CyberWire Daily - Daily: Slinging cyber lingo. Bad robots. Pokémon Go's long march.

Episode Date: July 14, 2016

In today's podcast we hear about some expansive court decisions that may make you uneasy. Chinese spies get into the FDIC, and the victim may have covered it up. Start-ups attract fresh investment. New exploit kits jockey for position. Securing your Bitcoin wallet. What to make of Pokémon's security issues. Dale Drew from Level 3 Communications gives us the low-down on some cyber security lingo, and Darin Stanchfield from KeepKey explains options for securing your Bitcoin. And, in California, an alleged violation of Asimov's First Law of Robotics.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:56 Courts, responsibilities, and liabilities. Chinese spies in the FDIC and a cover-up? Industry notes, the world of cybercrime. Pokemon Go is almost everywhere and it's dragging some bad actors in its wake. And in California, there's a bad robot. You know who you are, bot. I'm Dave Bittner in Baltimore
Starting point is 00:02:21 with your CyberWire summary for Thursday, July 14, 2016. Two recent U.S. federal court decisions may have significant implications for users of the Internet. The first decision of interest comes from the U.S. District Court for the Southern District of New York in Enigma Software Group USA LLC v. Bleeping Computer LLC. The court found that an online forum operator couldn't assert publisher immunity against the claim that a volunteer moderator allegedly defamed a security product in that forum. In the other case, the Ninth Circuit has handed down its opinion in Facebook v. Vachani, and some legal observers find the decision a disturbingly broad reading of the Computer Fraud and Abuse Act.
Starting point is 00:03:04 The Volokh Conspiracy, writing in the Washington Post, thinks the opinion made the defendant's state of mind crucial, as opposed to what the defendant actually did. As the Conspiracy points out, quote, it says that if you tell people not to visit your website and they do it anyway, knowing you disapprove, they're committing a federal crime of accessing your computer without authorization, end quote. The decision also seems to make it all the more important to read the EULAs, the End User License Agreements, those notoriously lengthy, turgid, hard-to-understand things you click through when you download, oh, I don't know, say, Pokemon Go. As Help Net
Starting point is 00:03:39 Security remarked in a different context, quote, I agree to these terms and conditions is now provably the biggest lie on the Internet. Communications researchers at York University and the University of Connecticut used a test site to establish what everyone knows. Almost no one actually reads terms and conditions or privacy policies. The science is settled.
Starting point is 00:03:59 End quote. The U.S. House Science, Space, and Technology Committee has looked into an apparent Chinese government hack of the Federal Deposit Insurance Corporation and concluded that the FDIC was indeed compromised. And more seriously, committee researchers concluded that the agency attempted to cover up the incident. In industry news, AppThority raises $7 million in Series B and Samsung takes a stake in UK cybersecurity darling Darktrace. Investors continue to look forward to Intel's sale of its security business, even though they don't anticipate the company selling it for much more than it paid for it in the first place.
Starting point is 00:04:37 In cybercrime notes, F-Secure reports that Locky ransomware is seeing a resurgence. PhishMe publishes more details on the RockLoader-delivered Bart crypto ransomware. It's especially active in Germany, the UK, and the US. The cross-platform, Java-based Adwind remote-access Trojan continues to spread rapidly. Zscaler reports that the Sundown exploit kit is pushing RIG and Neutrino for black market share left by the effective disappearance of Angler and Nuclear. Sundown is run by the self-styled Yugoslavian Business Network, pretty obviously modeled on the much better known and notorious Russian Business Network. Much ransomware,
Starting point is 00:05:16 of course, solicits payment in Bitcoin, but there's more to it than that. Cryptocurrencies are growing in acceptance. We spoke with Darin Stanchfield, the founder of KeepKey, a Bitcoin digital hardware wallet maker. Bitcoin is a peer-to-peer virtual currency, and sometimes it's referred to as a cryptocurrency because it uses cryptography to secure it. But it can be thought of more as like a global ledger that resides on a bunch of peer-to-peer nodes. When you transfer money in it, you're not really transferring money, you're assigning value on the ledger. You don't have to accept identification from a customer. They can just give you the Bitcoin, and the Bitcoin is good.
Starting point is 00:05:53 So you have the Bitcoin, you can verify that you have the Bitcoin, there's no chance of it being reversed on you. It's like cash. So once you have it, it's yours. So because Bitcoin is peer-to-peer, there's no central authority to reverse transactions. Once someone gets your private key and they make a transaction, they're gone for good.
Starting point is 00:06:12 And there's no recourse. One of the key features of Bitcoin is its baked-in security. Let's say Bob wants to send Alice some money. He, on this ledger, he creates a transaction that just assigns the value from his portion of the ledger to Alice's portion, and then he signs it and he broadcasts that signature. And so everyone on the network can cryptographically verify that the transfer is authentic by Bob. So this block of transactions actually refers to the previous block of transactions, which refers to the previous block all the way back to the Genesis block, which was the very first Bitcoin block.
