Transatlantic Cable podcast, episode 93

May 23, 2019

For episode 93 of the Kaspersky Lab Transatlantic Cable podcast, we touch on some old favorites as well as a new way to get a day off from school.

Our first story looks at the latest allegations of wrongdoing at Facebook. We talk about the data shared between telcos and Facebook, and how it can potentially impact credit-based advertising. We stay in the Facebook ecosystem for the second story and look at the shockingly high number of people who still have not updated their WhatsApp, especially on corporate phones.

The third story dives into the latest feature of Dota 2 that lets users pay to avoid offensive players. From there we head on to the latest hang-up for 5G in the UK — and it is not what you might expect. To close things out, we head to Ohio and a curious way kids got a free day off of school (spoiler: It involves malware).

If you enjoy the podcast, consider subscribing and sharing with your friends who need more regular updates on security. For the full text of the stories, please visit the links below:

Jeff: It seems like our hiatus of talking about Facebook on this podcast is really short-lived. Yeah, it’s been like two weeks.

Dave: We purposely decided not to talk about Facebook for the last two weeks. And there were a couple of juicy stories where we said no, we’re not going to read these. We’re not going to talk about these because we have been in following-Facebook mode for the last two months. But then this story comes up. And I think we both agreed that we had to talk about this one. So this one’s over on the Intercept. And it’s talking about how Facebook is now, allegedly — and there’s lots of anonymous sources in this article, so do take it with a little pinch of salt — the article says thanks to Facebook, your cell phone company is watching you more closely than ever before. I mean, this has got all levels of creepy on it, isn’t it?

Jeff: Yeah, I think the first part of it is just talking about how Facebook harvests data about what’s on your phone in the app, and where you can use it, and puts it into its advertising model. Now, I think anybody that looks at the T’s and C’s of the app or follows this podcast or is following, you know, the beatings Facebook has gotten in the news lately, a lot of privacy, despite what Mark Zuckerberg says, is really not built into Facebook. It’s built into being let’s be honest, it’s the Google of social networks.

Dave: Yeah. And I think this article is talking about how Facebook is kind of courting and working with cell phone carriers. For all non-US folks out there who are listening to this a cell phone, sorry, a carrier is you know, your mobile phone provider, like Virgin or Three or something like that. But you got the big guys over there: T-Mobile, Verizon is another one, AT&T. Sprint. And so that’s that. Yep. So Facebook is working with these carriers to share data and try and kind of zero in users a little bit more, so they can create more targeted advertising. And I think that’s where the level of creep comes in. Because, you know, we’re seeing now Facebook working with carriers, probably for the first time. And we’re starting to see this sort of blurring of lines a little bit here. I know, Facebook, the latest F8 developer conference, they were talking about how they’re going to be moving the company away from its current advertising model to a more sort of privacy-based system. We all had a belly laugh at that one. Time will tell, I think, on that — I mean, to be convinced. And I think you’re probably the same.

Jeff: The story, like you said, is about, you know, a leaked internal document, reading into things, and talks about how this could be used to target based on credit score, and how that might run afoul of some laws that are in place. But as I read it, and as somebody who’s advertised on Facebook for a long time, and also been on the platform for a long time, I think this stuff is possible. But it’s also a reach in some ways, in terms of like what you’re doing, you have to have some really detailed builds with Facebook to be able to get to this level of data. And I know, for example, some of the things that they’re talking about here, like where you can start to see income and things like that, that you could theoretically build credit scores based upon. I’ve only seen that actionable item within US-based audiences. So, when you look at like, the page insights, it’s only for American audiences.

Dave: Yeah, I mean, this is a very US-focused article. I think you’re right, that income-based targeting isn’t available outside of the US. Again, having worked inside Facebook advertising for a fair while, we don’t see it in the EU. And I can’t imagine with the whole GDPR and everything like that, and the sort of privacy focus that the EU has at the moment, I can’t imagine that anything like that would be —

Jeff: — Wait, you guys have privacy?

