CyberWire Daily - Daily: Istanbul bombings prompt global intel collection re-look. Cyber threats to transportation.
Episode Date: June 29, 2016In today's podcast, we note that in the wake of the ISIS bombings in Istanbul, security services around the world are looking for online intelligence that might help prevent future terror attacks. Ano...ther wave of SWIFT fraud appears to have hit--this time the victims are banks in Ukraine and Russia. Ransomware updates (including the unwelcome return of Locky), notes on smishing, and a review of some questionable PlayStore apps. Apple's iPhone turns 9 and The University of Maryland's Jonathan Katz explains that company's move toward "differential privacy." Jon Allen from Booze Allen Hamilton talks about the Automotive ISAC and previews the upcoming Billington Cybersecurity Global Automotive Cybersecurity Summit. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash N2K, code N2K.
ISIS bombings are likely to have implications for global online intelligence collection.
Dozens of banks in Ukraine and Russia may have lost millions in Swift raids.
Lockheed's back, Cryptex never left,
and a lot of businesses may be quietly paying up.
Malicious SMS messages install paycard-stealing malware.
More dodgy apps are noticed in the Play Store.
Euro-friendly bots want another UK referendum.
The auto industry gets together to share cyber strategies.
Symantec patches AV bugs.
Apple's iPhone celebrates a birthday, so we ask Siri, or actually Jonathan, what's differential privacy?
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, June 29, 2016.
for Wednesday, June 29, 2016.
Yesterday's horrific suicide bombings at Istanbul's Ataturk Airport,
where gunmen shot their way into the terminal, then detonated their bombs,
are moving security officials worldwide to look for better ways of collecting and developing intelligence.
Both Turkish and U.S. sources have attributed the massacre to ISIS.
Much of that collection will inevitably be performed online. How that
might be accomplished will face technical, resource, and policy challenges. The Kyiv ISAC-A branch
reports that an unnamed Ukrainian bank has lost $10 million to SWIFT-enabled funds transfer fraud.
ISAC-A's statement, as reported in the Kyiv Post, says that dozens of banks, mostly in Ukraine and Russia,
have been compromised, and that their losses may collectively run into the hundreds of millions
of dollars. Commentary about the apparent theft has been guarded and short on details.
It's early in the ongoing investigation, and the affected banks fear adverse public reaction.
Since the SWIFT international funds transfer System was used to accomplish the theft,
observers say it looks like Bangladesh and speculate that the methods employed were similar
to those used earlier this year against the Bangladesh Bank. That bank has concluded the
first phases of its investigation and with that conclusion wraps up its contract with FireEye
and says it's moving to shore up the security of its systems on its own.
In other cybercrime news, some observers had hoped that Lockheed Ransomware was fading into and says it's moving to shore up the security of its systems on its own.
In other cybercrime news, some observers had hoped that Lockheed ransomware was fading into oblivion.
Symantec found that Lockheed had declined steeply over the past month,
as Drydex and Angler infections also fell off the cliff.
Unfortunately, such hopes have proven unfounded.
CloudMark says Lockheed's back and being distributed widely,
rejoining Cryptex among the more popular ransomware variants. As more enterprises are infected with ransomware,
a Radware study suggests that businesses in the US and the UK are less set in their determination
not to pay up than their statements might lead one to believe. 84% of IT executives at firms that
had not been attacked said they wouldn't consider paying ransomware.
But when one looks at firms that actually have sustained a ransomware hit, 43% have paid.
In all of this, small businesses are looking particularly vulnerable.
They hold data that's vital to their survival, and they tend to be resource-poor with respect to security.
As larger enterprises become harder targets, criminals prospect small businesses.
They're in general less well defended and less able to sustain a hit to their current operations,
so the basic advice on dealing with ransomware remains, back up your files.
Malicious apps remain another common form of cybercrime.
Smishing is phishing via SMS services on mobile devices,
and a smishing
campaign in Europe is spreading paycard-stealing malware, posing as WhatsApp, Uber, or Google Play.
The vectors are malicious SMS messages. Other bad apps are lurking in the Google Play Store.
Lookout warns that what it calls auto-rooting malware is being downloaded by unwary Android users.
Case zero of the auto-rooting epidemic is a seemingly innocent and simple app called LevelDropper. As its name implies, LevelDropper converts your device's screen into a virtual
carpenter's level, complete with green bubble. Unfortunately, it also roots your phone,
giving an attacker the ability to load and run essentially whatever they please.
Flash Keyboard, another popular app with about 50 million downloads, is also showing some dodgy
behavior. Optio Labs says the keyboard app, produced by.cUnited, isn't exactly malicious,
but it's really promiscuous in the privileges it asks for, few of which a keyboard would actually
need, however handy and helpful that keyboard aspired to be.
For example, it asks that you allow it to download files without notifying you.
That alone should be enough to warn anyone off.
Anyone, that is, beyond the 50 million or so people who apparently said,
sure, yeah, why not?
This week marks the ninth anniversary of the introduction of the iPhone.
Many observers have been congratulating Apple,
especially on the relatively good security record of iOS.
Apple recently announced at its Worldwide Developers Conference
that it intends to introduce something it's calling differential privacy.
We spoke with the University of Maryland's Jonathan Katz about what that means.
We'll hear from him after the break.
Jonathan Katz about what that means. We'll hear from him after the break.
A Google security researcher reports an array of bugs in Symantec and Norton antivirus products.
Symantec has patched the issues. You'll find the fixes on their website.
We haven't forgotten about the Dark Overlord and his or her stall of allegedly stolen,
purportedly genuine healthcare records in the real-deal dark web market. But so far, there's no consensus about the data's provenance.
