In last week’s episode of Task Force 7 Radio, host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, and co-host Thomas Pageler, CSO of BitGo, dove right into the news headlines keeping cyber security professionals up at night. Continuing the conversation in Episode #72, the duo discusses one of the great mysteries in cyber security over the last year: What happened to the 143 million records stolen in the September 2017 Equifax breach?
But before getting to that story, Rettas and Pageler first talked about Google's payout of $3.4 million in bug bounty awards for the year 2018. According to Pageler, Google should be paying out even more, because it is a huge company and that is not much money to it. On last week’s TF 7 episode Rettas and Pageler touched on the topic of bug bounties, and Pageler reiterated the point here: you are basically getting third-party, independent views for a lot less than it costs to hire coders who then become institutionalized. This way, you get eyes on your products from individuals who look at them differently.
According to Rettas, Google launched its Vulnerability Rewards Program (VRP) in 2010, and researchers have since uncovered bugs in Chrome and other Google products. In 2015, the program was extended to Android products. This $3.4 million payout went to 1,319 individuals from 78 countries. The largest single reward was $41,000, paid to one individual. This posed the question from Rettas: “What would have happened if Google didn’t have this program?”
Pageler said that Google accomplishes two major goals with this. First, it gives individuals an incentive to go look in the first place: maybe it is a student who likes to dig into things and knows that looking into Google products and finding issues has a reward at the end. Second, there are people who simply stumble across mistakes. They are not necessarily fraudsters, but since they know there is a payment for the information they found, they may hand it over because it is worth their time. Local police offer rewards in the same way: individuals may witness a crime and think it is not worth the time or effort to report, but may step forward if some sort of reward is involved.
To Bug Or Not To Bug?
Similarly, Rettas and Pageler touched on Apple's decision to award a 14-year-old for discovering a Group FaceTime exploit, while at the same time a researcher was exposed who refuses to help Apple mitigate a vulnerability he discovered in macOS because he disagrees with Apple's bug bounty policies.
On one hand, the teen who discovered the FaceTime glitch now has huge potential. Apple is compensating him with some money so he can go to college and get some training; he could start his own company, or go into code review, pen testing, etc. There is a huge market for this, and Apple's reward to him for finding the issue demonstrates it.
Rettas said, though, that it is unclear what Apple will pay the family. Apple's compensation program ranges anywhere from $25,000 to $200,000 based on the criteria noted.
“To your point,” said Pageler, “that’s the kind of thing you might not find when you’re in the corporate box. This kid thought outside the box, but what’s really great about it is if he applies this anywhere, he’ll be picked up by any company. He has the potential to make sure we secure everything.”
On the other hand, the case of the researcher withholding a macOS vulnerability from Apple shows the negative side that can come with bug bounties. There are successes in the news and people are enjoying those successes, but Rettas had been reading an article about a researcher who won’t share a macOS bug as a protest. Here is the problem according to Rettas: “Bug bounty hunters start to think they’re in charge, that they’re the ones who are calling the shots. This may start to show the weakness in bug bounty programs.” If a researcher takes data and then refuses to disclose what was taken, it starts to sound more like ransom.
Pageler said that if Apple doesn’t want to pay for this information, then the researcher involved needs to accept it and back away at that point. “You can’t go exploit it, you’re causing it to become illegal,” he said. “If you’re not part of the company and doing it in a legitimate way, then it becomes a legal problem.”
Pageler advises that organizations need to look at their bug bounty policies:
- The policy needs to be online and part of risk and governance.
- It should explain what the company will pay for and the details it is looking for.
- If something is not defined online, there needs to be a contact listed to look at it further.
“Taking customer data is not allowed,” he reiterated, and Rettas agreed adding that: “It needs to be laid out in a clear way.”
Election Tampering And The Role Of Social Media
The hosts next unpacked the situation around the vulnerability of Israel's voting system. They discussed Twitter's and Facebook's responsibility for weeding out foreign intelligence agencies that intend to influence the elections of free countries, and what the United States should do to prevent foreign interference in its own election process.
While Rettas noted that Israel has a huge reputation for being at the forefront of innovation in cyber security, recent articles have said that its voting system has the potential to be attacked. Responsibility for protecting the voting system is divided between “at least nine different entities, leaving coordination and collaboration at the heart of any cyber security challenges that they have,” said Rettas. “It exposes a major concern about hackers and intelligence agencies being able to manipulate elections of free societies.”
Rettas framed this as two very different problems with election tampering:
- Intelligence agencies seem [to Rettas] to be launching public influence operations on social media platforms like Facebook and Twitter to spread misinformation and try to steer voters in a direction they see as advantageous to their own agenda. “A lot of times they just want to cause internal strife – they don’t care who wins, they just want everyone to turn on each other (similar to what’s going on here in the U.S. in my opinion).”
- The other issue is the actual compromising of the voting system itself, through these unknown (and maybe even known) vulnerabilities. “Altering the vote count or the re-count of votes in some cases … which can be an internal nightmare.”
In fact, there are already claims that hundreds of unnamed accounts have been uncovered. It is serious, as other countries are being blamed and/or becoming involved. Therefore, it posed the question: should the government get involved and ask social media outlets to take down fake accounts that are created to influence voting?