Starting point is 00:06:48 And that's what you commonly hear as the blockchain. So to actually do a double spend on the network, you would have to override all the proof of work that ever took part in that blockchain. And that's why it's secure. It's not impossible to forge a Bitcoin, but it's mathematically unlikely. So it's secure, but it's also not possible to get your Bitcoin back if it falls into the hands of bad guys or girls. As a Bitcoin user, you're assigned a private key. And it's that private key, it's really what people think of as Bitcoin. So there's a couple different ways. You can store your private key on your computer, but then anything that's on your computer can get to your private key and then to your Bitcoin.
Starting point is 00:07:29 So viruses, malware. And then, you know, what was common in the past was for people to say, well, good security is hard. I'm going to trust a third party to do it. So there's online wallets that will store that private key for you and kind of abstract that away where you just kind of have a web wallet. The last few years have seen a move towards hardware wallets. And it's just about this idea of keeping private keys offline on an air-gapped computer. So this is really just like a personal HSM that keeps those private keys generated offline, and they sign transactions offline. And so there's no way to extract the private key once it's generated on the device. If it all sounds a bit complicated, well, it is.
Starting point is 00:08:11 But Stanchfield says one of the main benefits of a hardware wallet is to protect the user from their own mistakes. With a hardware wallet, you guarantee that you have the bitcoins, they're in your control, and that it's very hard to stray and leak your private key and that's your Bitcoin. But what the hardware does is it's so simple that it's really difficult to do the wrong thing. You would have to go out of your way to do the wrong thing, and you would know that you were doing the wrong thing, like sending Bitcoin to someone else.
Starting point is 00:08:40 That's Darin Stanchfield, the founder of KeepKey. The OurMine hackers, known for their skittish compromises of prominent tech executives with weak social media passwords, claim they've taken down HSBC servers in the US and UK. The bank recovered rapidly. It's unclear whether any customer service was disrupted. Pokemon Go, its privacy concerns partly addressed if you've updated and done everything else right, continues its long march through the internet. TechCrunch reports that the game already has more active daily users than Pandora, Netflix, Google Hangouts, and Spotify, and that it's installed on more devices than such popular apps as Candy Crush,
Starting point is 00:09:22 Viber, LinkedIn, Clash of Clans, and Tinder. This is of security interest not only because of privacy issues, but due to the number of malicious apps trying to ride Pokemon Go's coattails. That number is exploding. Finally, we hear that out in, where else, Palo Alto, a security robot in a mall knocked down a toddler. The small boy wasn't injured, but he cried a lot. So, we have a clear violation of Asimov's first law of robotics. We mean, come on, it's not Skynet, but hey, robots, you're supposed to observe and report. Leave those poor kids alone.
Starting point is 00:10:46 lot of terms here on the Cyber Wire podcast, and we talk about zero days, we talk about half days,
Starting point is 00:12:05 but we don't often stop to take the time to explain what we mean by those. I was hoping maybe you could explain to us, what are we talking about when we talk about a zero day or a half day? You know, the security industry has its own dictionary, and that dictionary is growing on a daily basis. You know, but zero day and half day are terms where, you know, a zero day is an exposure that the industry is not yet aware of. It's typically where a bad guy has gone through the source code themselves, have identified a weakness in that source code, and then they utilize that source code to weaponize it into an exploit or an exposure.
Starting point is 00:12:42 A half-day is, ironically enough, an exposure that the industry is aware of, but has not yet patched it or has no immediate plans to patch it. A lot of vendors will take bugs or bug reports from the industry or from their own organization, and they will prioritize those bugs to determine at what point that they're going to introduce them as a fix. So, you know, bad guys will monitor those open forums of people talking about bugs they've seen. They will then identify if they can weaponize those into exploits or exposures. You know, the average zero day gives an intruder about 10 months of undetected access to an enterprise.
Starting point is 00:13:32 And the average half-day gives an intruder about eight months of undetected access to an enterprise. So they're both very, very valuable commodities in the industry. And then when we shift from zero days and half days, then we're talking about APTs or advanced persistent threats. Yeah, so a bad guy identifies a half day or a zero day, and then he weaponizes that into an exploit or an exposure. And then what he does is that he can then create a package that will load or install that exposure on a victim and then have the ability of staying persistent or resident on that computer for some extended period of time without being detected, as an example. That is what we call an advanced persistent threat. It's the ability for an exposure to stay resident
Starting point is 00:14:19 on a compromised computer and do its activity, collect keystroke data, download proprietary information from the company, and send it to the bad guy without being detected and persisting for some extended period of time. Do we have any sense for how long a typical APT rattles around inside someone's system? You know, the industry average has been around a year to a year and a half. And so, you know, to sort of put that in context, a bad guy essentially has access to your enterprise with the same level of access as most of your enterprise users for a year and a half.
Starting point is 00:14:58 And that gives them the ability of downloading data. That gives them the ability of monitoring keystroke data and passwords of all the employees. And the theory goes that the reason why that it lasts for a year to a year and a half is because once the bad guy has gotten access to pretty much all the data that they believe they need, then they get a little bit more sloppy in how they're managing that access and that system, and they then become more detectable as a result. Dale Drew, thanks for joining us.
Starting point is 00:15:33 And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
Starting point is 00:16:26 I'm Dave Bittner. Thanks for listening.
