishing, and it's kind of just come to, you know, an epiphany I had that phishing is, in essence, the scam. And it's a scam that's been going on for, you know, probably the beginning of time. And it's just that computers and technology have become the mechanism for delivering that. Whether you're getting phished through the phone, whether you're getting phished through SMS, a text messages, whether you're getting phished through email, which is the No. 1 way we see, phishing is simply, you know, someone trying to scam you. And now they're able to use a lot more technology components to get that information out of you. 

Dave Bittner: [00:10:34]  All right. Well, how about botnets? You guys are tracking that as well. 

David Dufour: [00:10:37]  Yeah. So botnets, we're again seeing an increase in - and you and I have talked about this before, David, but it's one of those things where what's old is new. We'd seen a huge decrease in botnets in the early 2010s because folks had become very, very good at detecting and preventing those on Windows platforms. But as we've seen, the growth of IoT infrastructures and, you know, more sophisticated organizations building botnets, we're seeing a lot more growth in that area. I would say at the moment, what we're seeing are kind of flagship projects where they're going out and testing the capabilities of what they could do. And I would guess within the next year or two, we'll see some fairly large botnets attacking large IoT infrastructures and things like that as they really hone in their skills on being able to attack these new environments. 

Dave Bittner: [00:11:33]  What about cryptomining and cryptojacking? You know, I think a couple of years ago, we thought that that was perhaps the future, but it seems as though they've died down some. 

David Dufour: [00:11:42]  So, yeah. Those are dying down. And I'm going to be honest, I've never been a big worrier of cryptomining and cryptojacking. It does use your, you know, your resources, some power maybe and maybe some CPU utilization on your computer memory like that. But the thing about cryptomining and cryptojacking is if you typically shut down a browser, it goes away. And the biggest thing that made - you know, we sit around - some of the folks here at WebRoot, we sit around and we talk about how cybercriminals can make money. 

David Dufour: [00:12:14]  In cryptomining and cryptojacking, they're trying to make money straight away by using your machine for mining. But a lot of these folks aren't doing malicious activity in the traditional sense, where they're trying to infect your machine with malicious software. So, yes, it's annoying. It's one of those annoyances, like a virus that plays a song. It is using your CPU cycles. But we haven't seen a lot of malicious activity around folks who are doing cryptomining and cryptojacking. 

Dave Bittner: [00:12:41]  All right. Well, the report is The Revival of Ransomware: Webroot Reveals 2019's Nastiest Threats. You can find that on the Webroot website. David Dufour, thanks for joining us.

David Dufour: [00:12:51]  Great being here, David. 

Dave Bittner: [00:12:57]  And now a word from our sponsor, the upcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and Ankura will host this event on Wednesday, March 25, in Baltimore, Md. on the Johns Hopkins Homewood Campus. You can find out more at isi.jhu.edu and click on Sixth Annual Cybersecurity Conference for Executives. Learn about the dos and don'ts of risk management with industry leaders and other cyber professionals. Check out the details at isi.jhu.edu. Click on the Sixth Annual Cybersecurity Conference for Executives. And we thank the Johns Hopkins University Information Security Institute for sponsoring our show. 

Dave Bittner: [00:13:47]  My guest today is Robert Waitman. He's director of data privacy at Cisco. His team recently published their Consumer Privacy Survey, highlighting the top areas where consumers continue to struggle to understand how companies are handling their personal data and how far data privacy trust has progressed, if at all. 

Robert Waitman: [00:14:05]  Well, a number of things have been on our mind looking at the privacy market and how our customers are responding to changing conditions and regulations. We know that privacy is an important topic for our customers and would like to continue to share research and thought leadership around topics that matter to them. So whether they're joining a WebEx or whether they are interacting with Cisco, either directly or indirectly, it's something that matters to them. So that was really foremost. 

Robert Waitman: [00:14:32]  Secondly, we've done some research in the corporate side over the past three years looking at the benefits of privacy beyond compliance. Organizations which have gotten operational efficiency, organizational agility, they've gotten to be more secure because having their data houses in order has reduced some of the costs and implications of breaches. But we wanted to understand what the consumer side of that would be. How do the consumers react to this, and how does that play into some of these issues? 

Robert Waitman: [00:14:59]  We may see sales delays, for example, that organizations are coming to us and having questions about how we use their data. And that is paralleled by what we saw on the consumer side, where more and more consumers are asking questions about how their data is being used and are willing to make choices when they perhaps are less comfortable with it. So that really drove us to get into this. 

Robert Waitman: [00:15:19]  And then I just say, finally, we at Cisco want to continue to be leaders in this space. I mean, the idea of having appropriate and ethical use of data is something that we all care about and helps create the kind of world that we all want to live in. 

Dave Bittner: [00:15:31]  Well, let's go through the survey together. What were some of the key findings? 

