CyberWire Daily - Daily: Social media aren't automatically on the right side of history, it seems. More on the Adups backdoor. Holiday shopping cyber-safety and security.

Episode Date: November 17, 2016

In today's podcast, we hear about German concerns over Russian meddling in elections. In the US, the NSA Director says a nation-state made a conscious attempt to influence American elections. Dictators can use social media, too, it seems. Huawei and ZTE reassure customers about the Adups backdoor. Holiday shopping security warnings are out, and they're not just about online purchases, either—watch out for that in-store Wi-Fi. The UK's Snooper's Charter passes the House of Lords. Ran Yahalom from Ben Gurion University describes USB hardware attacks. John LaCour, CEO of Phishlabs, provides advice on avoiding (wait for it…) phishing attacks. And a Russian court tells that country's ISPs to shut down LinkedIn—it's a concern about privacy, don't you know.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:56 German concerns about Russian election influence mount. In the U.S., the NSA director says a nation-state made a conscious attempt to influence American elections. Dictators can use social media, too, it seems. Holiday shopping security warnings are out, and they're not just about online purchases, either. The U.K.'s Snooper's Charter passes the House of Lords, and a Russian court tells that country's ISPs to shut down LinkedIn. It's a concern about privacy, don't you know? I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, November 17, 2016.
Starting point is 00:02:40 Hans-Georg Maassen, head of Germany's Federal Office for the Protection of the Constitution, adds his voice to warnings of potential Russian interference in German elections. Maassen told Reuters he thinks the Russian objective would be to erode confidence in German institutions and to sow mistrust among members of the European Union. The information operations he describes would count as black propaganda, that is, as false stories, the counter to which he says should be unmasking and rumor control. Foreign Policy makes a depressing observation about cyberspace, both in terms of security and in terms of information operations. Repressive regimes have found many ways of turning social media to unfortunate advantage. Twitter's rise as the day star in the false dawn of Iran's Green Revolution now seems like ancient history.
Starting point is 00:03:26 Information may want to be free, sure, but a kind of Gresham's Law might also be operating here, with bad money driving good money out of the marketplace. So German concerns track U.S. concerns on this matter fairly closely. NSA Director Admiral Michael Rogers said this week that an unnamed state, but there's no mystery about which one, the U.S. intelligence community named Russia a few weeks ago, made a conscious effort to affect the recent U.S. elections via WikiLeaks. The WikiLeaks connection is significant since it would make the operation Julian Assange leads to be, in U.S. official eyes, at the very least an agent of influence acting
Starting point is 00:04:05 on behalf of Russian interests. It's worth noting that whatever motives WikiLeaks has are likely to be overdetermined. Assange probably had political rooting interests and taste for online muckraking long before any alleged contact by Russian organs. Reactions in the U.S. press are interesting. Mother Jones wants Congress to investigate, and Mother Jones is sounding perhaps surprisingly a lot more like Mr. Deeds than their labor activist and Wobbly founder namesake. An op-ed in the Christian Science Monitor's Passcode, remembering that the documents leaked were apparently genuine enough, argues that the big lesson to take away from the U.S. elections is that everyone, especially politicians and their staffs and their enablers,
Starting point is 00:04:47 needs to do a better job of securing themselves online. An ongoing threat to organizations and individuals alike are phishing attacks, typically emails that use social engineering to get users to click through to nefarious websites or otherwise unwittingly do the bidding of the baddies. We checked in with John LaCour, CEO of PhishLabs, for some advice on fighting the phishers. Security hardware and software companies try to make technology that catches the attacks before they get put in front of humans. And by and large, they work pretty well.
Starting point is 00:05:20 Most of the bad stuff is filtered out. But yet some of it still gets through. And the bad guys are able to tailor their emails and tweak them over time to figure out how to make them get through. So some of these malicious messages end up in user mailboxes where users have to take action to either infect their computer,
Starting point is 00:05:41 open the back door for the bad guys. Automated technology is not going to be a panacea, but it does help. Do people's perceptions of phishing align with the reality of it? Do people consider it to be the serious threat that it is? Do they take it more seriously than they should or less seriously than they should or somewhere in the middle? I think people don't take it seriously enough. I think it's one of those things where they hear about the media stories of data breaches, but most people think, well, that happens to other people or I'm going to recognize the attacks. But the reality is that, and it's a good thing in a way, most people's human nature is to be
Starting point is 00:06:22 helpful. And so the attackers know this and use that as part of their attack. So they'll send email messages that are friendly. In some cases, the attackers will send emails that are very demanding and ominous, and they want to encourage people to take action right away. And so I think people don't understand how sophisticated some of these attacks can be and generally are not very good at spotting the phishing messages. You know, we've known about phishing for a long time and companies are still losing, in some cases, millions of dollars every year to phishing attacks. So, you know, the results speak for themselves. Phishing is still a big problem. So what's your advice to companies who want to try to get a better handle on this?
