CyberWire Daily - Daily: Black Hat USA, Android upgrades, and mind control (maybe).
Episode Date: August 3, 2016

In today’s podcast we follow the latest fallout from the DNC hacks (Russia’s still the prime suspect). Fears of election hacking rise in the US. Government electronic surveillance rises worldwide, driven in part by increasing fear of jihadist terrorism. ISIS unit “Emni” is said to have broad responsibility for recruiting and organizing terror cells. Android security upgrades from Johns Hopkins University expert Joe Carrigan. Tripwire's Dwayne Melancon explains spearphishing. A quick look over at Black Hat USA. And some observers think Pokemon Go is a mind control tool. (We don’t, except insofar as any popular mania amounts to mind-control.)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
WikiLeaks' release of DNC emails prompts three more senior resignations. Security companies continue to see a Russian hand behind the doxing. Fears of election hacking rise as observers point out issues with e-voting. Citizen Lab continues its reports on governments' adoption of surveillance tools. An ISIS jailhouse interview casts light on terrorist command and control. The NSA gets some new love from Europe. 18-wheelers get a proof-of-concept hack. We take a quick look at Black Hat, and NFL fans want to know, is Pokemon Go being used for mind control?

I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, August 3, 2016.
Three more leaders of the U.S. Democratic National Committee have resigned over the emails WikiLeaks recently published. DNC CEO Amy Dacey, Chief Financial Officer Brad Marshall, and Communications Director Luis Miranda left yesterday. The leaked emails have been controversial in their revelation of an apparent bias against candidate Bernie Sanders and in favor of his successful rival, Hillary Clinton. We note that WikiLeaks' founder Julian Assange says his organization has a great deal more to release. Assange still isn't saying where WikiLeaks got the documents. WikiLeaks rarely discloses its sources. But security firms including Fidelis and CrowdStrike continue to say the hacks were a Russian operation. Claims by hacktivists to the contrary are put down to disinformation aimed at giving Moscow plausible deniability.

Republican candidate Trump has alluded to the danger of election fixing, and his Democratic opponents put this down to reflexive conspiracy mongering. Whether this is conspiracy mongering or not, security experts do think that the U.S. elections are in principle at risk of disruption at those points where voting crosses the Internet. This can occur either through compromised electronic voting machines or through interception of online votes cast over the web. This story will continue to develop through November and beyond. We'll keep you posted on both the technology and the policy.
The University of Toronto's Citizen Lab continues its description of state surveillance tools deployed in cyberspace. Part of the growth in this sector is explained by rising fears of Islamist terrorism, and some of the growth can no doubt be put down to policy inertia. Foreign Affairs notes a European reassessment of NSA upward as that threat rises.

An ISIS leader imprisoned in Germany offers some jailhouse insight into how the terrorist group mixes inspiration with command and control. The traditional C2 and operational planning are largely provided by a unit called Emni, which recruits, vets, and delivers fighters to zones of anticipated terrorist activity across an international rat line. Control remains relatively loose, but the general direction seems sufficient to meet ISIS requirements. Emni is likely to grow in importance as ISIS loses ground in its core territories.
Yahoo is investigating the claims by a hacker calling himself Peace that he's offering a large trove of Yahoo credentials, 200 million of them, on the black market.

Spearphishing continues to be an effective way to compromise the systems of unsuspecting users. We spoke with Dwayne Melancon, Chief Technology Officer at Tripwire, about the technique.
Spear phishing is a kind of an attack where people craft a specific message for a specific recipient or a specific audience. And, you know, there are kind of mass market phishing emails where you cast a wide net and hope to catch somebody in it. And spear phishing is kind of the opposite, where you do a lot of research and homework on a specific target, and then you craft an email that you know will be either attractive to them or will kind of slip through their defenses. And then generally the purpose is to try to gain access to information or to compromise their computer system so that you can get away with sort of either stealing from them or compromising their infrastructure.

We've seen where, for example, one of the subjects that I've studied, a guy was looking for parts for a vintage car. And he'd done some posts on outside discussion boards about this. So attackers were able to pretty quickly find out the specific make and model of the car he was interested in. And then they crafted an email to him that sounded like, hey, you know, I saw you on this discussion board. I know you're looking for this kind of a part for this kind of car. And, you know, the guy's defenses immediately go down because now you're talking about something that's not work related. It's something that has to do with a passion or a hobby of his. But then there was a suspicious payload where an infected Word document was sent to him saying, hey, here's what I have. Let me know if you're interested. And he opened up the Word document to check it out, and it infected his system. And they used that as an attack vector to get inside of his organization. So a lot of this is, it only takes a moment. It only takes one well-crafted email to fool you, and then it's kind of game over.
What's your advice? I mean, how can someone protect themselves against this sort of thing?
Well, there are some methods that you can deploy. So one is you can use what's called sandboxing, where anytime information is or a system is run on your network, you can check to see what it's doing. Is it calling from one of your systems inside your firewall out to an unknown, untrusted system somewhere else? And generally what we see is that a command and control server is set up somewhere outside of your firewall. When a system gets compromised, it immediately tries to phone home to this command and control server. And then you know you've got some kind of a compromise that's taken place. So there are a lot of, it's called a sandboxing approach because you allow things to operate inside of a controlled area. And the moment they try to make contact outside of that controlled area, you can shut down that access and prevent a command and control server from successfully taking over one of your systems.

