CyberWire Daily - Daily: Election hacking, layoff rumors, the unbearable lightness of Pokemon.
Episode Date: August 5, 2016
In today's podcast we look at Black Hat and draw some consensus advice for start-ups. Cyber espionage rises around the South China Sea. Apparent Russian hacking continues to worry election officials... and voters in the US. The HEIST exploit is demonstrated. ISIS jockeys with al Qaeda, Boko Haram factions for jihad leadership. Brazil works on cybercrime as the Olympics open tonight. Apple announces a bug bounty. Cyber companies are said to be preparing layoffs. Accenture Technology Labs' Malek Ben Salem explains software based networking. Galina Datskovsky from Vaporstream outlines the security concerns with voice activated devices. And companies work to keep Pokemon out of places they shouldn't go.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
...Sea. U.S. concerns over the security
of voting systems persist. ISIS and Al-Qaeda continue to compete for jihadi mindshare.
The HEIST exploit is troubling, but not yet in the wild, we think. The Rio Olympics get ready
to open and banking malware is ready too. Apple announces a bug bounty. Cyber companies are said
to prepare layoffs. And we think a security company is helping make Pokemon safe.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, August 5th, 2016.
Black Hat USA 2016 is in the books, and its participants are headed home,
or wherever else Black Hat symposiasts go, when the show's over and it's time to move on.
We'll have more on the conference over the course of next week, but if we might summarize the industry
trends we're seeing, we'd say that investors and customers are both looking
for differentiation. Point solutions, however elegant, are plentiful
and it's difficult to get through the noise and hear the signal. So understand
what problem you're solving and be clear on your value proposition.
Those customers and investors are also looking for approaches to security
that address the notorious shortages in skilled cyber professional labor.
Not only do they want solutions that can automate security functions
now performed by scarce human operators,
but they also want solutions that easily integrate into the
enterprise. Hard-to-deploy products that require a lot of maintenance and attention are non-starters.
This is no doubt obvious, but the number of young companies offering the high maintenance
and the difficult-to-deploy suggests that it's worth repeating. TechCrunch is running a nice
summary of four concepts that tended to dominate talks in Las Vegas.
The first is behavioral baselining.
This is regarded as essential for anomaly detection,
and anomaly detection in its turn is seen as the alternative
to the notoriously limited signature-based detection schemes long familiar in the industry.
The next is active response, that is, faster, more highly automated response to incidents.
This is not to be confused with hacking back, a concept finding less favor nowadays, especially since the lawyers have gotten wind of it.
Next is security analytics, especially when performed in the service of vulnerability recognition and management.
And finally, public key cryptography, which of course you're familiar with, and this
conference was nothing if not crypto-friendly. A lot of companies were talking these up. Again,
they do well to consider how they might differentiate their offerings from competitors
with similar elevator pitches. Over at DEF CON, DARPA ran its Capture the Flag competition for
artificially intelligent systems yesterday. The winners will be announced later today, and then the machines will go on to compete
against the naturally intelligent humans in a second round of Capture the Flag.
DARPA doesn't expect the machines to win this time,
but it thinks it's demonstrated the future of security.
Turning to news of international cyber conflict, F-Secure continues to track the Nanhaishu Trojan,
implicated in collecting against China's opponents in the ongoing dispute over rights to the South China Sea.
Nanhaishu appears to be an espionage tool, probably operated by Chinese services.
Recorded Future has added to the accumulation of circumstantial evidence pointing to Cozy Bear and Fancy Bear as the actors behind the Democratic
National Committee hack and other related operations against political campaign networks.
Cozy Bear and Fancy Bear are closely tied, respectively, to Russia's FSB and GRU.
There's much dudgeon in the U.S. over foreign attempts to influence November's elections,
and the Secretary of Homeland Security says his department is looking into ways of improving voter security. Critics say that this involves some disingenuous reading of U.S.
intelligence operations, with NSA watcher James Bamford charging in a Reuters op-ed that the U.S.
is, quote, the only country ever to launch an actual cyber war, end quote, a contention that
would probably be disputed in Estonia, Georgia, and Ukraine,
to name three places that have received the ministrations of a large neighbor over the past 10 years.
The cyber act of war Bamford is referring to is, of course,
the deployment of Stuxnet against the Iranian uranium separation centrifuges.
ISIS is working hard to assert itself over Boko Haram's leadership in Nigeria,
not altogether to the liking of local jihadi opinion. Boko Haram has been, in the ISIS view of things, too bloodthirsty in its attacks
on moderate Muslims and their mosques. The drive to control Boko Haram is part of ISIS's recent
determination to woo co-religionists it had hitherto been willing to attack. ISIS competitors
in al-Qaeda and various Taliban factions are similarly engaged in recruitment and inspiration campaigns online.
Researchers described an exploit they're calling HEIST, which stands for HTTP Encrypted Information can be Stolen through TCP-windows.
An attack wouldn't require a man in the middle position to execute, the researchers say.
HEIST has been demonstrated as a proof of concept, but not yet, insofar as is known, encountered in the wild.
We heard from Justin Jett, director of compliance and auditing at Plixer,
who told the Cyber Wire that although we don't yet know whether HEIST will develop into a significant threat,
quote, users should be ever vigilant.
One way to protect yourself against threats like HEIST, he said, is to use ad blocking software like the EFF's Privacy Badger. This would
prevent the scripts from running on an infected site, thus preventing the attacker from being
able to determine details from TCP response sizes, end quote. We'll be watching more for news of
HEIST-like exploits. The Olympics open in Rio tonight amid heightened physical and cyber security.
A banking Trojan, Panda Banker, has been observed spiking in host country, Brazil.
And joining me once again is Malek Ben-Salem.
