CyberWire Daily - Daily & Week in Review: US DNI Clapper says Russia "curtailed" election hacking after being named. Three Mobile breached. Android and iOS issues. Good news on ransomware. Start-up rundown. China calls its Internet controls "wisdom."
Episode Date: November 18, 2016
In today's podcast, we hear about US DNI Clapper's long-expected resignation and his contention that attributing election hacking to Russia seems to have induced Moscow to "curtail" such operations. The UK arrests suspects in an upgrade fraud scheme suffered by Three Mobile and its customers. Updates on Android spyware and banking Trojans. Siri might be helping bypass your iPhone's lockscreen. There's good and bad news about ransomware, but, happily, more good than bad. A quick review of the week's industry news, with an emphasis on cyber security start-ups. Dr. Charles Clancy from Virginia Tech's Hume Center outlines Virginia's new Cyber Security Range initiative. Sara Sorcher from the Christian Science Monitor's Passcode provides an overview of what we might expect from the Trump presidency. And, in China, wisdom sees a passing of the Mandate of Heaven in cyberspace. Or that's what wisdom's spokesmen are saying, anyway.
Transcript
You're listening to the CyberWire Network, powered by N2K.
US DNI Clapper submits his long-expected resignation
and on the way out comments on Russian election hacking.
The UK arrests suspects on an upgrade fraud scheme suffered by Three Mobile and its customers.
Updates on Android spyware and banking trojans.
Siri might be helping bypass your iPhone's lock screen.
There's good and bad news about ransomware, but happily more good than bad.
A quick review of the week's industry news with an emphasis on cybersecurity startups.
And in China, wisdom sees a passing of the Mandate of Heaven in cyberspace.
Or that's what wisdom's spokespeople are saying, anyway.
I'm Dave Bittner in Baltimore with your CyberWire summary
and week in review for Friday, November 18, 2016.
U.S. Director of National Intelligence Clapper has submitted his resignation,
as he's long intended to do.
It will take effect at the change in presidential administrations
and was planned before and independently of the recent election's outcome.
He's also said that he believes Russian cyber operations
against U.S. election-related
targets slowed noticeably after the U.S. intelligence community took formal public
notice of the attempts to influence voting. Whether any such curtailment was a win for
naming and shaming or for the retaliation threatened around the same time is unknown.
The incoming administration's prospective intelligence and national security appointments
are becoming known, but a successor to James Clapper hasn't so far been named.
We've been following news about insider threats lately, and any of you interested in seeing what an insider threat looks like in action may find a good example, by which of course we mean a bad example, in news from the United Kingdom. The mobile phone provider Three, which is said to have 8.8 million customers,
had noticed an increase in handset fraud over recent months.
This week, the company disclosed that about 6 million customers' personal information
had been breached by hackers using employee login credentials.
The information lost includes customers' names, phone number, address, and date of birth. For a sense of scale, the 2015 TalkTalk breach affected roughly 157,000 accounts,
and TalkTalk endured fines and lost business that it's only now recovering from.
TalkTalk estimated that the breach cost it £60 million.
It's too soon to guess what Three Mobile's exposure might prove to be.
The fraud and upgrade scam works basically like this, according to reports.
The grifters poked through customer records to find people eligible for upgrades, upgraded
them to new phones, and then intercepted the new phones, which they sold to other users.
It would seem fitting if sales were made from the boot of a car, but how the phones were
hawked isn't generally being reported.
There's also, of course, the fear that the personal information access could itself be
sold on the black market, although for now the crime appears to be, as they're calling it,
an upgrade scam. How the hackers got the employee credentials is unclear, but once in,
effectively they operated as insiders. Three arrests have been made, according to the National
Crime Authority.
Tripwire has an update on those Android lawful intercept tools
researchers found gurgling around on some servers formerly used by Hacking Team.
No, the spyware does not appear to be a Hacking Team product,
but researchers say it's using old Hacking Team command and control servers.
There are some other mobile concerns out there as well.
Staying with Android for a moment,
a banking trojan, Android.Fakebank.B,
is inducing users to add it to their device's battery optimization whitelist,
whence it remains active even when the phone's in doze mode.
It looks for a set of banking apps and, should it find one,
deletes the legitimate app and gets the user to reinstall a malicious version.
There are also some Apple iOS issues.
First, Threatpost reports that independent researchers have discovered a bypass vulnerability
in Apple's iOS versions 8, 9, and 10
that could allow an attacker to access photos and contact lists on a locked phone.
