Welcome to the latest episode of the State of Enterprise IT Security podcast. In this session, we look at digital privacy and cybersecurity from three angles.
Host Brad Bussie, Chief Information Security Officer at e360, walks through Facebook's user monitoring and data sharing practices, showing how our digital footprint is more expansive than we often realize; a leak of roughly 26 billion records found on an open storage instance; and the password-spraying breach of Microsoft attributed to a Russian state hacker group. Join us as we explore these topics and the balance between user privacy, basic security hygiene, and business needs in an increasingly connected world.
[00:00:46] Hey everybody. I'm Brad Bussie, Chief Information Security Officer here at e360. Thank you for joining me for the State of Enterprise IT Security edition. This is the show that makes IT security approachable and actionable for technology leaders. I'm happy to bring you three topics again this week.
[00:01:07] First one is: did you know that Facebook monitors its users? I'm sure you did. But did you know that that data is available and sent to thousands of companies? The second one, a bit of a warning. I talked about this last podcast, but the data as part of one of the large breaches has gotten even bigger.
[00:01:33] So we'll talk about right around 26 billion records being leaked. And a lot of that comes from places like Dropbox, LinkedIn, and Twitter. The third one is the Microsoft network security breach, and it was breached through password spraying by a Russian state hacker group. We'll talk about that. So with that, let's get started.
[00:02:02] So, Facebook. Interesting. I think we all have had this discussion before, where we're sitting in a room, we're all talking about something. Maybe we're talking about where we like to eat, and perhaps it's Chinese food. And the next thing you know, when you pull up Facebook, it's full of feed about Chinese food.
[00:02:26] So it's interesting, because we've had discussions in the past and Facebook has said, no, no, we don't listen. We don't turn your mic on. There's none of that. It's actually the behavior from us as users of the service, where maybe a day before we were looking up Chinese food, or maybe we saw something and we clicked on it or we hovered on it for a bit of time.
[00:02:53] So when you look at how much data goes into this, you can start to see how these organizations are learning about us. They're learning about our habits, and what was done to really give this concept some merit is: there was a study that was done, I think with right around 700 volunteers, and they shared their archives of Facebook data.
[00:03:27] And it was interesting, because I think they found like 180,000 companies that were sent data from the social network. And I think, I want to say it was like, for each user there were 2,000, you know, 2,200 different companies, and it varied depending on your demographic. So your age, where you lived, what you were interested in, the things you clicked on. And I found that just super interesting, because I enjoy data.
[00:04:01] And you've got to wonder what's being done with that. So when you think about it, really what it is, is advertising targeting at its basic level, because Facebook is trying to make money there. They're definitely a business. But then there's the information that is shared that I'm not quite sure what Facebook is after, but I think it's what their network of advertisers could actually do with that information.
[00:04:33] Because there's a large company called LiveRamp, and what they are is a data broker. So all of this information that we may not understand what the use is going to be for, LiveRamp just makes it available. And it could be a variety of different things. There's a lot of different data brokers out there, and Facebook definitely sends a lot of the information to some big retailers: Home Depot,
[00:05:01] Walmart, Target, and others. So, there's a lot of information about this out there. So, if you're interested in learning a little bit more, I would suggest you take a look, Google search it, and it'll give you a little more information on what is actually in those data sets. But as a cyber professional, I want to give you something to think about, something to consider.
[00:05:31] And there is actually a way where you can prevent your data from being sent by Facebook and others to, you know, wherever they're wanting to send it. So if you go into Facebook and you go under your Account Center, and then you click on Your information and permissions, you're going to be shocked at how many different organizations show up there that are being sent your data.
[00:06:01] So what you can do is you can actually go in and disconnect the different companies, and in essence, they'll no longer send your data. The challenge is, this gets updated pretty often, and just because you disconnect once doesn't mean it's disconnected forever. So you really have to stay on top of it.
[00:06:21] And, you know, maybe that's a business idea out there for somebody, being able to do this and do it as more of an automated type of a feature. You can also request a copy of your data, and you get just this gigantic file full of stuff. And in some cases, what you get is a table that's got a bunch of ones and zeros and things like that.
[00:06:48] And really what it is, is telemetry. It's how long you hovered over something. And it's pretty crazy how companies are going to use that, but they are definitely using it. So the debate has been going on for a while about, we as consumers, do we have the right to say, I don't want you to do that?