Dave: [laughs] Well, we have a pony called Privacy. Sorry, a unicorn called Privacy. I mean …

Jeff: I wish I had a pony unicorn. But no, with this one — I think with this story, it’s just another wake-up call. I think the thing that I’d say about this story is read it to kind of get a picture of what’s being done on there. And I think the part of it that brings to light something in this article that I think is good for general users of Facebook, no matter what continent they live on, because the lookalike audiences that can be built based upon e-mail databases, is something that does factor in equations that come in on the back-end of Facebook. So if you know you have a one-to-one e-mail match, what does — what does David Buxton look like? What does Jeff Esposito look like? Now, to a 10% lookalike, how many of the qualities do they share with this in terms of similar users? So that’s kind of how the tool works, where it builds upon other types of things. So I don’t think this is as sleazy as some of the past things with Facebook. But I think it’s more of a wake-up call when it comes to data. And I think this is where the general user needs to start looking at some of this stuff.

Dave: I think you’re right. I think users really shouldn’t be surprised by this. I mean, you basically sign your life away when you sign up. And pretty much any social media network because unless you’re paying for it, as we’ve said, like 1,000 times before, if you’re not paying for it, you are the product. These things, just continue to prove that. Yeah. Anyway, continuing along the Facebook and privacy wagon, this next story’s talking about the majority of WhatsApp users are still unpatched. This is talking about enterprise users, but you know, vis-à-vis, I’m pretty sure you can talk about just general, you know, Joe Bloggs on the street. And it’s basically saying that WhatsApp users are still unpatched a week after this major critical vulnerability was found.

Jeff: And I think that’s a big thing, especially with corporate users, because I know, we use WhatsApp, among other tools. And I think when you think about it in the bigger picture, it’s really just going in and making sure that you update your apps. And a lot of times, it’s not going to be a push update, when it’s a quick patch like what was done by WhatsApp with this one. But the next thing with it is, it’s just when you go in, go into your app store, go into the Play Store, check all of your apps for available updates, because it won’t always push it to you, and carriers might slow updates for theirs. So you might need to push it yourself.

Dave: Just looking at the numbers here, it’s 52% of iOS users and 48% of Android users are yet to patch. That’s a full half of everybody surveyed have not yet patched. I’m surprised by that.

Jeff: It’s because it’s not automatic. And people are lazy. And for the most part, they’re not going to do something if it’s not pushed to them. And I think a lot of times when you’re talking about the corporate level of this, it’s a business phone like we were just talking about earlier.

Dave: Do you think people just kind of go, “Work’ll sort it out? I’ll leave it, I’m not going to bother doing it?” Is that the sort of thing? Yeah, could be.

Jeff: I think so. Think about it this way: Most corporate users are also PC users. Whose patches get pushed to them by their IT teams. Versus it being something that they can control. And I think that’s that mentality. But also, if you look at what we were talking about earlier, I had to WhatsApp somebody, one of our colleagues in the UK, and I don’t have my work phone with me. It’s upstairs. I have my personal phone with me in my hand, but not my work phone. So if you think about it that way, in a sense, it’s work phones for work, not for always personal. So I think that’s something to keep in mind, too. So update your WhatsApp, if you are one of these people who have not done it yet.

Dave: Or even better, just enable auto-updates. And the system does it for you. You can go back to not having to think about it. Shall we jump over to the next story. You picked this one, and it was quite an interesting one, wasn’t it?

Jeff: We’ve talked a lot about the gaming industry, and we’ve talked about Valve and Steam. And we’ve also looked at the whole issue of the toxicity, you know, whether it’s a Gamergate or something similar, and there’s always nasty people online. And an interesting thing is coming out for Dota 2 where, the people who buy the new premium subscription, or their battle pass, are able to try to block certain users from playing with them online.