Until the bug is fixed, users can reduce their risk by disabling Siri on their lock screen.
The other Apple issue is more contentious. Elcomsoft calls it a bug, but Apple calls it a
feature. At issue is the way a user's call history is backed up to iCloud. Once iCloud is enabled,
data is uploaded often without user action or notification.
Elcomsoft sees this as a privacy problem. Apple calls it good backup service.
Ransomware continues to boom in the criminal market, accounting for a hefty fraction of the payloads delivered by spam,
as much as 97% of the spam PhishMe says it's monitored in the third quarter of this year.
Locky remains at the top of the leaderboard.
The good news is that victims seem to be coping better with crypto ransomware. A survey of 500 cybersecurity decision makers, sponsored by SentinelOne last month,
found that 27% of the time, the attackers failed to encrypt any of the victims' files.
45% of the time, some files were encrypted, but the victims were able to decrypt them on their own.
25% of the time, the victims were able to restore their files from backups.
And in only 3% of cases were the victims out of luck.
Looking back at this week's industry news, we've seen some movement of venture funding
into startups. Virginia-based next-generation antivirus company Invincea has raised $10
million in a funding round led by ORIX Growth Capital and Comerica Bank, with participation by Harbert Ventures and New Atlantic Ventures.
Uplevel raised $1.2 million for its new managed services model.
Threat intelligence shop Apvera closed $1.7 million from ACP and Springseeds Capital,
and Siemplify received $10 million to expand its security operations and incident response business.
MACH37-supported cloud server protection company Atomicorp raised $1 million in seed funding,
and Masterpiece Solutions announced the successful spinoff of its daughter companies,
SourceLite and Zool IoT.
And of course, Arlington Capital merged three of its portfolio companies into a new
cybersecurity player, Polaris Alpha. And finally, Chinese authorities make the case for their new
internet controls at the Wuzhen World Internet Conference as fair and equitable, and also as
bringing Chinese wisdom to cyberspace, where it will help everyone live together in ordered harmony.
That's certainly one way of looking at it.
We're surprised the mandate of heaven wasn't explicitly invoked, but then we haven't read
the entire issue of the People's Daily.
Maybe it's somewhere in the back with the sports, or maybe the lifestyle section.
Joining me once again is Dr. Charles Clancy. He's the director of the Hume Center for National
Security and Technology at Virginia Tech. Dr. Clancy, I know you wanted to talk today about a new state initiative called the Virginia Cyber Range.
Fill us in. What's going on here?
The Virginia Governor's Cybersecurity Commission recommended that the state invest in a cyber range
with the goal of improving curriculum and access to laboratory materials for principally high school and community colleges across the state of Virginia.
So the current fiscal year budget includes $2 million to build this range, and it includes $2 million next fiscal year to operate the range.
But essentially this range is going to include new courses.
This could include full courses or specific modules for courses. It will contain virtualized laboratory exercises that students will be able to take advantage of and teachers
who want to expand cybersecurity offerings, either at the high school or community college level,
or other colleges for that matter, will be able to take advantage of these sort of pre-canned
exercises and curriculum with the goal really of building capacity for cybersecurity education
across the Commonwealth of Virginia.
So really a reflection of the shortage of available qualified
people to fill those jobs.
Exactly. The same commission found that there were 17,000 empty
jobs in Virginia, vacancies in cybersecurity that needed to be filled. And if the state is going to
tackle this problem,
it requires a significant ramp up in the educational capacity for cybersecurity
across the Commonwealth and really across the entire country. The governor of Virginia is
currently the chair of the National Governors Association, and he's looking to push this agenda
nationwide and get governors excited about programs in their states as well
that would expand such capacity. And our hope is that if we can prove successful in this range
being a key tool in Virginia, we can expand it regionally and nationally with other states to
do the exact same thing across the country.
All right, good stuff. Dr. Charles Clancy,
thanks for joining us.
My guest today is Sara Sorcher. She's the deputy editor of Passcode, part of the Christian
Science Monitor that covers digital security and privacy.
After the U.S. presidential election, she wrote an article titled,
What Trump's Victory Means for Cybersecurity.
There are some clues. He has a cybersecurity plan on his website. And he said pretty recently that to truly make America safe, we truly have to make cybersecurity a major priority. So
he has been pretty strong on some of the things
that he's emphasized with cybersecurity. But there are some other comments that he's made
along the campaign trail that have worried industry professionals and so went through
some of that as well.
What kind of comments did he make?
