CyberWire Daily - Daily: Info ops as battlespace prep. It's hard to count Australians.
Episode Date: August 11, 2016
In today's podcast, we hear about cyber and information operations in Eastern Europe that look disturbingly like battlespace preparation. The FBI finds that the scope of the Democratic Party hacks is much greater than initially believed. The Bureau seems ready to ask for more authority to unlock devices, but opponents point to Microsoft's inadvertent leak of Secure Boot keys as an object lesson in why that's a bad idea. USENIX proofs-of-concept include Linux and car-hacking exploits. Samsung Pay is criticized as vulnerable to token skimming. Senior Law Analyst Ben Yelin outlines the FBI's request to expand the reach of National Security Letters. Deputy Director Rick Lipsey explains the mission of the ISAO Standards Organization. New ransomware features disappearing extortion emails. And how do you solve a problem like Pokémon GO?
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Australia's census issues persist.
Russia begins to talk about Ukrainian provocation in the Crimea.
The scope of the Democratic Party hack is now thought to be far wider than previously imagined. As the FBI prepares to ask for more ability to
unlock devices during investigations, Microsoft is found to have inadvertently disclosed the
golden key to a secure boot back door. Samsung Pay may have a token skimming issue, a new form
of ransomware abuses Mailinator, and Pokemon Go continues to give
people fits.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, August 11, 2016.
Australia's Bureau of Statistics remains convinced its online census platform was taken down
by distributed denial-of-service attacks.
Some a priori skepticism persists in security industry circles, though,
that the Bureau simply wasn't prepared to handle the traffic it received as a bunch of procrastinators all jumped on the net at once.
There's no attribution and the motive is thought to be the obvious one, disrupting the census.
The Australian Signals Directorate is investigating and working to ensure the security of the site. The census, which is taken every five years,
has been controversial in recent rounds as Australians resist being counted and categorized.
Our favorite from the last one was the bloke who identified himself as Batman and dutifully
reported his address as Stately Wayne Manor.
Russia's President Putin has been drawing official attention
to alleged Ukrainian provocations in and around the Crimean province
Russia seized from its neighbor in 2015.
This hasn't yet manifested itself in cyberspace,
but it's expected to do so as battlespace preparation proceeds.
Observers find this development disturbing.
The informational tends to foreshadow the kinetic.
In the U.S., the FBI is expanding its investigation into the hack of the Democratic Party.
It's now believed more than 100 groups and party officials were compromised.
Investigators speaking on background to the media no longer bother with coyness about attribution.
They're calling the actors the Russians.
Suspicions are again turning to the homebrew server used by former Secretary of State Clinton, but this remains speculation.
As FBI Director Comey remarked, if the people who were after that server were as good as they're
thought to be, their spoor won't be easy to track. Director Comey is also signaling that he plans
another push to induce Congress to give the Bureau more expansive authorities, or abilities,
to unlock devices presently inaccessible to investigators.
He believes security and privacy can achieve a kind of technical peaceful coexistence.
We'll hear a bit later from Ben Yelin of the University of Maryland's Center for Health and Homeland Security. He'll discuss the FBI's efforts to expand the reach of national security letters.
But in the meantime, we note that opponents continue to oppose
giving the FBI or other law enforcement agencies a backdoor they could open at will,
even with the due process safeguards of warrants, national security letters, and the like.
Privacy advocates and techno-libertarians point to a development they think
shows why backdoors are inevitably a bad idea.
Microsoft has inadvertently leaked its Secure Boot golden key,
effectively a backdoor that bypasses protections
and enables the possessor to unlock any device protected by Secure Boot.
The moral, they say, is that backdoors undercut security for everyone.
Observers see the incident as a cautionary tale for policymakers.
Microsoft is working on recovery and remediation.
There's much discussion of the sharing of threat information, intelligence, and best practices,
and establishing standards for how best to do that. To learn more, we spoke with Rick Lipsey,
Deputy Director of the ISAO Standards Organization.
So the administration signed out an executive order, 13691, in February of 2015, promoting private sector cybersecurity information sharing.
And to do that, they proposed the establishment of information sharing and analysis organizations, ISAOs. To promote the establishment of these organizations and to establish standards
and guidelines for how they would be established and how they would be operated, the government
also called for the establishment of a non-governmental standards organization. And so
that's who we are, the ISAO Standards Organization. We're comprised of representatives from the
University of Texas at San Antonio,
LMI, which is a not-for-profit government consulting firm,
and R-CISC, the Retail Cyber Intelligence Sharing Center.
According to Lipsey, spreading information among the cyber community is critical for success.
When you look at the totality of our cyber ecosystem,
there is hardly a business or an organization that
exists today that does not depend on the cyber environment.
And yet for many, they don't have access to actionable cyber threat intelligence information.
And for some, even if they did have the access, they wouldn't know how to use that.
And so what we hope to promote through ISAOs is an opportunity for communities
of interest to come together to share that type of actionable information and to exchange best
practices.
There's a community-building aspect as well, not unlike crime-fighting efforts in previous generations.
