CyberWire Daily - Daily: Yahoo! breach fallout, Krebs back online, election hack concerns.
Episode Date: September 26, 2016
In today's podcast, we follow the latest on the Yahoo! breach. British sources say GCHQ stopped a Russian attack on last year's UK general election. A White House staffer's email is hacked. KrebsOnSecurity is back, but many see a lesson in the dangers of IoT botnets and democratized censorship. Researchers describe iOS and Android vulnerabilities. The FBI releases more documents from its State Department email investigation. Yisroel Mirsky from Ben-Gurion University discusses security risks of Android touch loggers. Switzerland votes for more surveillance, and US states reassure voters that the election won't be hacked.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Yahoo breach unsettles industry and casts doubt over Verizon's pending deal to buy Yahoo assets.
British sources say GCHQ stopped a Russian attack on last year's UK general election.
A White House staffer's email is hacked.
KrebsOnSecurity is back, but many see a lesson in the dangers of IoT botnets and democratized censorship.
Researchers describe iOS and Android vulnerabilities.
The FBI releases more documents from its State Department email investigation.
Switzerland votes for more surveillance,
and U.S. states reassure voters that the election won't be hacked.
I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, September 26, 2016.
Yahoo's disclosure Thursday that more than 500 million customers' account information was stolen continues to excite much comment. The company disclosed that the customer information lost includes names, email addresses, telephone numbers, dates of birth, hashed passwords, the vast majority with bcrypt, and in some cases encrypted or unencrypted security questions and answers.
Many see the lost security questions as posing the most serious problems to customers affected by the breach.
After all, your grandmother's maiden name, your first pet, and the middle school you attended are unlikely to change.
The breach dated to 2014 and was discovered during investigation of rumors that stolen credentials were being offered on the black market by the cyber criminal whose nom de hack is Peace. What the investigation found was more extensive and serious than anything Peace had been woofing around in the dark web market.
Yahoo, whose business for the last few years has been facing turbulence and headwinds,
has been seeking what investment analysts characterize as a soft landing in the form of a deal with Verizon
to buy Yahoo's core assets for a reported $4.8 billion.
That soft landing is now in doubt.
According to the New York Times, Yahoo stated in the merger agreement
that there have not been any incidents of or third-party claims alleging security incidents
that could affect Yahoo's value.
That statement, of course, is now more
than questionable. Some analysts see a possibility that the entire deal could be cancelled, but most
think it likelier that the acquisition will go forward, but at a price renegotiated sharply
downward. Yahoo blamed an unspecified state-sponsored actor for the breach. There is as
yet no attribution to any country, and it's worth noting that almost any business would prefer to be able to blame a successful hack on foreign intelligence services.
You look less negligent that way. Who among us could stand up unaided against the PLA, the GRU,
or any of the Five Eyes? If you think you could, then go ahead and cast the first stone, but think
twice. Look at history. Sony's relief at being able to point even to North
Korea, not in the Bears, Dragons, or Eyes league, was almost palpable. Speculation concentrates on
Russia, lately much in the news for Cozy Bear and Fancy Bear, and China, which has shown an appetite
for engulfing credentials in PII with the appetite of a filter-feeding baleen whale.
But this is all still a priori speculation, and both the attribution and the means of compromise remain up in the air.
In other news of state-directed activity,
the Sunday Times reports that Britain's GCHQ successfully blocked Russian attempts
to disrupt last year's general election in the UK.
In the US, more political email hacking resulted in exposure
of senior Democrats' election-related travel and appearances. The staffers' emails were posted to
DCLeaks, which has in the past been associated with Russian interests.
KrebsOnSecurity is back after sustaining what essentially everyone is calling the largest distributed denial-of-service attack on record. The well-known and well-respected security site is now being hosted by Google.
The site's former host, Akamai, had to sever services
when the attack traffic began to affect its other customers.
It's important to note, as Krebs does, that Akamai hosted the site pro bono
and that they parted with Krebs on good terms and without acrimony.