Robert Waitman: [00:15:36]  Yeah, a number of things that we saw in looking at this survey pool - and again, this was a global survey drawing on 2,600 respondents across 12 countries. And one of the first and biggest things we found was the emergence of more consumers who are willing to do things to help protect their data. I think it's been in the press for a while that consumers say they care about privacy, but that doesn't really translate into action. So what we tested was people who say they care about privacy, say that they're willing to spend time or money to do things to try to protect their data better, and finally, to take a third and most important test - have they made choices, have they changed providers or others who they work with because of their perhaps lack of comfort with the data policies or data practices of these organizations? And the answer to that was yes. 

Robert Waitman: [00:16:26]  And so what we found is a full 32% of consumers met all three of those tests. And to me, that's a brand-new insight coming to the market, because, again, we haven't seen before evidence of large numbers of consumers who, in fact, have made choices - spending money, doing things, making changes - in order to protect their data. And so we talk a lot about that and what that might mean for the future and why it's so important to companies to think about that third of their customers who today are already making choices. How should companies be acting in order to keep them? What should they perhaps be doing to embrace or encourage customers who may be not happy with what they're getting elsewhere to come to them? It's a big opportunity and threat for companies to think about. 

Dave Bittner: [00:17:11]  So do you see this as being sort of a shift from security and - or privacy being an obligation to perhaps being a competitive advantage? 

Robert Waitman: [00:17:20]  Absolutely. This started off being a compliance-driven activity, where organizations felt they had to check the box to do certain things, to be ready for GDPR or other privacy regulations in their country. And what we found, both looking at the corporate side and the individual side, is that there's so many other benefits that go well beyond that compliance idea. For organizations, it's all of the benefits they may get, not just avoiding fines that haven't so far been very significant or affecting most companies. And for consumers, it's not a check-the-box exercise of saying, yeah, you know, I met with some regulation. It's about treating their data properly. 

Robert Waitman: [00:17:57]  And this is so much now part of the brand. You know, one of these things that these privacy actives, this group of people that we've identified, has said is that they see how their data is being treated as an indication of how they themselves are being treated. It's a component of the brand and of the overall customer experience. And they won't even go to a company - 91% of them said we won't even buy from a company if we don't trust how our data is going to be used. So it's well beyond that OK, did you meet some requirement or check the box? And it's very much about the trust, the brand, the customer experience and the overall relationship that the company has with you. 

Dave Bittner: [00:18:32]  So what are the take-homes then for those on the professional side who are responsible for this data? What can they learn from your findings? 

Robert Waitman: [00:18:40]  Well, I think the first and biggest thing is to understand where they stand with respect to their own customer base, is if 32% of the worldwide population is now taking action, every company should be thinking about what it means for their own customer base. Is this something that they are doing well in exceeding the customer's expectations? Or perhaps not, and they need to make some changes. 

Robert Waitman: [00:19:00]  You know, a good example of this is just being clear and transparent with how your data is being used. It's actually something at Cisco we put a lot of effort on to try to tell people exactly how data is used in any of our products and services. And of course, we encourage all companies to do the same. We believe in that simplicity and transparency is very important to the customer. And if you want to keep them as customers and perhaps grow that base, that's very important. It's all about that trust. 

Robert Waitman: [00:19:22]  And then finally on this, I think the biggest concern that many consumers still have - and many of them are still saying, despite all this, I'm still not sure that I can fully protect my data - you know, is giving them sort of the tools to get that simple and transparent view. You know, don't make it hard for them to figure out how you're using their data. Go the extra mile, maybe perhaps what's more than what's required to build that comfort level and let all of your customers know what rights they have and what protections they have with respect to how you're using their data. 

Dave Bittner: [00:19:53]  You know, aside from that 32% number, which I - personally I find surprising. I wouldn't have expected it to be that high. Were there any other surprises in the survey? Anything that you learned that you didn't expect? 

Robert Waitman: [00:20:06]  Well, I - and you're right to comment on the 32%, exactly how we're seeing that being a big change from what people have seen before. I think it may be the beginning of an even larger group of people. So in addition to the 32% that met all three of our tests, there's another 35% of the population out there that met the first two tests. They said they care about privacy. They said they're willing to act by spending time and money. They see privacy as a buying factor, but they haven't yet done that third test of actually making a change. 

Robert Waitman: [00:20:35]  I think as this continues, if companies don't do the right things, we're going to see many more of them make that change. And we could be looking not at 32%, you know, but at something north of two-thirds of the population who are taking a more active stance with respect to protecting their data. I think that's a big story. Again, I wouldn't ignore a third, but I certainly would recommend everybody thinking about what the world looks like when two-thirds of your customer base are knowledgeable and willing to make choices to protect their information. 

Dave Bittner: [00:21:01]  That's Robert Waitman, Cisco's director of data privacy, on their Consumer Privacy Survey. 

Dave Bittner: [00:21:11]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:21:23]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.