Dave: Yeah, I like the idea of this. But the simple fact is that — and I think quite rightly, the article’s author points out — this shouldn’t be something that we have to pay for. You know, I’ve dealt with a fair bit of toxicity playing on games in the past. And yeah, sure enough, it’s easy to mute people and just leave games and things. But the fact is, those people are still out there causing all sorts of problems for other people, so the fact that Valve, I won’t say audacity, but they think they can get away with charging for something which should be basically like base game is staggering to me that they feel that players should pay an extra $10 to be able to avoid harassers.

Jeff: But I think the other part about it, too, is it’s not — how do I say this right? — it also doesn’t seem like it’s foolproof. It can suggest that they don’t play in the same games as you, but they can still — as I read it, it’s not foolproof.

Dave: It is, as I understand it, an experimental beta system. So it’s still being worked on.

Jeff: [laughs] Another reason you don’t pay 10 bucks for it.

Dave: I mean, you kind of sign up to a beta like, you know, you do with most other things, and betas as far as I understand them are usually free, right?

Jeff: Yeah, I’ve got a few. I’ve got a Slack beta. I’ve got a Facebook beta.

Dave: But for them to charge is still like, what? I don’t understand it. But you know, what a world we live in.

Jeff: And hey, look, people pay for stuff. And I think that the problem here is this is a general I think, as I read it with the way the article’s written and maybe this is just a slant that the author takes but you know, it’s one of those things where, hey, if you can market it as a good thing and people don’t realize it, that’s where it goes.

Dave: Yeah, that is true, sadly, sadly. I still believe it should be free, but maybe I’m just a grumpy old git.

Jeff: You want people to get off your lawn.

Dave: Yeah. Yeah, definitely. Now got a new one as well.

Jeff: Mine, I’m the only person who walks on it now, because I’m still watering it.

Dave: We sound old. Shall we, the two old guys, jump over to the next story? This one I find hilarious. It’s over in the UK. And you know the big news story at the moment. I don’t know about you, Jeff, but over here in the UK, everybody’s talking 5G and it’s driving me up the wall because all they seem to talk about is 5G 5G 5G. But this story kind of stuck out because apparently there’s been a delay to the rollout of 5G — and not for some sort of crazy technical reason. It’s down to of all things lampposts. Which — I scratched my head when I read this story. Turns out that lampposts are an ideal place to stick 5G transmitters, I think because they’re smaller, you know, the big —not the lampposts, the big kind of transmitters we have at the moment. Those huge great big whacking white things might be a thing of the past because 5G transmitters are a lot smaller, and they can stick them pretty much anywhere. But it turns out there’s a lot of legal ramifications about sticking 5G transmitters in lampposts —

Jeff: This is a wonderful world — so we go from Facebook maybe looking at stuff on your phone, to selling it to advertisers, to some people not patching WhatsApp to Valve maybe trying to not really block private issues or bad players. And then now you’ve got lampposts holding stuff up. So it’s not the issues that are going on with Huawei or ZTE, now, in some of the areas that could be holding up 5G, it’s lampposts —

Dave: — councils and lampposts. I’m telling you, the whole system’s messed up. What a world we live in.

Jeff: Make Britain Great Again.

Dave: Make lampposts great again. [laughs] Now, I mean, this one is we just added this one in for a bit of fun, but I think it does have some I don’t want to say bad ramifications, but it may slow things down that they’re saying in the article that 5G rollout may be slowed down by a year or two, which I don’t know if people are a bit gutted by that. But for me, I don’t see it as a real problem. I know we have some carriers over here in the UK, which are now starting to roll out 5G. I think, off the top of my head, T-Mobile will be rolling out 5G in either London or Birmingham this year, actually, so maybe they’ve got no lampposts, maybe, their lamppost infrastructure is up to date.