Starting point is 00:07:09 Yeah, so my advice to companies is to really do three things. It's a three-pronged approach. The first is to educate your users. And that's your first line of defense after the security technologies that you've already invested in. The second step is once you've educated users, leverage them as part of your threat detection system, if you will. Have a process whereby users can report suspicious emails and have them acted upon. And then thirdly, take those learnings from those reports and use that as a feedback loop
Starting point is 00:07:40 to better your security posture, whether that's by improving technology and tools that you've purchased, whether that's by improving your education program, or just better information about what sort of information or data your attackers are going after. That's John LaCour from PhishLabs. Huawei and ZTE scramble to reassure customers about the Adups backdoor Kryptowire researchers found in too many phones. Huawei asserts firmly that it's never been a customer of the Shanghai Adups Technology Company. ZTE doesn't go quite that far, but it does say that none of the phones it sold in the U.S. feature the backdoor.
Starting point is 00:08:21 Enigma Software predicts a holiday cybercrime spike, and others, including Core Security and SkyCure, offer advice on staying safe while shopping. SkyCure's even got a rundown on the riskiest mall Wi-Fi systems. You can read the whole thing from the link in today's CyberWire Daily News Brief, but we'll just say that there's one shopping center in Vegas where you should probably keep your phone turned off. Recorded Future is offering a peek into the mind of the cybercriminal. Readers of Freakonomics who've seen how low-level street criminals are recruited even though the money goes to the kingpins, and those of you who saw Donnie Brasco and remember the Pacino character
Starting point is 00:08:59 trying to saw open parking meters for chump change won't be surprised to learn that low-level cyber hoods lack skills and really just don't make very much. But alas, they're still out there, so be on guard when you shop during the holidays. Others are predicting a holiday surge of denial of service, too, in part because the barriers of entry in this part of the criminal market have dropped as much as they have.
Starting point is 00:09:22 The Cyber Wire heard from Plixer's CEO Michael Patterson on this issue. He said, quote, it's no surprise that the volume of DDoS attacks are on the rise. It provides value to cyber criminals in multiple ways, end quote. It can, as we've seen, serve as a misdirection for a simultaneous targeted attack, and the threat of DDoS can be a way of extorting companies, like retailers depending on holiday online sales, to pay up or face seasonal ruin. Patterson went on to say that the widespread availability of Mirai source code has contributed to the problem, as has the proliferation of connected things in the Internet of Things.
Starting point is 00:09:59 Quote, if you consider that Gartner estimates that by 2020, 50 billion connected things will be on the Internet, you can appreciate that the trend here isn't really our friend. End quote. In the UK, the Snooper's Charter passes the Lords. This means that once it receives the expected, essentially routine royal assent, it will become law, probably before the new year.
Starting point is 00:10:22 And finally, because the Russian government cares as much about personal privacy as it does about combinations in restraint of trade, a Russian court has ruled that the country's ISPs must block LinkedIn. You did see that Kaspersky and Microsoft are now in an antitrust dust-up in a Moscow court? Hmm.
Starting point is 00:12:14 Joining me once again is Ran Yahalom. He's the project leader at the Malware Lab of the Cybersecurity Research Center at Ben Gurion University. Ran, USB devices are one of your specialties,
Starting point is 00:12:52 and today you wanted to take us through some potential hardware vulnerabilities when it comes to USB devices. I want to talk about two categories, primary categories of USB hardware attacks. The first one is what I call Trojan attacks. Now, there are many inexpensive microcontrollers out there that can be used to emulate different USB devices, practically any USB device, while being concealed in an innocuous casing. For example, you can consider the Teensy, which is a complete USB microcontroller development system and comes with many free software development tools and can be purchased for only $20.
Starting point is 00:13:26 And another example is the universal RF USB keyboard emulation device, which was developed by Monta Elkins, which is basically a Teensy with an additional radio frequency component attached to it, and it allows the adaptive and remote delivery of keystrokes to a computer. So it's actually overcoming the blind timing and selection of attacks. And these are challenges that it's impossible to overcome if you can't operate from a remote location. And a different example is the USB Rubber Ducky, which is a commercial keystroke injection attack platform. It's based on an Atmel microcontroller that poses as a keyboard.
Starting point is 00:14:08 And it's developed by the nice folk at Hak5. It can be purchased for about $45. It's a little bit more expensive, but it does almost everything with a very simple language that you can code the scripts with. And once you inject it, it will automatically execute a script of commands. It's capable of changing system settings, opening back doors, retrieving data, initiating reverse shells, or basically anything that you can achieve with physical access.
Starting point is 00:14:40 And it does that all in a matter of seconds. So the second category, I guess you can call them electrical attacks. Um, this thing was originally referred to as a USB Killer, and it was developed by a Russian security researcher in 2015 nicknamed Dark Purple. And what he did, he just built a USB stick that's capable of destroying sensitive components of your computer once it's plugged in. Okay, basically what he does is, once you connect the stick to a host USB port, it starts the operation of a voltage converter on the USB stick, which charges a capacitor to about minus 220 volts. And then when that voltage is achieved, the converter is switched off,
Starting point is 00:15:26 the capacitor is discharged, and its accumulated energy is just supplied to the signal lines of the USB interface, and the cycle is repeated in about a couple of seconds. You can incapacitate the host computer, so it basically fries part of the computer. So what we really should hope for our new USB device is that the manufacturers do add some kind of hardware signature validation of the firmware. And another approach maybe would be to develop all sorts of detection methods, kind of like what my research is aiming at, so that we can continue using the very many currently available USB devices. But be safe. All right, Ran Yahalom, thanks for joining us.
Starting point is 00:17:10 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
