CyberWire Daily - Daily & Week in Review: Classified info--goose sauce, gander sauce. Security industry buoyed by Avast, AVG.

Episode Date: July 8, 2016

In today’s podcast, we talk through the ramifications of Android encryption issues. Experts consider the implications of D-Link vulnerabilities for IoT security. The Wendy’s paycard breach has gotten much bigger. Familiar exploits circulate in the wild, and Mac backdoors make a comeback. CryptXXX is joined by a new ransomware variant, Cryptobit, and DedCryptor continues to play the Grinch. Avast’s purchase of AVG encourages the markets. The EU adopts new data regulations aimed at improving resilience. The FBI explains what it found in its investigation of Hillary Clinton’s emails, and defense attorneys find new lines of defense. Accenture's Malek Ben Salem shares how big data can help with analytics, and we learn about early-stage startup accelerators from Mach 37's Bob Stratton. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me. The Wendy's paycard breach has gotten much bigger.
Starting point is 00:02:06 Familiar exploits circulate in the wild, and Mac backdoors make a comeback. CryptXXX is joined by a new ransomware variant, Cryptobit, and DedCryptor continues to play the Grinch. Avast's purchase of AVG encourages the markets. The EU adopts new data regulations aimed at improving resilience. The FBI explains what it found in its investigations of Hillary Clinton's emails, and defense attorneys find new lines of defense. I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, July 8, 2016.
Starting point is 00:02:41 Another encryption issue surfaces in the Android ecosystem. Orange Labs reports that Android's Keystore default implementation could be susceptible to forgery attacks. It's a proof of concept, not an attack in the wild, but the news is nonetheless unwelcome. Orange Labs says Keystore's hash-then-encrypt authenticated encryption scheme in cipherblock chaining mode doesn't guarantee the key's integrity. The researchers admit that criminal exploitation wouldn't be easy. It would, for one thing, require that the victim install a malicious application that needed key store read-write permission. They disclosed their findings to Google in January.
Starting point is 00:03:19 This report joins concerns expressed earlier this week about Android's Keymaster module, whose Qualcomm environment was found vulnerable to reverse engineering. Qualcomm says that it fixed the vulnerabilities in 2014 and so informed Google. If there's still a problem here, one infers, it's not Qualcomm's. Some follow-up to the D-Link device vulnerability. It affects not only routers, but web-connected cameras and other consumer IoT devices as well. Michael Patterson, founder of Plixer, points out that the risk here is widespread and may prove difficult to contain. Taking smart TVs as an example of the issues that arise with the connected home, he said,
Starting point is 00:03:57 I fear that some manufacturers may not be patching the OS of old TVs, as most don't require any type of subscription for updates. Thus, consumer electronics may be making another contribution to the botnet world. Wendy's, the U.S. fast food restaurant chain, has determined that the payment card data breach it sustained when criminals gained access to its network late last fall was more extensive than previously believed. More than a thousand restaurants were affected, and Wendy's thinks the attackers gained access to the company's network through some third party or parties. Service providers' remote access credentials, the company
Starting point is 00:04:35 said, appear to have been compromised. Some observers think the chain needs to consider a radical response, decommission and replace its current infrastructure. Brad Boosey, director of product manager at StealthBits, told us that, quote, the most logical thing to do in this instance is to invest in protecting your brand and deploy new servers to all Wendy's locations. The damage the malware has caused and will continue to cause can't be assigned a simple monetary value.
Starting point is 00:05:01 The reputation of Wendy's is at stake, and the quickest and most controlled way to eradicate the hack is to decommission the current store's infrastructure, end quote. He thinks Wendy's might do well to be guided by an analogy with farming, quote, when the breadth and depth of an infestation is unknown, it makes the most sense to burn your fields, till the earth, and start over, end quote. We often hear about the contribution data analytics can make to security and how big data analytics in particular can offer insight into defense. Malek Ben-Salem from our partners at Accenture Labs
Starting point is 00:05:33 talked us through big data and big data analytics. We'll hear from her after the break. Elsewhere in cyberspace, the Covter click fraud malware is posing as a Firefox update. Users of the Firefox browser should exercise caution. Banks in Japan are sustaining a wave of Beblo Trojan infestations, and the venerable NetTraveler spy tool, which researchers have been tracking since 2012, has returned to targets in Eastern Europe. Mac backdoors are also making a comeback.