Jeff: I don’t know but you know, what’s not up to date. Now, we’re going to move back to the States and we’re going to go to the wonderful state of Ohio. O-H-I-O, for those that like Ohio State Buckeyes, but you go into this, and the Coventry comments posted on their Facebook page: Dear Coventry families, Coventry local schools will be closed tomorrow on Monday, May 20, 2019. School is closed for all students. Staff still needs to report. Unfortunately, at the end of last week, our district’s network and computers were infected by the TrickBot virus. TrickBot is the new snow day.

Dave: You beat me to it. I was gonna say, we used to have snow days, now they have TrickBot days. I mean, what the hell? Did they not have any sort of basic antimalware solutions on their systems? But yeah, kids are loving this, aren’t they?

Jeff: I think just looking at this. This is like the greatest message on a Facebook page. And I know it’s poking fun at somebody who’s had a bad thing happen to them, but beyond what was done is that this infection didn’t come from a student, which is an interesting area. And this brought down the school’s IT systems, including their PCs, their phones, and their HVAC system. So you can’t have heat or air con working for you if you’ve got this kind of issue.

Dave: That’s not just the case of the computer is not working. I mean, that’s serious stuff, the whole network — everything — has gone down, which, yeah, that’s a pretty big thing. I mean, if heating is not working, I can kind of understand why they’re not sending kids to school.

Jeff: And I think one of the things that comes up about this is that — in looking more into the story, the FBI has been counseling the school district on recovery — one of the things that DHS has pointed out recently is that TrickBot attacks are on the rise. So even though the malware is old, it’s something that’s still on the rise.

Dave: Well, we say old — I mean, it’s like, I think you researched this in 2016, 2015, something like that. It’s old in malware terms, but I mean, not ancient, really.

Jeff: Yeah. And one of the things is, they did go back to school. So that’s another thing the article talks about, as we get to. But one of the things that now the school had talked to the press on here, and one of the things it says is, it seemed that once one machine was infected, ten more were right behind it. Soon the whole network essentially stopped functioning. So, you’re looking at something that’s a pretty decent-sized attack to a school system, which is not always going to be the — we’re not talking about a giant government system. We’re talking about something where we’re educating the kids, so it’s not always the most sophisticated of platforms.

Dave: Yeah, I mean, it kind of reminds me of the other sort of attacks that have happened in — like, it’s a bigger study, but like the NHS over in the UK, and it just goes to show that —

Jeff: One thing can really —

Dave: —yeah, one small thing like that, you know, NHS was hit by WannaCry a few years ago. And I think it just goes to show that just having patches, updates, and, you know, some sort of protection in place, stop these things. But I suppose hindsight is a beautiful thing, isn’t it? You know, these people will probably go, “Well, yeah, we should have done that.”

Jeff: But, again, it comes to budgets. So like, yeah, we’re talking about before with, you know, with updating work iPhones, it’s like, to be honest, like, if something’s there and you don’t fit into the budget, maybe it doesn’t go the right way as you planned. It’s good to hear they’re back up and running. We don’t wish anything bad upon them, even though, you know, their school got out there. I wish —

Dave: Although the kids loved it.

Jeff: Oh, the kids must love this. Like you can’t — like, they had to re-image 1,000 computers and laptops. Which, if you think about it, like, we go back to WannaCry, and I’m sure that, you know, the company’s impact, like the NHS bought new infrastructure. Yes, it’s cheaper to buy new than to replace. So, school systems don’t have that type of disposable income. So, well, kids, you got a nice new day off, but this might be something we see in the future. What do you think, Dave?

Dave: Oh, yeah, definitely. Things like this are going to carry on.

Jeff: All right, folks. There you have it. It’s a wrap. This week’s edition of the Transatlantic Cable podcast by Kaspersky Lab is in the books. If you like what you heard, please subscribe below. You all know, sharing is caring, so please share it with your friends if you think they might be interested in it. If you think Dave and I got something wrong or there’s a story we should cover, hit us up @kaspersky on Twitter, and we look forward to your comments. Until then, happy trails and we will see you next week, same cybertime, same cyberchannel with next week’s edition.