She's the R&D manager for security at Accenture Technology Labs.
Malek, I know an area of research for you is the security implications when it comes to software-defined networking.
Right. So software-defined networking is an approach to design,
build, and manage networks that separates the network control from the forwarding plane of the
network, which enables basically more network control, enables the network to be more
programmable, and the underlying infrastructure to be abstracted for appliances and network services.
It enables more innovation. So that's why some companies are adopting this approach, but it also has its own security implications.
One of them is that by virtualizing the network, security admins or network admins no longer have visibility into the underlying infrastructure and into what's happening exactly in the network.
And that creates basically new security challenges for them.
Explain to me what you mean by that.
Why would having the network be software-based take away that visibility?
So basically, they're adding a new layer on top of the infrastructure layer,
which is this control layer that they interact with,
which abstracts everything underneath.
So they lose that visibility.
They only see what's happening at the control layer without having the visibility of what's going on in the physical layer.
That's one challenge.
The other challenge is by creating the separation,
everything basically becomes centralized into one point
through the software-defined network controller.
And that, in and of itself, creates new threat models for the company because the SDN controller becomes a single point of failure for the network.
But there are also even security advantages, such as, for example, the ability to direct malicious traffic to a honey net,
creating honey nets quickly and directing any malicious traffic towards those honey nets to collect more information about the adversary.
All right. Malek Ben-Salem, thanks for joining us.
In some industry news that broke at the end of this week, Apple announced its intention to join a growing industry trend and start a bug bounty program.
Only invited bug hunters will participate at first. A few dozen, says Cupertino. But the company's head of security engineering and architecture told people at Black Hat that
they're not setting up an exclusive club. Other researchers may submit flaws they discover and
so be considered for admission to the program. Bounties will range from $25,000 to $200,000,
and Apple says it's willing to double the bounties paid to hunters who donate the proceeds to charity.
One of the technologies Apple is known for is Siri, the automated assistant on the iPhone that
responds to your voice. Android has Cortana, and Amazon sells their Echo with Alexa. We spoke with Galina Datskovsky, CEO of VaporStream,
about voice-activated devices and privacy concerns.
If you look at the younger population today,
let's say the kids, the teens, even the 20-somethings,
they're typing a lot less and they're talking to their devices.
They're speaking to the device and they want the answers or the signs read to them as opposed
to reading them.
So there's a lot more human-like interaction with the devices.
In addition to that, we're seeing quite a number of devices that are specifically voice activated, that might not even have
a keyboard input at all. So for example, Alexa. If you look at Alexa from Amazon, you talk to Alexa,
you get answers from Alexa, you could play games with Alexa. There is no other way to interact with it.
I think there are several assurances that we have to have from the manufacturers. So one is,
is the device going to be listening even when I don't want it to be listening? Can the device be
hacked to listen to me, right, and respond or report in time?
Can somebody hack the storage of information?
So if the information that I'm speaking and I am receiving,
is that stored somewhere?
Is that identifiable to me?
Can that be hacked?
How is that used?
How is it given to third parties? Can that
be used for espionage if I have this particular device in my office, right, and maybe in the
boardroom? What if I wear a device that I'm speaking to? Maybe it's not a device that sits on my desktop, but it's a wearable that's
voice activated. Can somebody hack that? What kind of information is produced? So I think those are
issues that, first of all, one should be concerned about. And secondly, I think the manufacturers
need to make people comfortable with. These types of devices are easy to use and fun to use,
and there's a natural tension between that and security.
There's always that trade-off of convenience versus security and privacy,
and generally they happen to be at odds, right?
So in some ways, you don't want to overprotect the device
because you really want it to learn your voice signature
and the way you speak, and kind of use it like the fingerprint, right? So we are seeing the security on
your phone now going to biometrics and finger scans. You don't have to type in a code, but you
could just do that, and presumably that is a lot safer because you are less likely to forget or lose your fingerprint, and somebody else can't exactly duplicate it.
So voice signatures are very similar, and you sort of want the device to know, like you said, your voice signature.
Unfortunately, voice signatures, in fact, can be somewhat duplicated.
And voice signature recognition is not absolutely perfect.
Probably the device won't confuse you and me, but perhaps another deeper male voice could actually imitate yours, either on purpose or accidentally, especially if the phrase is relatively short. You agree to a certain set
of privacy definitions when you click through the EULA, the End User License Agreement.
But what's not so certain is what happens with a device like this from a legal point of view
if it gets hacked. If something is recorded improperly, if you want to make an argument that you didn't wake up the device, it woke up
based on the wrong word, right? Or somebody hacked it. And now they're getting your information.
And you are actually being illegally recorded, if you will. And somebody is taking that illegal
recording and doing something with it, which was not in the terms and conditions, who is liable?
That's Galina Datskovsky. She's the CEO of VaporStream.
In other industry news, two sector leaders, FireEye and Fortinet,
are reported to be preparing or conducting layoffs.
FireEye has announced a round of layoffs in response to disappointing earnings,
and Fortinet is rumored to have begun significant layoffs that will hit marketing heavily.
Other unnamed companies are also thought to be considering headcount reductions.
We'll be watching to see if these rumors are confirmed by events.
Finally, Looking Glass seems to have found a Pokemon-related revenue stream.
Enterprises are telling them where Pokemon are unwelcome, and Looking Glass is working with Pokemon Masters Niantic to
exclude them. Some are calling this killing Pokemon, but to us, it looks more as if Looking
Glass is keeping Pokemon safe. No one, least of all Looking Glass, would be heartless enough
to kill Pikachu, but anyone would like to keep him out of traffic, transformer stations, military bases, and so on. Right, Chris?
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.