CyberWire Daily - Daily & Week in Review: Pokémon Go's astonishing success. (And attack surface?) Crime, folly, the punishment thereof.
Episode Date: July 15, 2016
In today's podcast we hear about ISIS and its response to pressure from its enemies. The news is decidedly mixed, especially given the tragedy in France. Familiar banking Trojans, exploit kits, and ransomware pick up some new functionality. Someone's jackpotting ATMs in Taiwan. SAP and Cisco patch. US court rulings have privacy and liability implications. Venture capital investments and M&A news. Ben Yelin tells us about a 4th Amendment case involving privacy on your home computer, and Eli Sugarman from the Hewlett Foundation's Cyber Initiative shares their grant-making story. And Pokémon Go continues its irresistible rise. Don't slip into any augmented reality pitfalls.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
ISIS may be under pressure, but so are its adversaries in the civilized world's intelligence and security services.
Old malware learns some new tricks.
Taiwan deals with an apparent case of ATM jackpotting. U.S. court rulings have implications
for privacy and liability. SAP and Cisco round out a week of patching. Some security startups
get infusions of venture capital. And augmented reality continues to go global as Pokemon players try to catch them all.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, July 15, 2016.
The tragic Bastille Day massacre in Nice, rendered all the more tragic as warnings of danger
that police distributed through social media failed to reach the victims in time, has prompted
much introspection among intelligence and law enforcement services.
In brief, increasing pressure on the ground is apparently driving ISIS
not only toward more dispersed, out-of-area attacks
(and the U.S. FBI director warns that more may be coming),
but also toward renewed aspirations for an aggressive online presence and cyber-attack capability.
Recruiting is turning
toward less sophisticated prospects in Southeast and Central Asia and to criminal snitches,
mostly in Western Europe, who've been discovered and turned by jihadists. Loss of territory in
the Levant appears to be making training more difficult, but the untrained can still be
inspired or compromised. Avira warns that Locky ransomware is now able to encrypt victims' files
without needing to connect to a command and control server.
And FireEye notes that an IE exploit has been added to the Neutrino kit.
It appears to have been reverse-engineered from a proof-of-concept researchers at Theori prepared in June.
Neutrino is widely used by criminals,
having largely superseded the earlier and
essentially defunct Angler exploit kit. Taiwan's First Bank was hit early this week by criminals
who made off with about $2 million. The criminals were masked, as bank robbers should be, but they
held up ATMs and not tellers. Dozens of machines are said to have been hit. The crooks used some
form of connected device, possibly a
phone, to trigger three different malware files that, as CNN Money reports, were instructed to
spit out the cash and then delete evidence. How the machines were infected remains unclear,
but the malware was there to enable a quick physical interaction.
We heard from Craig Young, computer security researcher for Tripwire's Vulnerability and
Exposure Research Team, VERT, who sees the case as a likely instance of jackpotting. Young says,
quote, "From the description, it sounds like these thieves likely had installed malware ahead of time,
enabling a wireless connection to jackpot the ATMs. It's also possible that a vulnerable
wireless service could allow unauthorized access from hackers." End quote.
Investigation is ongoing.
Several court cases this week send decidedly mixed signals to the cybersecurity community.
Microsoft won a round in its fight to keep data secured in Ireland,
away from U.S. investigators.
But other decisions suggest some expansive interpretations of what counts as computer crime and how far civil liability for online activity can stretch.
We'll hear a bit later from our partners at the University of Maryland's Center for Health and Homeland Security,
who'll take us through other recent rulings on privacy, home computing,
and the Fourth Amendment to the United States Constitution.
Congratulations to the winners in the latest U.S. Cyber Challenge round being recognized today in Delaware.
And in other matters related to the health of the cyber sector,
we spoke to Eli Sugarman of the William and Flora Hewlett Foundation.
He described their foundation's cyber initiative.
For most of the foundation's 50 years, we've had a grant-making interest in some aspect of national security.
Most recently, that was preventing nuclear proliferation
via our nuclear security initiative.
And when our new president joined the foundation
about three, four years ago,
he started looking for emerging threats
that were relevant for national security,
but that were a little more on the leading edge
that philanthropies should be focused on,
but that weren't at the time.
And after doing quite a bit of research
and talking to a lot of experts in the field, settled upon cybersecurity as one that really
is affecting society and every American and every global citizen more and more, and that
it really demands long-term attention in the way that philanthropies can provide.
The Hewlett Foundation's Cyber Initiative is a five-year, $65 million grant-making effort.
And so our three biggest grantees are Stanford University, MIT, and UC Berkeley.