The attack against KrebsOnSecurity is seen by many as a troubling bellwether for two trends, the use of IoT botnets in high-volume DDoS campaigns,
and the privatization of censorship. Much of the traffic that flooded the site is believed to have
come from a botnet of compromised security cameras and other indifferently secured IoT devices.
And the motivation for the attack is believed to be retaliation for Krebs' reporting on vDOS,
allegedly a DDoS-as-a-service criminal enterprise whose proprietors were arrested by police in Israel
on September 15, 2016, shortly after Krebs published his story.
The incident suggests that all the usual threat actors, from hacktivists through criminals to states,
now have the ability to round up, herd, and stampede botnets in the direction of those who attract their displeasure.
Fresh reports of increasing mobile threats are out.
Elcomsoft says it's found an issue in iOS that enables attackers to crack passwords much faster than they'd hitherto been able to. The flaw is said to lie in iOS 10's backup mechanism, which introduces a vulnerability not seen in earlier versions of Apple's mobile OS.
The U.S. FBI late Friday released more documents from its investigation of former Secretary of
State Clinton's email practices. The documents include descriptions of grants of immunity
and would appear to be emails from the president found on the former secretary's private account.
Switzerland yesterday voted to grant its government more extensive surveillance powers.
The vote is seen as a popular expression of widespread concern about terrorist threats in Europe.
And finally, U.S. states seek to reassure voters that elections can be conducted without undue risk of hacking.
The National Association of Secretaries of State wrote Congress to say that they're working with federal security services
to address any attempts by nation-state adversaries to disrupt the presidential election and call its integrity into question.
The association also said, machines are standalone and do not connect to the Internet,
adding that there is no evidence that ballot manipulation
has ever occurred in the U.S. via cyber attack.
The Nevada Secretary of State has offered the Silver State similar reassurance.
We think you might be able to get odds on this in Vegas or Reno.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on
point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Yisroel Mirsky. He's a PhD candidate, researcher, and project manager at the Cybersecurity Research Center at Ben-Gurion University.
You've been doing some research with some touch loggers.
What can you tell us about that?
Specifically with the Android operating system, when you download or install a new application, it asks you for certain permissions.
And if you accept these permissions, you're basically giving the application full access to those resources.
For example, writing to a disk and accessing your contacts and so on.
There's one set of permissions that an application does not need to ask for.
And that's access to motion sensors, any kind of physical sensors on the device that indicate the motion or even lighting in the room.
And this is very important because that means you can download, for example, the classic flashlight application,
and it will say that it doesn't require any special permission, so it seems rather benign.
Meanwhile, it's recording all the motion of your device from your accelerometer,
from your gyroscope, and it's trying to infer personal information about you. One of the things
we found in our labs was that you were able to determine a person's gender
just by the acceleration of the device over the day.
So you can imagine what kind of private information you can infer from a user.
And one of those things we were interested in was where the user is touching on the screen,
much like a keylogger.
Now, this isn't a new idea.
This idea was shown in the Usenix conference.
But the direction that we were taking it was that we're using a regression, a different
type of machine learning technique to improve the process.
And using this, we were able to, instead of state-of-the-art, which is about 30% accuracy with 1,500 keystrokes, we got 30% accuracy with only 80 keystrokes.
And the main difference here is that many times researchers will see an interesting problem and show how it can be done, how an attacker can try to exploit a certain channel,
whereas they don't really think about how the attack model or the attack scenario can be implemented or how feasible it is.
Without going into details, they were using classifiers, which basically require a large number of data points in order to build your model, especially for an entire keyboard.
Whereas here we're using regression, we're just using a general approach of predicting the x-y coordinates on the screen.
So in general, to summarize here, it's not enough to ignore these motion sensors. They actually
can infer quite a lot of private information, and they should really be added to these
permission lists. If not, the user should be aware of these possible attacks on their privacy.
And are you aware of any cases of this being used in the wild?
I do know that all sorts of greyware use any method of getting information from the device to provide advertisements, for example.
And I would not be surprised if they were using the motion sensors to
understand the activity of the user. All right. Yisroel Mirsky, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Thank you.