Starting point is 00:06:02 ESET has found another, Keydnap, which is hunting passwords in Mac keychains. The advantage in ransomware seems, for the moment, to be shifting back toward the criminals. Sucori has observed a new variant, Cryptobit, being distributed in a campaign called Real Statistics. Real Statistics, which is also pushing the more familiar Cryptex, is using the Neutrino exploit kit and exploiting compromised websites based on the Joomla or WordPress content management systems. Cryptex itself has grown harder to track. It's being distributed in more effectively obfuscated forms, as, for example, in pseudo-DarkLeach.
Starting point is 00:06:40 It now directs victims to a new.onion site for payment, payment still accepted in Bitcoin, of course, but it's now removed the customer service support it once provided its victims in order to make it easier for them to cough up their ransom. Died Kryptor, the ransomware that struts its stuff as an evil Santa Claus, or, more properly, as our editor pedantically insists, an evil Died Moros, is spreading out a bit from its Russian heartland and infecting more English-speaking users, and removes the opportunity to contact customer service. Died Cryptor is still asking for two Bitcoin, about $1,300, if you want to be taken off the naughty list.
Starting point is 00:07:29 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Thank you. slash cyber for $1,000 off. Cyber threats are evolving every second,
Starting point is 00:08:38 and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:09:13 And joining me once again is Malek Ben-Salem. She's the R&D manager for security at Accenture Technology Labs. Malek, I know one thing you wanted to share with us today is your take on how big data can help with analytics. Absolutely. I think big data technology is enabling new security analytics use cases and applications. Companies today struggle with their security analytics if they're only collecting data or acting upon data, such as security alerts and events collected by their SIM tools, the security information event management tools, or by looking at their logs from their firewall servers.
Starting point is 00:10:03 Those are just the tip of the iceberg in terms of the things that they, the types of data that they can analyze. The reason why they cannot analyze more data is prior to this is because we didn't have these big data repositories. But today with technologies like big data frameworks, Hadoop-based frameworks where storage is no longer a problem, we can collect a lot more and act upon a lot more data. For example, we're no longer limited to web application firewall data. You can look at your user web browsing behaviors.
Starting point is 00:10:41 You can gather data about malware from the internet. You can gather data like, what are the blacklists and watchlists, and link that to malware that you see to understand what's going on within your network. You can use business process data to understand how your applications are doing and identify if they're undergoing an attack. You can leverage social media activity, email data to understand or to analyze your employees' behavior and identify if there are any insider threats within your company. So a new range of use cases, a new range of applications are enabled by the ability of being able to link structured and unstructured data through these big data frameworks, big data repositories, and big data processing capabilities.
Starting point is 00:11:43 Malek Bensalam, thanks for joining us. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives
Starting point is 00:12:21 and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. In industry news, Avast's move to buy competing and complementary security company AVG for $1.3 billion has had a generally positive effect on the markets. The acquisition seems both a bid for a geographically wider market and an IoT security play. Cybersecurity exchange-traded funds enjoyed a nice bounce on the news. The acquisition is also regarded as an auspicious sign for prospective sellers, notably Intel, which is interested in finding a buyer for its security unit, and for companies like FireEye that are perennial subjects of acquisition speculation. We wanted a take on the current state of the early-stage startup ecosystem, and so we spoke
Starting point is 00:13:12 with Bob Stratton of the Mach 37 Cyber Accelerator to gain some perspective. Our focus is restricted to things that are specifically oriented around cybersecurity products. oriented around cybersecurity products. We started in September 2013 and since then have helped launch 35 security product startup companies. Mach 37 is located in Northern Virginia and Stratton says from the outset being in the mid-Atlantic was a deliberate choice. What was then an intuition, and which I now actually can prove, is that we had perhaps the highest density of security expertise in any region in the world
Starting point is 00:13:52 in the mid-Atlantic area. And more recently, that's been borne out because I know there was at least one analysis done across all the security people that could be found on LinkedIn. And about half were found could be found on LinkedIn. And about half were found to be in the U.S., and the single biggest concentration of security expertise in that group was in the Washington, Baltimore area at around 6%,
Starting point is 00:14:19 whereas the closest runners-up were New York and Silicon Valley, and they were both in the 2% range. So what was an intuition for us has been borne out, which is that we're in an area that has the people who understand the threat and understand the problem. However, the economy in this region tends to be very service-oriented. And one of the things that we've often wondered about is, you know, why don't we see more product companies out of the Mid-Atlantic region, given that we have all this talent here that understands this stuff? And the answers to that come down to a couple of things. Access to capital, investment capital, is certainly one big factor.