And so we've made those three anchor grants at three leading research universities,
really to anchor what we believe needs to sort of be created, which is a sort of
multidisciplinary field. And so each university is creating an interdisciplinary center that pulls together computer science and engineering with policy, law, economics, business, social sciences,
to do two things, to really pursue research that's very policy relevant, that's anchored in reality and real-world problems.
And then secondly, not to suggest it's less important, but also equally, if not more important, is education.
They're trying to create new educational programs that, again, are multidisciplinary and give students the technical knowledge they need, as well as the non-technical overlay,
so that when they enter the workforce, they can work in government, they can go work in industry,
they can work in academia, and again, they can translate and understand the different sides of these issues.
Cybersecurity is a relatively young, rapidly evolving field, and Eli Sugarman says it's
important that the foundation take an ideologically neutral approach.
We need to fund lots of different viewpoints because we don't have an institutional viewpoint
that we want to fund voices on the left, voices on the right, technical voices, social sciences
voices, you know, voices from the hacker community,
voices that are more from the vendor community, and lift those up and put them into the debate and let the marketplace of ideas and policymakers choose what the best outcomes are, because that's
their job. We think that we can help create the foundation for a mature debate and ecosystem,
but that it's not our role to pick the winner and to pick the right answer on a policy
question. And so we fund right-of-center think tanks, we fund left-of-center think tanks. We are
trying to bring more diverse and new voices to the debate to make sure that they're inclusive and that
all the different aspects of these various issues are touched upon. We're saying that, listen,
different fundamental values are in tension. And the real hard work is rolling up your sleeves, getting in there and figuring out how to manage those trade-offs. The cyber initiative
has been underway for about two years now, and Sugarman says they've discovered some interesting
challenges along the way. It's really hard to build trust among the different groups who play
in this field, in this space, given how acrimonious a lot of the conversations are
about whatever timely policy issue is. And so trying to find ways to say,
how do I bring together the civil liberties community with the national security community,
with the vendor community, with the academic community, with other key stakeholders,
and really build trust and connective tissue such that they want to work together to solve problems,
as opposed to just blaming each other for being the problem or labeling them,
you're from that other tribe and I don't want to talk to you. Doing that is really hard because it
really depends on individuals who have credibility in other stakeholder groups and want to reach
across the aisle and really want to work together. And so we can do that in small curated gatherings,
but it's really hard to scale that.
And to really solve this problem, you need to scale it.
So that's an area that, I don't think,
well, we knew it would be challenging.
I don't think we fully appreciated
how challenging it would be.
So right now we're starting to bring on a consultant
and an evaluation to figure out
what are models from other fields that have been built
that may be relevant,
what are other ways to build trust at scale, and to really learn and do better at that.
The other thing that we've learned is that trying to attract funders, whether foundations,
corporate philanthropy, high net worth individuals, it's tough because a lot of people think
that government and industry alone will solve these problems, which we firmly do not believe.
We believe they're key partners, but that there's a critical role here for philanthropy.
So it's been hard to catalyze more funding.
Part of it is I think people just assume government and industry are going to fix it.
If you go to other foundations, sometimes they don't have the existing expertise on these issues, so they find it a little daunting to dive into this new area.
And really making that case for why resources from outside of government and companies need to come online for this, that's been challenging as well.
And so that's an area that we're increasingly focused on.
I asked Eli Sugarman how the Hewlett Foundation will measure success.
We're just trying to prove the concept, to sort of serve as that funder on the sort of front leading edge to then show what's possible,
get others to come in and partner with us or take a different approach based upon what we've learned
that success for us is not solving this problem by ourselves because we don't think we can.
We're sort of a small player here, but really what success is, is catalyzing that broader
movement that we're trying to achieve. We're agnostic as to the specific policy outcomes,
but really just want to create a healthier ecosystem. And so any way that we can be
supportive, we're always happy to talk about that and always in search of new creative ideas,
because we completely will be the first to admit that we don't have
all the answers, that we rely upon our grantees and the experts we support and partner with.
They're the real experts. They're the ones who do the real work. And we need them to lead the way
and really help come up with all the creative ideas and all the great work that needs to be
funded. That's Eli Sugarman. He's the program officer of the William and Flora Hewlett Foundation's Cyber Initiative.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize
key workflows like policies, access reviews, and reporting, and help you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and
securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe
and compliant.
Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, an interesting article came by about the federal courts ruling that the Fourth Amendment does not protect your home computer.
My response to this was, really?
What can you tell us about this case?
So I think it's a very consequential case.