In the 1970s, this country started seeing a real increase in crime in our
neighborhoods. And so as a result, many neighborhoods started establishing a neighborhood watch program.
We have the same thing going on in the cybersecurity environment. And ISAOs are like a
cybersecurity neighborhood watch program that can help us address those concerns. The real power of this
comes when you consider the establishment of dozens or hundreds of ISAOs that are then,
on a voluntary basis, exchanging actionable cyber threat information and best practices.
The ecosystem as a whole is better served through voluntary actions to promote information sharing than
attempting to legislate it or mandate it through regulation. And so we believe there is a strong
and growing consensus that encouraging this type of voluntary information sharing that has obvious benefits to individual members
and to the ecosystem, to our country as a whole, is going to be very attractive.
That's Rick Lipsey, Deputy Director of the ISAO Standards Organization.
They're hosting a public forum in Tysons, Virginia at the end of August,
and you can find out more about that on their website, isao.org.
A Linux TCP flaw, apparently in place since 2012, exposes internet users to
off-path exploitation, like a man-in-the-middle attack only with no one in the middle.
Researchers from the University of California at Riverside and the U.S. Army Research Laboratory
demonstrated a proof-of-concept exploit yesterday
at USENIX. Also being demonstrated this week at USENIX is another series of car hacks. This time,
the exploit affects the keyless entry systems of, the researchers advertise, more than 100
million vehicles. Volkswagen is getting the press attention, including its Audi and Skoda
subsidiaries, but a second vulnerability
affects cars built by Alfa Romeo, Citroën, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.
Samsung acknowledges there's a token skimming issue in Samsung Pay, the company's mobile
payment system, but the device manufacturer says exploitation is too far-fetched to worry about.
Tripwire reports on R980 ransomware.
It has a lot of familiar crypto ransomware functionality,
but it also abuses Mailinator the better to coerce its victims.
Mailinator is a legitimate app that deletes email after a specified time. If you don't pay up on schedule,
you'll find that the email directing you to recovery has disappeared.
F-Secure takes a look at the ransomware criminal economy and suggests a somewhat different
approach for victims. Instead of either paying or stonewalling the extortionists, why not
negotiate with them? After all, F-Secure says, you've got little to lose from trying, and
it seems many, perhaps most, of the criminals are open to negotiation.
An op-ed in Wired is calling for a code of ethics that would introduce some voluntary order and standards into augmented reality games,
of which Pokemon Go is Wired's Exhibit A.
The editorialist fears, among other things,
that developers pay insufficient attention to the social justice and safety implications of the games.
Why, she asks, should game developers not be held to account for stalking?
And why should they be held as having no responsibility for ensuring equality of access to the game
in underserved areas?
Cultural historians may wish to compare Dr. Fredric Wertham's Seduction of the Innocent,
published by Rinehart & Company in 1954.
It included a similar analysis of the social implications of comic books.
But there is, finally, no shortage of places and agencies who would love to be underserved.
Thailand's telecommunications authority has ruled temples, schools, and the royal palace
grounds off-limits, and authorities are warning people not to walk onto busy freeways, off
cliffs, or into literal minefields.
And bad news for trainers in the UK.
MI6 has put a stop to the placement of Pokestops and Pokemon Gyms in its headquarters.
But say, we thought the hackers blew that building up in Skyfall.
Anyway, all we can do is say, don't choose that, 007.
We're looking out for you, Q.
And joining me once again is Ben Yelin.
He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, you saw a story recently. A lot of, I would say, kind of breathless headlines were saying that the FBI wants more power to spy on your browser history.
The FBI is pushing to expand their National Security Letter Authority.
What's going on here?
The FBI is working with key senators, Senator John McCain of Arizona and John Cornyn of Texas, on a bill to expand the power of national security letters. And I know,
Dave, we've talked about this before. National security letters are an administrative subpoena that a government agency can use to get information on electronic communications and all other types of
communications without a warrant. It's an administrative subpoena. One of the big issues
for civil libertarians is that these orders come with a gag order. So even though these gag orders
are reviewed annually, if you are a
telecommunications provider and you receive one of these orders, you are forbidden from talking
about it. The Senate proposal would grant the FBI power to access electronic communications
transactional records, which includes a user's browsing history, as well as other online records.
This is a new authority under the National Security Letter statute and would give the FBI
wide latitude in getting not just, you know, website information from internet service providers,
the metadata who's visiting, but also personal information, browser history,
which can reveal a lot of private details about people's lives.
So why is the FBI pushing for this?
Is it a matter of velocity that they don't want to be slowed down by the process of getting warrants?
What's their story?
I think that's a large part of it.
The national security letter is a very useful tool for the FBI because there is no involvement from the judicial branch.
There is no prior judicial approval for national security letters. So it is a way of accessing
information with expedience, and they have become far more prevalent in the last 15 years post 9-11.
So it will be interesting to see how the Senate, which is, I think, evenly divided on
this issue, will come down. I think we're going to see a very vigorous debate.
All right. Well, keep an eye on it. Ben Yelin, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening. Thank you.