While Facebook and Twitter may not have the manpower to handle this undertaking (or the motivation), Pageler said that there are some areas where the government can step in and help. For example, in California, you cannot set up fake emails or accounts for the purpose of hiding your identity; if that is happening, it is a violation. The government should look at what laws are already in place that can be enforced with social media companies and “keep it at that.” If the government goes in and tries to control social media accounts directly, then the government itself is not following the law.
Pageler added that “at the end of the day, I can go tell people whatever I want and influence the vote – it’s too nebulous. If you say there are laws where we need to know who’s on the other side, there’s no issue with that.”
Rettas then went back to questioning whether social media platforms have the motivation to help with election tampering at all. Pageler said that it is in their best interest to follow the laws (freedom of speech), but without manipulation. Pageler predicts that we will probably see a transition to social media companies with a user review system. “We’ll see a move to that naturally because consumers want to trust social media more.”
Rettas asked whether the government should set up a team to monitor social media. Pageler answered that we need a special team, but not just with a social media focus – for voter fraud in general. He added that we need a cyber unit that is dedicated holistically and doesn’t get furloughed.
Even with AI, robotics and other cutting-edge technologies, do social media platforms have the capacity to remove fraudulent accounts? Rettas and Pageler explained that they do “get it wrong sometimes,” and can end up blocking someone who is legitimate. This, too, can have an impact on our elections.
Finally, Rettas brought up the fact that the voting platform itself is being tampered with. There were suspicions that the primaries in Israel had already been compromised: there were discrepancies between the number of votes counted and how many people actually voted. Eventually a security breach was exposed, showing that the results had been affected by tampering. Tampering with e-voting like this could potentially change the outcome of events to come, which can even lead to conflict.
“One thing is for certain – we have to do something [about securing e-voting] because the vulnerability of our election system and the lack of confidence of our ability to hold free and secure elections is ripping our country apart,” Pageler asserted.
And both agreed that: “Everyone is screaming about Russian hackers, and yet we’re furloughing cyber security professionals.”
Who’s In Charge Of Cyber Security?
Rettas started off the last segment by talking about the fact that “we got rid of our cyber czar last year.” Since we essentially ‘took away our quarterback,’ it is a big concern in the industry. But there isn’t any consensus either on who is in charge of cyber security.
Last week, a Washington Post article stated that “Responsibility for the nation’s cyber security is spread piecemeal throughout the government without a single person or agency in charge. That creates dangerous gaps that U.S. adversaries could exploit to hack the government or critical infrastructure.”
Homeland Security Chairman Ron Johnson (Wis.) and Mike Rounds (S.D.), chair of the Armed Services Committee’s cyber panel, are “mulling how they might create a centralized government authority for cyber security issues,” according to the article.
While Rettas noted that the article is likely politically motivated, he said that, looked at from a business perspective, someone needs to be in charge.
Pageler noted that “if they can get some momentum here,” it could be a positive start. In addition, boosting bug bounty programs and looking at staffing – such as introducing competitive programs to recruit young talent, or debt forgiveness to get them in and trained early – helps to train and retain better talent. “Some will lead the private sector and in turn work in line with the government.”
Rettas asked: Right now, for the most part, DHS handles civilian security whereas DOD handles the military side; where should the centralized authority lie?
Pageler explained that DHS should own defense. “Let’s get a really good defense first. Then coordinate with DOD on offense because I think the offense would come out of the military.” He said that we should “mirror it like anything else: We have police to protect inside, and when it’s bad enough, you bring the big guns out and bring in military.”
Where Is All The Data From The Equifax Breach?
To round out the show, the duo discussed one of the greatest mysteries in cyber security over the last year: What happened to the 143 million records stolen in the September 2017 Equifax breach?
“The fact that we haven’t seen any fraud associated with this really scares me,” said Pageler. He believes that either a really strong organized crime syndicate is involved, or a “nation state has done this to help them build up a database on who we all are.”
“What if it’s something no one has even thought of?” asked Rettas. According to Kate Fazzini of CNBC, it has been 17 months since the breach in which the data of 143 million people vanished into thin air. Fazzini talked to intelligence officials, dark web hunters, and even Equifax to find out where it went and what it could possibly be used for. Her leading theory for now is that the data was stolen by a nation state for spying purposes. So Rettas asked, “Does this change the seriousness of the breach?”
“This data is gone,” said Pageler, so there are two things we need to do:
- We need to start locking down future data so that if it is a nation state, or someone else really trying to learn about us, they can’t keep populating that database. What they want is more live data to keep it going, so by locking it down, at least, maybe we can protect future generations.
- We need to start really thinking about every type of attack that can come from this.
“We need to prepare for that, what we would need to do, how to stop it. If fraudulent accounts start to double or triple, how would we respond to that?” asked Pageler. “The thing that really scares me is this could be a huge impact to our intelligence community.” Pageler explained that we have CIA/NSA operatives who are out there, who go and recruit spies. So, if they have this data, they can start to identify who they are (that they’re potentially a spy). “How do you work with human assets when word gets out that potential spies are identified?”
And while Rettas brought up the notion that “they’re not looking for the average Joe, but people with power” instead, Pageler debunked this by saying, “Not necessarily. If you make life miserable for people who are living paycheck to paycheck, it can really shut us down (i.e. farmers).”
The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.