There are other things, though, on the systems themselves. And one thing is a lot of organizations by default set up users as local administrators so that they have administrative access on their local assigned system. That actually opens up a lot of security vulnerability. So what we recommend is that you, instead of setting someone up as a local administrator, set up all your new users as standard users by default. And that limits what can be executed on their systems. In most cases, it will take these kinds of payloads and make them useless because without administrative access, you can't make certain changes to the system that allow the attacker to gain a foothold there.

So another method here is to deploy two-factor authentication, so that having a username and password is not enough to gain access to the system and masquerade as that user. You also have to have a token or maybe a challenge response that's sent to a smartphone or some other method to validate that this is a legitimate user accessing this account. And when you put those things together, that provides several layers of confidence that people are not going to be able to just take over a system and do what they want with a trusted and privileged account.

That's Dwayne Melancon from Tripwire.
As we look forward to car hacking demonstrations at Black Hat, University of Michigan researchers add to worries about automotive cyber vulnerabilities. They promise a proof-of-concept hack against the brakes and accelerator of an 18-wheeler next week.

Black Hat's general sessions opened in Las Vegas today, and the theme this year seems to be speed. And not only the speed with which threats evolve and the speed needed to fend off those threats, but the speed companies need to go to market with their security products. We spoke with Allegis Capital's Bob Ackerman last night about some of the things early-stage startups should bear in mind. First, the venture capital market has cooled a bit generally, not just for cybersecurity, as investors have come to worry that the market may be overcapitalized. Funding remains available, but you'll have to work harder to find it. There's reason for optimism in that cybersecurity is now generally seen as neither speculative nor discretionary. It's something companies understand they have to have. But to attract investors, Ackerman said, you must be differentiated from the others in the sector. There are a lot of point solutions on offer that might be nice as a feature, but that won't sustain a company. Don't be one of those offering a point solution. Go for disruption and be clear about your value proposition. We'll have more on Black Hat in the coming days.

Finally, these days we seem to always close with Pokemon Go news, and today is no different.
Our update today comes courtesy of professional football. That's American football, not the kind played everywhere else on the planet. Detroit Lions guard Larry Warford is quoted in CNET's Technically Incorrect as worried that something's not right about the game. He suspects mind control. Technically Incorrect contacted Niantic, the game's maker, to ask whether there were any mind control parameters to the game. The company didn't immediately respond. But come on, we'll take our cybersecurity advice from elsewhere in the NFL, specifically from the Baltimore Ravens' John Urschel, a Ph.D. candidate in mathematics at MIT who's presented technical papers to symposia at Fort Meade. Come on, John, there's no mind control here, right? Is there? Go Ravens.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, updating your Android device, or mobile devices in general, but talking about Android today specifically, you wanted to make our listeners aware of some updates that came with Android version 6.0.

Yeah, 6.0, or Marshmallow as it's called, has granular permission capability. Previously, when you installed an app, it would say the app is going to have these levels of access. And you would either accept it and say, I'm willing to accept that the app is going to access these pieces of my phone or these capabilities on my phone. Or you'd say, no, I'm not going to accept it. And the option was you didn't install the app. Recently, I have installed a couple of apps. One was, of course, Pokemon Go.

Of course, of course.

Very interested to see how that works.

And another one is if you have teenage kids, a very handy app to have is the Urban Dictionary app. And that updated on my phone. And I noticed that it requested new permissions. Well, in Android 6, you can go into your settings and then to apps and then click on the individual app and you can choose which level of permission you allow that app to have. So if the app needs access to your contact list, like Pokemon Go does, it asks for that access, you can say, I don't want you to have access to my contact list, but to my camera and to my storage capabilities and to my network, I see where you need to have that to work. So yes, you can have access to that.

So you've got the ability to dial in how much access you want on an individual app basis.

Yes, and I think, in my opinion, this is a great feature that Android has included with the latest release of their operating system.

So is this the kind of thing everyone should go grab a copy of version 6.0, or how many people are going to be able to take advantage of this?

Well, right now, if you go to the Android versions Wikipedia article, they have a great graphic that comes from the Google Play Store. About 10% of the connections to the Google Play Store are on Android 6. That means 90% of the people, and assuming that's a randomized sample or an appropriate sample, which it may not be, that means that the vast majority of people can't do this yet. So the operating system needs to be upgraded on the device in order for that to happen. Now, maybe the device that people have can't support the new operating system. So in which case, it's probably time to go out and get a new device.

All right, Joe Carrigan, thanks for joining us.

My pleasure.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.