Well, there were a few. I mean,
he was asked a question on cybersecurity at a debate back in September about what he would.
It was a pretty straightforward question about how to solve the cybersecurity challenges facing the country.
And kind of a winding answer where he talked about his 10-year-old son, Barron, being really good with computers and calling digital threats the cyber, which kind of started an Internet meme.
And a lot of the tech press really dismissed this answer as, you know, incoherent or utterly disconnected. I mean,
he's talked about how he doesn't, you know, doesn't really use computers at all. So there
was this sense of disconnect, you know, is this somebody that really understands what's going on
and the complexity of this? And he does have advisors. He, you know, his senior military
advisor is retired Army Lieutenant General Michael Flynn. And, you know, he has people who are
advising him who do know more. And it's you do see some of these things on his website that go into
more details about the plan. But, you know, some of there are questions about whether he himself
might need to brush up on cybersecurity issues when he's in office. And then really notably with all of the hacking that went on this election season, he did,
you know, a couple of times take a step away, you know, from blaming Russia for hacking
political organizations like the DNC.
And even after U.S. intelligence officials and cybersecurity researchers who investigated the hacks came out and said that they believe that there's enough evidence to blame Moscow.
And even Michael Flynn also broke with him to say that he thought that Russia was responsible.
Trump did not acknowledge that or say that he was willing to blame Russia.
And it kind of offered up his own idea that maybe it was China.
Or I think the quote was, you know, someone sitting on their bed that weighs 400 pounds.
So just kind of think out on this evidence.
So that raises some questions about is now the president elect when he's in office, is
he going to take these briefings more seriously?
Is he going to take the word of intelligence officials who are really on the front lines
of gathering intelligence in cyberspace seriously? Is he going to listen to his closest
advisors?
He did make some statements along the way about encryption.
Yeah, he did. That was
another thing. I mean, we during the campaign, we also had the big standoff between the FBI and Apple. Trump went so far as to call for a boycott of Apple
because he said he just said, who do you who do they think they are? You know, really questioning
the role of a company, the right of a company to deny the government access to the phone. And
this was a really contentious issue that pitted a lot of people in the tech industry against the FBI. And it hasn't been resolved so far. I think the expectation is
that the encryption fight is going to be kicked into the next administration. And the sense among
a lot of security professionals right now seems to be that there will be a bill to force some sort of government access into
encryption, especially since Senate Intelligence Committee Chairman Richard Burr was, you know,
he's still going to be around next year as well. And so he was reelected. So I think, you know,
you'll see some of this push from within the executive branch if Trump remains consistent
to his past statements and in Congress to take some action on that front.
As you survey responses from people
on social media, on Twitter, you know, people in the cybersecurity industry, are people taking a
wait-and-see approach or do you see people bracing themselves for, you know, potential rough times
ahead?
I think you see both. I think you see people who
are hoping for the best and who want to be optimistic if it was an outcome that they
didn't support or didn't expect. But on the security and privacy side, I mean, you see a mix.
You have tech companies who, you know, Facebook's Mark Zuckerberg had said that he, you know,
wished him luck. And you have a bunch of tech leaders
who've said that as well and who seem to be giving him a chance. On the other hand, you have people
who are privacy advocates who have been calling for the dismantling of some of the surveillance
programs from the National Security Agency for a long time. And they're really worried that now
Donald Trump will have control of this, someone
that, you know, several of them have already said that they don't see as fit for the responsibility
of governing these particular programs that could have consequences on people's lives.
And so you have privacy advocates already calling for Obama to take action before Trump takes
office.
What in particular has caught your attention? What are you going to be looking out for?
I think the Russia stuff will be really interesting to watch
because there are a lot of people who are saying
that this might actually embolden Russia to carry out even more attacks.
And there were reports earlier this week by Wired and Vice
that this was already happening,
that the same hackers that were linked to Russia
that are believed to have gone after the DNC servers, that they already began targeting
more people at American universities or think tanks, the State Department, Radio Free Europe,
other places. And so will Russia, thinking know, thinking more willing to use these tactics and
other parts of the world? I think that's going to be something really interesting to keep an eye on
in the long term, something that doesn't just go away in the election cycle.
That's Sara Sorcher
from the Christian Science Monitor's Passcode. You can find her article, What Trump's Victory
Means for Cybersecurity, on their website.
She's also co-host of Passcode's podcast called the Cybersecurity Podcast, and you should definitely check that out, too.
And that's the CyberWire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.