CyberWire Daily - Daily: ISIS info ops target gangsta demo. Snakes in walled gardens. US indicts Iranians.

Episode Date: March 25, 2016

In today's Daily Podcast we talk about ISIS info operations and the difficulties of developing actionable intelligence about the group's cells. The US indicts seven Iranians for the Rye dam hack and DDoS against financial institutions. Walled garden app stores still have security issues. Verizon Enterprise Solutions and the EC-Council suffer security issues, respectively a data breach and Angler redirection. More ransomware news, and developments in the Apple-FBI standoff. We talk with MorphoTrust about security in filing state tax returns.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 As ISIS loses on the ground in its declared territory, its online information ops target the Muslim diaspora's gangsta demographic, and European Muslims say the gangstas aren't us. European authorities find their intelligence sharing falls short and look for ways to shore it up.
Starting point is 00:02:13 RSA researchers look at the Apple and Google app stores and see serpents in the walled gardens. Ransomware both old and new circulates, and two well-known security outfits suffer security problems of their own. It's U.S. tax season, so what should you know about filing your state taxes? I'm Dave Bittner in Baltimore with your Cyber Wire summary for Friday, March 25, 2016. Observers see the Islamic State's bombings in Brussels as suggesting two trends with implications not only for physical combat, but for information operations as well.
Starting point is 00:02:53 First, ISIS territorial losses and decreasing combat performance in Syria and Iraq are making its claims to have established a caliphate more difficult to sustain. Hence the turn to massacres planned and mounted from poorly secured western neighborhoods as propaganda of the deed, and a corresponding increase in information operations directed toward disaffected semi-criminal elements, those who'd otherwise be likely recruits for ordinary gangs. Second, as it emerges that some of the killers were known to intelligence services, notably those of Turkey and the United States, but that European, especially Belgian authorities,
Starting point is 00:03:29 were unprepared to handle such intelligence, more calls are heard for coordinated information sharing throughout Europe. Krebs on Security reports that Verizon Enterprise Solutions, the telecom giant's B2B service arm, has suffered a data breach, with 1.5 million customer records for sale in dark web black markets. The entire package is offered for $100,000, but less well-heeled criminals can also buy the data in 100,000 record blocks for a more affordable $10,000. In a preview of their Black Hat presentation, Check Point researchers outline problems with
Starting point is 00:04:03 the walled garden approach both Google and Apple have been following, responsibly following, we add, to screening out all but high-reputation apps from their respective stores. In some cases, OEM-signed malicious apps gull users into installing them. In other cases, modified versions of legitimate development environments posted to third-party websites infect the work of unwary legitimate app developers. You're still better off restricting your downloading to Google and Apple stores than you are foraging afield, but it's worth remembering that there are serpents even in the walled garden.
Starting point is 00:04:36 Microsoft and Samba are working, they say, on a fix for the Badlock vulnerability, but details on exactly what that vulnerability puts at risk remain obscure. Whatever Badlock actually is, it's said to be critical. The flaw apparently sits at the intersection of Windows and Samba, where SMB/CIFS is used to share access to files and printers, and Active Directory is used for authentication and authorization. We'll no doubt learn more about this already branded and logoed vulnerability come April's Patch Tuesday. A new, more virulent strain of ransomware, which discoverer Trend Micro is calling Petya, is also out. Petya locks users out of their systems by overwriting the master boot record. It displays its extortion message at system startup. In better news, several patches
Starting point is 00:05:24 are out. Google has a security update for Chrome, and Oracle issues another Java patch that fixes a problem with Java SE running in desktop web browsers. Microsoft is deploying a macro blocking feature to Office. This is noteworthy given the frequency with which malicious macros are used as malware vectors. And Apple indicates it plans to turn iCloud encryption key management over to users. This is widely regarded as a preemptive move against the company's being forced to help law enforcement decrypt user information in the cloud.