Starting point is 00:15:01 And another is that a lot of the people that start these kinds of companies tend to be technical founders. They tend to have come from the technical track initially and may not, if you're talking about a first-time CEO, for example, they may not have been through some of the more management, traditional business history that, you know, startups and other sectors, those founders might have come from. So we realized that in order to address kind of all of those things, you needed to do a couple of things. One is you needed to create an ecosystem that would foster access to capital and customers, frankly. But also we decided that a curriculum was in order.
Starting point is 00:15:44 So we decided that a curriculum was in order. So unlike a lot of other accelerators where the program may consist of office hours with mentors and a dinner once a week, we actually built a 14-week program that is oriented to what my partner, our managing partner Rick Gordon, calls the cumulatively exhaustive set of things a startup CEO needs to know. Mach 37 typically engages with startups early in the business lifecycle. We are usually the first money into a company, first outside investor into a company. We can and have taken a range of companies that span from a good idea on the proverbial cocktail napkin to companies that have come to us having built a product and having got customers and revenue. And we can tailor the program to the extent we need to, depending on that. But in general, they have not even raised a formal seed round yet in many cases.
Starting point is 00:16:47 So what happens a lot of the time is that right when they come out, that's the point where we're helping them do fundraising for a more formal structured seed round before they even think about going to a Series A. Stratton says Mach 37 focuses on product-based startups for a number of reasons. There's the obvious one, of course, that product companies often provide the best return on investment. But equally important, according to Stratton, is the issue of scalability. The reality is you have a lot of very talented people working on the service side of this, and none of us scale. This problem is huge is huge right we continually hear about we can't hire enough people we have all these rules that need to be filled we can't get enough analysts
Starting point is 00:17:30 at the end of the day if you're in a position if you have some expertise that you can encapsulate into some mechanism that's reproducible you may have the opportunity in some small way to be in more places than one at once and do more work than eight hours a day if you can embody that expertise into a product. And so if you even just look at it from the cybersecurity problem writ large and ask yourself the question, how can I achieve the maximal impact on this problem? There's an argument to be made that we need better products that solve more problems more effectively than we do now. Bob Stratton also shared some advice based on his experience working with so many startups. I've seen more worthwhile security product startups hurt out of an unwillingness to talk about what they're doing than I have ever
Starting point is 00:18:23 seen hurt because somebody took their idea. Ideas are a dime a dozen, and they may be brilliant, but execution at the end of the day is really what matters. And so because of our nature as security people, we tend to be, you know, very private and very concerned about telling anybody what we're doing and maybe even, dare I say it, a little bit paranoid, I've seen far more people hurt themselves by being cagey and not engaging with people who might be able to help them than I have ever seen hurt because somebody stole their idea. That's Bob Stratton from the Mach 37 Cybersecurity Accelerator. The name Mach 37, by the way, comes from the speed at which an object must be going to reach escape velocity from Earth. So yeah, pretty cool.
Starting point is 00:19:11 In policy news, as companies continue to mull the possible effects of Brexit, the European Union has moved to adopt new cybersecurity rules. Red Seal CEO Ray Rothrock had this to say about the EU's regulations. Quote, The EU's new cybersecurity rules are an important step forward. Fundamentally, they recognize that perimeter defenses, while necessary, are not sufficient to stop and, more importantly, recover from a successful cyber attack or disruption. Networks supporting critical services, such as banking, power distribution, drinking water, and week in the U.S.
Starting point is 00:20:00 involved the FBI's decision not to recommend indictment of former Secretary of State Clinton for mishandling classified information. FBI Director Comey testified before the House Oversight Committee yesterday. In essence, he said that while the former secretary was extremely careless, there was insufficient evidence of criminal intent to sustain a prosecution. There are some gestures in Congress to deprive the presumptive Democratic presidential nominee of access to classified information, but there's also movement toward other investigations. The State Department is reopening its own inquiry, and the House Oversight Committee
Starting point is 00:20:35 strongly hinted it would be asking the FBI to open a perjury investigation. And defendants in other cases involving the handling of classified information are already invoking the standards implied in the email investigation as they move for dismissal or acquittal. And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:21:36 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