The case is United States v. Matish,
and it took place
at a district court in the Fourth Circuit
down in Virginia, and it centers around
an FBI investigation
of this website Playpen,
which is a child pornography website,
and
it's a Tor hidden services site,
so the government had to use NIT to track the site and ended up tracking this user.
They arrested this user on child pornography charges, and the user attempted to suppress the evidence based on a Fourth Amendment claim that searching this person's home computer violates his reasonable expectation of privacy.
Under the Fourth Amendment, if a person has a reasonable expectation of privacy,
then it is a search for Fourth Amendment purposes and is subject to Fourth Amendment protection.
What this court tried to argue is that this person did not have a reasonable expectation of privacy using a Tor hidden services site, because in order to sign
up for this technology, he had to submit his IP address. And under what's called the third party
doctrine, if you submit identifying information that you know would be submitted to a third party,
for instance, the numbers you dial, if you know that those are going to be submitted to
the phone company, then you forfeit your expectation of privacy under the Fourth Amendment.
So the court held that there was no search for Fourth Amendment purposes,
and that even if there was, there was a warrant based on probable cause.
So, but, I mean, using your telephone system analogy,
I would reasonably expect that, you know, the metadata of my phone call would be subject to being, you know, gotten perhaps without a warrant, but not the actual, you know, not a recording of my phone call itself.
How does that analogy extend to this? The FBI would know that this person was interacting with whatever website he was, but then to go in and search through his computer in his home seems like a stretch to me.
Is that a good line of reasoning?
I think that's a reasonable inference.
This sort of reminds me of a concurrence that Justice Sotomayor made in a case called United States v. Jones.
And she talked about that when this third-party doctrine was ratified early in the 1980s,
it was a very different technological landscape.
And there wasn't much one could reveal in the metadata submitted to the phone companies.
It was just a number.
Now, your use of technology, even if it's not the content of communications
or the content of conversations, can actually reveal a lot of
private and personal details, medical histories, personal interests, political affiliations,
just by knowing an IP address, for example. So I think the court in this case misapplied the law,
and I would suspect that the Fourth Circuit Court of Appeals would probably reverse this decision.
And if it got up to the
Supreme Court, I think it would be a very interesting test of whether Sotomayor's concurrence,
which noted that the third-party doctrine may indeed be outdated in light of modern technology,
whether it would still apply. All right, Ben Yelin, more to come. We'll keep an eye on this one. Thanks for joining us.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
A week of patching is rounded out with fixes from SAP and Cisco. SAP has issued 36 patches,
two of which the enterprise software maker rated high priority. Cisco addressed security issues
in its Cisco IOS, IOS XR, ASR 5000, WebEx Meeting Server, and Cisco Meeting Server.
In other industry news, Delta Risk Cybersecurity Services announced plans to acquire Allied Info Security.
Denver-based CyberGRX emerged from stealth with $9 million in Series A funding led by Allegis Capital.
Bay Dynamics received $23 million in Series B funding earlier this week.
That's a correction from the number we reported yesterday.
At the SINET Innovation Summit in New York yesterday,
we heard of much interest in connecting security companies
with investors and government agencies.
A few of the points speakers made are worth noting here,
as we hear of some successful
and innovative startups. Those who buy from and invest in startups offer this advice. Young
companies succeed if they can execute, if they're differentiated from the very large field of
competitors, and if they have market space for what they're offering. And as one panelist put it,
when asked what counts as success, quote, "Success is building a sustainable business,
not how much money you raise or who's on your board."
We'll have a full report on SINET's 2016 Innovation Summit this coming Monday.
And finally, Pokemon Go shows no signs of flagging popularity. Its inexorable long march toward our newly augmented reality continues apace.
TechCrunch reports that the game's revenue per user and its retention
rates are double, that's right, double the industry average. The game has reached the UK,
and its purveyors say that they'll go global once they've released it in two or three more countries.
It's interesting to us, of course, not because we all play Pokemon (well, okay, some of our staff
might, but others seem to prefer Crash Bandicoot), but because any widely distributed
app presents an increased attack surface and ample opportunity for fraud. Even the U.S. Senate,
well, okay, so it's mostly Senator Al Franken, is concerned. Pokemon Go's security risks remain
intensely debated. Whether the privacy issues that cropped up from the inadvertently extensive
privileges the game initially assumed have been fully addressed or not, players are strongly cautioned
to be alert for bogus apps and
pirated versions, and to look
both ways in physical space before crossing
streets. Augmented reality
isn't yet so augmented that it will
protect you from a smash-up.
Let's be safe out there, friends.
And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.