Starting point is 00:05:55 It's U.S. tax season, and the unwary are being aggressively phished by fraudsters. It's worth remembering that fraud goes on at all levels of citizenship, federal, state, and local. The Cyber Wire talked to Mark DeFry of MorphoTrust about a program they're piloting in Georgia and North Carolina to help combat fraud. Essentially what we're doing is we're using a new solution that we've brought to market called Electronic ID. An electronic ID is an online credential that you'd use to log into websites securely, but it's based on the trustworthiness of your driver's license. Essentially, it's almost like putting a credit lock on your tax ID account.
Starting point is 00:06:37 At registration time, when you first get your account set up, you're going to have to scan the front of your driver's license with the camera on your phone. And what that scanner is going to do is authenticate and make sure that your driver's license is real by looking at security features that are embedded in the document. It will read the barcode information on the back of your driver's license to extract the right user data. And then it's going to ask you for a selfie. And that selfie and the data from the barcode are going to be passed through us to our partners within either North Carolina DOT or to the Division of Driver Services in Georgia where they issue their driver's licenses. And we will do a one-to-one match of the selfie against the photo on record through software that we provide as well as look at the data points from the barcode and the data points that are on the system of record. MorphoTrust's website is morphotrust.com.
Starting point is 00:07:30 As long expected, the U.S. Attorney for the Southern District of Manhattan yesterday returned indictments against seven Iranian nationals for, among other crimes, their now famous cyber reconnaissance of a small dam in downstate New York. So why, some of our more bellicose listeners are probably asking, isn't the U.S. military retaliating against an act of war? It's not that simple. As the Defense Department explained to the Senate when asked about earlier PLA hacks, quote, first you have to identify the geographic location of where the attack came from. Then you have to identify the actor. Then you have to
Starting point is 00:08:05 identify whether the government of that geographic space was in control, end quote. So again, it's not that simple. Attribution never is. Evidence good enough to indict usually isn't evidence good enough to go to war over. And finally, we're happy to say we have a winner in the Cyber Wire's inaugural Name That Tune competition. The prize, and our prizes are all glory, go to the sagacious and persistent Cuckoo's Egg, who determined that the mystery music we played at the end of our March 23rd
Starting point is 00:08:34 episode was from that 1978 television series Project UFO, produced by none other than Jack Webb. Congratulations, and visit Ms. Egg via her Twitter handle, at Cuckoo's Egg. Well done, Ms. Egg.
Starting point is 00:11:14 I'm joined once again by Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. They're one of our academic and research partners. Joe, when you download an app for your mobile device, that app is going to ask you for permission to access various things on your device. This is an area that requires your attention, yes?
Starting point is 00:12:05 Yes, yes it does. It requires your astute attention. For example, if you look at a flashlight app, what does a flashlight app need to have access to? Chances are it needs to have access to your camera because that's where the LED is attached to the system as part of the camera. And that is probably all it needs.
Starting point is 00:12:25 And it doesn't need access to your contact list, your Wi-Fi states, your full network access. There are a lot of apps out there that require these things. Just recently, I have a daughter who's looking at purchasing a car. So I was looking at the various apps for pricing cars, and some of them required a huge amount of permissions.
Starting point is 00:12:46 However, not to endorse any one over the other, but the Kelley Blue Book app did not require a huge amount of permission. So that's the one I installed, and that's the one I was using. It's clear that a flashlight app doesn't need to necessarily know your GPS location. But there are occasions where these apps can have enhanced functionality if you give them permission to access things on your phone, like your location, things like that. Absolutely. If you download Waze, which is a navigation app, that's going to need your GPS location, presumably to use for the purpose of getting you to your destination. Of course, you have to understand you're making a tradeoff that Waze now has access to your GPS information.
Starting point is 00:13:27 But as a user of Waze myself, I'm comfortable making that tradeoff. So it's a balance between the cool features and protecting your personal information. Right. And the cool features is how they get you, right? Every time. They get me every time, Joe, every time. Thanks again for joining us. It was my pleasure.
Starting point is 00:13:53 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
Starting point is 00:14:46 I'm Dave Bittner. Thanks for listening.