Whatever they are, the asking price is steep.
We'll continue to follow this story as it develops.
As cars grow ever more sophisticated and connected to the Internet,
concerns about their cybersecurity grow, too.
We spoke with Booz Allen Hamilton's John Allen about the automotive ISAC
and the upcoming Billington Automotive Cybersecurity Summit,
an event for which we are proud to be a media sponsor.
We asked John Allen to begin by describing the Automotive Information Sharing and Analysis Center, or ISAC.
The concept of an ISAC was created around 1998 with a presidential decision directive that President Clinton signed to enable critical
infrastructure industries to share general threat and vulnerability information about certain
infrastructures in the United States. So it was originally like oil and gas and energy and water
are critical infrastructure. It grew out two ways. Number one is industries like automotive,
enable them to talk and share information without going across antitrust issues.
Number two is, in 1998, most of the focus was around physical threats and vulnerabilities.
And then the industry started realizing that it was cyber was the big issue.
The automotive ISAC relies on independent daily information gathering and analysis of emerging threats,
but also on the automotive industry themselves.
Say one OEM finds a vulnerability on a vehicle or an infrastructure and they're working through it
and solve it. They'll throw it out to the ISAC and say we've identified X vulnerability and this is
what we've done to solve, or this is X vulnerability we found. Has anybody
have a solution on how to solve it? But this is a big issue around the culture of trust.
This is not an industry that generally is comfortable with sharing information with each other.
They're hyper-competitive.
And so what we've seen them become is more frenemies, understanding that an attack on one is an attack on all.
The automotive makers realize that in order to enable the new customer experience,
in order to enable new technologies on the vehicle,
they have to address the underlying issue of cyber first.
You can't do data analytics unless you get the customer trust to protect their privacy and protect their data.
And you can't do that without strong cybersecurity programs.
This coming July 22nd, John Allen will be part of the Billington Cybersecurity Global Automotive Cybersecurity Summit,
John Allen will be part of the Billington Cybersecurity Global Automotive Cybersecurity Summit, which features U.S. Secretary of Transportation Anthony Fox and Mary Barra,
CEO of General Motors. To have a CEO as the keynote talking about vehicle cybersecurity
is fascinating. That's the keynote with Mary Barra, and at the end of the day,
having Secretary Fox speaking about vehicle cybersecurity as the Secretary of Transportation,
that's amazing.
I mean, there's other conferences on automotive security. However, this is the first one I've seen
with the senior leadership that they have that are dedicated to the problem. We're going to talk
about relevant issues of where the industry is going. Mary Barra talks a lot about we're going
to see more disruption in the next five years than we've seen in the last 50. I really think
from a cyber perspective, this conference is going to lay a foundation
on how that disruption is going to come forward and what cyber is going to do
within that area to really enable this disruption that we're going to see.
That's John Allen. He's a principal at Booz Allen Hamilton
and also executive director of the automotive ISAC.
And finally, a petition to revoke Brexit through another referendum appears
to have been signed mostly by bots. Authorities are investigating. After all, bots shouldn't be
voting, even in online elections, save choosing members of the Major League Baseball All-Star
squads. We're looking at you, Kansas City.
you, Kansas City. Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker
is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. at the University of Maryland. Jonathan, at the recent Apple Worldwide Developers Conference, they discussed what they're calling differential privacy,
a new way that Apple is saying that they're going to be able to collect your data
but keep your data private at the same time.
Tell us, what is differential privacy?
Differential privacy is a mechanism that's been developed over the past decade or so
within the cryptography community,
and it's been spread to the security and the databases community as well. It's really interesting. What it does is it's a framework that allows you to
analyze mechanisms for doing statistical analyses over data that involve data from multiple people.
And essentially what it does is it allows you to discern global trends about the data,
which is, of course, what you want, without violating the privacy of the data of any particular individual.
So how does it work? What's the mechanism by which you can do this?
Well, there are a number of different mechanisms that have been proposed,
but one mechanism in particular that's been sort of the most popular and one of the simplest to
implement is where you simply add some random noise into the system, whether at
the time of data collection or after you perform your analysis or during the analysis itself.
And so what ends up happening is that rather than getting sort of an exact result, as you would
prior to differential privacy, you add some noise, and that gives you sort of a less accurate result,
and there's a trade-off then between the privacy that you obtain and the accuracy of the result. So the more accurate
the result, obviously the worse the privacy. And on the other side, if you want to increase the
level of privacy that you give to any individual, then that makes your result slightly less accurate.
So is this a good thing? Is Apple's approach to this,
is this a win-win for everyone or is this something we should be wary of?
Well, I guess it's not clear because Apple hasn't released all the details of what they're planning
to do exactly. I think certainly it's a win that they're aware of the need to provide privacy,
the fact that they're aware of differential privacy, something which is relatively new
and still a subject of active research. One thing that's particularly interesting here is that
in contrast to things like encryption, where we kind of have a very good understanding about the level of
security that you need in practice, with differential privacy, it's really less clear
because you have this trade-off between accuracy and privacy, and it's not really clear where the
right setting of the parameters is in order to ensure the kind of best or optimal trade-off
between privacy and accuracy. And the devil's in the details, because if you set the privacy threshold too low, trying
to get a very accurate result, then you have technically differential privacy, but it won't
be very meaningful in practice.
And so it's really not clear until we get more details about what exactly they're doing,
whether this is providing an adequate level of protection.
All right.
Well, keep an eye on it.
Jonathan Katz, thanks for joining us.
adequate level of protection. All right. Well, keep an eye on it. Jonathan Katz, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award
winning digital executive protection platform secures their personal devices,
home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening. practical, and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses
that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.