[00:07:12] I don't want you to share any information about me. I want to be able to watch whatever I want to watch and not have that fed into an algorithm so I get more or less of something. So there is a national data privacy initiative underway, similar to what the EU is doing with GDPR; it's going to be national for us in the States.
[00:07:38] So if you're watching this from the States, it's something that California has really helped to pioneer, and what we're going to look for is things like requiring companies to adopt, call it, a data minimization strategy. So we're only collecting the most minimum sets of information to perhaps advertise or do other things; making sure that we're expanding the powers of what's called an authorized agent, and that's someone who acts on behalf of consumers to act on their rights.
[00:08:18] Think of it as like a permission slip to go on a field trip, and without that, you're not going, which means without that, your data is not going. And then increasing ad transparency. So creating archives that allow the public to go through and look at what is actually in there and what's being served up on these platforms.
[00:08:42] And I think we should follow the lead, because the European Union, they're already doing this. They have a Digital Services Act. And I think it's something that we should definitely take some direction from. And then, improving the quality and readability of data. Like I just said, when you have a table that comes across and it looks like gibberish to a consumer, but it contains something very important that is exposing your privacy,
[00:09:14] I think that's a problem. We should all be able to understand what's in that data set, and in essence have a translation that says, this contains how long you watched something, where your cursor hovered, or where you were pressing, or what was scrolling along the side. It's a lot of data, and it's kind of scary when you think about it.
[00:09:36] So I'll leave you with that on number one. Second topic of today is the 26 billion records leaked in a pretty massive, I'm going to call it a data breach, but I think what's contained in this is a lot of information that's been out there for a while. But the danger of this particular set of data is that it's a set of data, and it has email addresses.
[00:10:07] It has social security numbers, addresses. A lot of the things that we just talked about from a Facebook perspective, it's in this data file. So the concern is not that it's going to be leveraged to try to log into an account or an email address. I think that is a concern, but it's more of the social engineering aspect.
[00:10:29] So if an attacker can learn a lot about you and your behavior, it gets way easier to socially engineer an attack against you: sending something in the mail, in the post, being able to send a very well crafted email that you have to think about. And gone are the days of the Nubian Prince saying you have a bunch of money somewhere, because you would pull that up and look at it.
[00:10:58] You get those all the time. The English maybe isn't that good. And it's pretty spot on that, you know, you don't have any money anywhere. But now they know where you bank. They know where you go to school, where your children go to school. I mean, this data set is crazy. So the ability to create a social engineering style of attack that says, hey, I need you to log into your school portal, or I need you to go and update some information for the city and county that you live in.
[00:11:35] It's freaky, because it's not just about banking anymore. It's about the wider set of data that encompasses who you are as a person, your habits, your shopping. Eventually, what are they trying to get? They're trying to get the data and they're trying to get the financials, but it's what I would call a much longer game than it has been before.
[00:12:02] So, again, this data set, 26 billion records, it was found on an open storage instance. And really what that means is it was probably a dumping ground for a lot of different malicious actors, or even a malicious data broker. And it's interesting that it was out there for all to see, but I think what we're seeing is that even cyber criminals make mistakes, and leaving something open, which we call like an open share, that's something that organizations really worry about.
[00:12:39] And I think now it's something, this is weird to say, this is something that attackers need to be concerned about, because that makes it much easier for government agencies and cyber defenders to actually do something about it and bring that data set down. Now, the third issue, or the third thing I'd like to talk about today, is one
[00:13:06] that's pretty large. And it's about the Microsoft network being breached. And we talked about this topic last time, which is through a password compromise. And it was through password spraying, and it was a Russian state hacker group that conducted the attack. So this is interesting mainly because it's not like this some huge,
[00:13:37] crazy hack where they had to do a lot of different things that you would maybe not expect, like they took some code, or they attacked a specific server, or they took advantage of a zero day vulnerability, like all of these very, I'd say, spy level things that you would expect from a nation state?
[00:14:01] No. They used the same old: let's look at what's on the dark web. Let's find a user and password combination. And let's just try those. And let's try those repeatedly on a bunch of different access points. And lo and behold, because an organization isn't doing basic cyber hygiene, they were able to attack one of the most vulnerable, I would say, demographics in an organization, which is senior leadership.
