Cyber Weekly Roundup – October 6, 2017

Written October 6th, 2017


By Andrew Paulette and Colby Proffitt

1.) Facebook says 10 million U.S. users saw Russia-linked ads (October 2, 2017)


Summary: Some 10 million people in the United States saw politically divisive ads on Facebook that the company said were purchased in Russia in the months before and after last year’s U.S. presidential election, Facebook said on Monday.

Why it matters: While the degree to which the ads discussed in this report influenced the election is unknown, it is clear that state actors will use whatever means they can to influence the populace of other nations. This includes the growing influence of social media, and we can expect to see these tactics integrated into the cyber “playbooks” used by nations to influence the stability of their allies and adversaries alike. Facebook’s decision to collect more information on the companies purchasing ad space on the site and to make that information available will help ensure better transparency. Governments may also weigh additional regulation applied to purchasing political ad space on the internet, which is currently less regulated than TV and radio ads.

2.) White House wants to end Social Security numbers as a national ID (October 3, 2017)


Summary: Rob Joyce, the White House cybersecurity czar, said on Tuesday that the government should end using the Social Security number as a national identification method. “I believe the Social Security number has outlived its usefulness,” said Joyce, while speaking at The Washington Post’s Cybersecurity Summit. “Every time we use the Social Security number, you put it at risk.”

Why it matters: Establishing a cryptographic token to identify individuals instead of a static number such as a Social Security number would be a welcome change that would reduce the risk involved in providing proof of your identity. In addition to a public-private key infrastructure to help reduce risk (users get the public key, only government holds private key), it may also give the federal government the ability to re-issue a cryptographic token should the private key be compromised. This is currently impossible with Social Security numbers, which means a single compromise is all it takes to ruin their use as a means of authentication.

3.) 6 Fresh Horrors From the Equifax CEO’s Congressional Hearing (October 3, 2017)


Summary: The initial drama over Equifax’s September data breach has mostly subsided, but the actual damage will play out for years. And indeed, there turns out to be plenty of spectacle and public controversy left. It was all on display at a Tuesday Congressional hearing, in which lawmakers questioned Equifax’s former CEO Richard Smith in an attempt to make sense of how things went so wrong.

Why it matters: The details provided by Equifax CEO Richard Smith point to numerous problems that are unfortunately not exclusive to Equifax. A stronger foundation in some basic information security hygiene would go a long way in preventing future breaches. Specifically, organizations need to do a better job maintaining their hardware and software asset inventories. Failing to patch your main application’s framework, regardless of security scans, is unacceptable.

It is impossible to provide effective information security to an organization if you do not have a full understanding of what you need to secure, and failure to complete this foundational step in your information security program will result in future breaches and incidents like what Equifax has just experienced.

4.) Is driverless delivery coming to USPS? (October 2, 2017)


Summary: Most Americans tend to see a driverless vehicle future as coming whether they like it or not. Citizens expect the Postal Service to deploy driverless delivery trucks. But they’re not certain that would be a good idea.

Why it matters: There’s a rapid shift away from brick and mortar retail to an order-and-deliver model. That shift, arguably initiated by Amazon, is the reason other delivery services are considering new technology as a way to provide services to their customers at a lower cost and a faster speed.

After the research described by Jake Soffronoff, USPS is still unsure whether driverless cars are an operationally feasible option. USPS considered two models: long haul trucks and neighborhood delivery trucks. Of the 2,800 people surveyed, the public didn’t really see a benefit unless they received their parcels faster or shipping was cheaper.

What this article and interview don’t discuss are the potential risks of using driverless cars. Should USPS move forward with this approach, there would likely be an actual person on the truck, but they wouldn’t be driving. While this technology might bring long-term benefits, USPS must also weigh the immediate risks. With so many examples of how driverless cars have been hacked, it’s possible that cyber criminals could not only hack into the vehicles, but also then access the delivery system and applications used by the delivery men and women.

5.) Russian Hackers Stole NSA Data on U.S. Cyber Defense (October 5, 2017)


Summary: Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

Why it matters: This story adds context to DHS’s recent mandate that all federal agencies remove Kaspersky products from their networks. DHS had previously provided general statements of the risks involved in using the Russian-based antivirus software, which did little to help inform companies and the public whether the risks were specific to federal organizations or also applied to businesses and end-users. Specific examples of compromise such as this one should help inform the public and organizations of the risks involved in using the antivirus.

In addition, the fact that classified documents were stolen from a contractor’s personal computer points to continuing challenges in keeping classified information on classified networks, similar to the data spills/leaks seen with Edward Snowden and Hal Martin in recent years.

6.) Fear Not: You, Too, Are a Cybercrime Victim! (October 6, 2017)


Summary: Maybe you’ve been feeling left out because you weren’t among the lucky few hundred million or billion who had their personal information stolen in either the Equifax or Yahoo! breaches. Well buck up, camper: Both companies took steps to make you feel better today.

Why it matters: Krebs’s advice to consumers also stands true for organizations implementing their cybersecurity: “Assume you’re compromised, and take steps accordingly.” While many organizations focus on planning a secure architecture during the initial phases of their information systems, operational realities can soon throw those plans out of whack: unpatched machines, privileged accounts with too many privileges, and users clicking on email attachments they should know better than to open are a few examples of the challenges faced. Organizations need to ensure they have adequate controls in place not only to prevent intrusion into their network, but also to detect and correct incidents faster to reduce the damage from these intrusions.