[00:14:36] So this came through and impacted senior leaders. And just in my experience as a cybersecurity practitioner, I see this all the time, where everyone else changes their password. They've got to do it every 30 or 90 days. They have a multi-factor token. But maybe you have a senior leader that, that's just not their jam.
[00:15:03] They're not into it. They don't want to have to comply. So we create a policy that says it's okay for Brad to not change his password, because he's moving too fast. He's closing the big deals. He's doing all the things and we can't bother him. There's no way that he can be locked out of his system or his email, because there's just too much going on. And, "I can't seem to get my multi-factor to work on a consistent basis." So, you know what, you don't have to use it. And I'm sure you're sitting there shaking your head, like, that doesn't happen. It still happens.
[00:15:41] And this is, I think, proof that these kinds of things still happen. And I can't speculate, well, I guess I can speculate. Was it active accounts? Was it accounts that hadn't been deprovisioned? There's some things that they're not saying, and that's okay. You don't have to tell us all of the things that happened.
[00:16:00] However, what we are noticing are signs of a clear lack of blocking, tackling, and the basics of cybersecurity hygiene. So, last episode, I urged you to consider getting rid of your passwords, moving to passkeys. And which account was I really focused on? It was your email, making sure that that is one of the hardest accounts to compromise, because what happens if that does get compromised?
[00:16:36] You can reset passwords for a bunch of other sites and accounts. And next thing you know, an attacker has access to a heck of a lot more things, and you're locked out of your email, and they're going through and resetting everything and gaining more and more and more access. That's a bad day. So I think, if I'm talking to Microsoft about this, it's really just getting back to the basics and making sure that we don't make those exceptions anymore.
[00:17:10] Because when we make exceptions at the highest level, that's our most vulnerable population. And in a lot of cases, they have the most access out of anybody, because that just kind of happens. Let's say you started, this is going to be funny, let's say you started in the mailroom. This was 30 years ago. And you've slowly moved up.
[00:17:32] What I find has happened is you get access to more and more and more and more things. And if you don't have the proper identity and access management system that does what I call reprovisioning, which means you only have access to the things that you're supposed to have in the job role that you have today,
[00:17:54] what I see in most organizations is like an aggregate. You just keep getting more and more and more access to things as you climb the ladder. And next thing you know, I've got access to the mailroom information. I've got access to accounts payable. And wait a second, I was actually in accounts receivable at one time, because that's how my organization went.
[00:18:17] And next thing you know, Brad can write himself checks. And as much as I would love to be able to do something like that, we don't want those types of things to happen. So that's why we have separation of duty. That's why we have the reprovisioning processes with large identity and access management systems.
[00:18:34] And the crazy thing is, Microsoft has that technology. So the fact that this wasn't done is maybe an oversight, but honestly, in large corporations and organizations, this happens a lot more than you would think. So the fact that the Russian group Midnight Blizzard gained access to the environment is not a surprise.
[00:19:00] They were in production systems. And now here's the big question mark. How deep did they get into Microsoft and 365? And I think what Microsoft is talking about right now is there's no evidence that they got into source code, into any of the AI systems, or like deeply into the Microsoft 365 service.
[00:19:30] But here's the thing about hackers. What do they typically do? They'll drop things in an environment, and that stuff will lay in wait. And sometimes it'll lay in wait for months or even years. So, with this style of an attack and the fact that it was a nation state, this is a big one, and I think we're going to be hearing about some of the repercussions for quite a while.
[00:19:58] So something to watch. I think Microsoft is definitely going to spend some time on this and making sure that they can trust their own systems, and they're getting some of the best cyber defenders in the world, some of the best incident responders that money can buy, and that's a good thing.
[00:20:20] So, if I leave you with one bit of sage advice, it is: spend the time on the cybersecurity basics. And one of those basics is making sure that passwords, if you still have them, are rotated on a quasi-aggressive basis, but also make sure that all of your accounts have some form of second factor, just so people can validate you are who you say you are.
[00:20:59] And the second piece of it is, are you coming from a device? And is that device who it says that it is? And having those two bits of information will prevent, I'll go out on a limb and say, 80 percent of attacks. The other 20 percent are the ones that are a little more targeted towards an identity provider specifically.
[00:21:24] So with that, have a great rest of your day and thank you for joining us.