CyberWire Daily - Email client vulnerabilities. Sanctions and trade policy. FinFisher in Turkey. myPersonality data scandal. Patch news. High school phishing.
Episode Date: May 15, 2018
In today's podcast, we hear about reports of email client vulnerabilities. Worries about Russian and Chinese software and hardware vendors. Security and trade policy notes. FinFisher found used in Turkey. The data scandal that brought down Cambridge Analytica moves to the University of Cambridge, but there the issues seem to be security, anonymization, and possible oversharing. Adobe and Samsung issue patches. A California high school student is accused of phishing for grade books. Ben Yelin from UMD CHHS on the Microsoft overseas data storage case that went to the U.S. Supreme Court. Guest is John Grimm from Thales eSecurity on their Global Encryption Trends study that they put together along with the Ponemon Institute.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Email client vulnerabilities reported.
Worries about Russian and Chinese software and hardware vendors.
Security and trade policy notes.
FinFisher is found used in Turkey.
The data scandal that brought down Cambridge Analytica moves to the University of Cambridge.
But there, the issues seem to be security, anonymization, and possible oversharing.
Adobe and Samsung issue patches.
And a California high school student is accused of phishing for grade books.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, May 15, 2018.
Researchers report a vulnerability in the way email clients render content encrypted with the widely used PGP and S/MIME protocols.
Jettisoning PGP, as some advise, seems unwise, since, as many others say,
encryption is better than no encryption, and exploitation, while clever, isn't trivial.
Graham Cluley's blog offers some reassurance.
He says, "The sky is not falling. Stop freaking out."
Russian and Chinese companies face an increasingly complicated set of sanctions,
restrictions and suspicions in Western governments.
The basic issue is that the companies are thought to be too close
to Russian or Chinese security and intelligence services.
The U.S. administration's expressed intent to relax sanctions against China's ZTE
has come under criticism from observers who see ZTE products as a security threat.
U.S. intelligence officials have expressed security concerns about both ZTE
and Huawei devices, and the Department of Defense has ordered a halt to sales of ZTE devices in
military exchanges. The U.S. Department of Commerce recently banned ZTE from purchasing
U.S. components and software, mostly Qualcomm chips and Android software, which amounted to a near
corporate death penalty. The department's decision was a response to ZTE's evasion of
international sanctions against Iran, North Korea, and a handful of other countries.
The U.S. administration's gesture towards a lifeline for ZTE draws criticism from those
who see ZTE as a security threat and not merely a sanctions
evader. President Trump is in the process of negotiating some form of reprieve, which he's
indicated will be part of larger trade negotiations with China. Probably security negotiations too.
It's perhaps worth noting that China is closely interested in upcoming U.S. talks with North Korea.
Huawei is also under suspicion, most recently over its partnership with Chinese authorities
to establish surveillance networks covering Xinjiang province.
That province is noted for its relatively large share of China's Muslim population,
an ethnic and religious minority that's long been a target
of government surveillance and influence operations.
Huawei's participation in the surveillance program has aroused concerns internationally
that the company's products and cooperative practices could easily be turned against external
as well as internal targets.
Canadian media, notably The Globe and Mail,
are expressing particular skittishness about Huawei.
The company has made significant inroads into that country's markets.
Turning to Russian companies,
the Netherlands has decided to ban Kaspersky products from government networks.
The Dutch justice minister, Ferdinand Grapperhaus,
informed Parliament that Kaspersky Lab security software poses a national security risk to the Netherlands.
Russia, Grapperhaus said, has an active program in cyberspace targeting Dutch interests
and the risk of using Kaspersky products is unacceptably high.
The justice minister also urged Dutch companies to do likewise.
It's a precautionary measure.
Netherlands authorities say they've found no evidence that Kaspersky software is being abused,
but the company is too close to the Russian government for comfort.
Grapperhaus cited British and U.S. concerns about the company in his letter.
Kaspersky said, quote, Kaspersky Lab is very disappointed with this ...
... the U.S. government are wondering whether bans and sanctions are an unmixed good.
They're aware of the security
issues and take them seriously, but they also see uncomfortable room for retaliation by Russia,
and especially China. Suppose Beijing gets its back up when a U.S. tech company complies with
a U.S. subpoena, they ask.
Advocacy group Access Now says it's found evidence Turkey's government is using FinFisher spyware tools against dissidents.
The New Scientist reports finding that the University of Cambridge's Psychometric Centre culled data from a Facebook personality quiz, myPersonality, and shared it with hundreds of researchers over a period of four years.
Some three million individuals were affected. The data
was poorly secured and imperfectly anonymized. This is the same data collection project whose
results were used by now-defunct Cambridge Analytica. One wonders whether responsible
human subjects research review boards at Cambridge were asleep at the switch,
or simply failed to recognize that the project might require their
oversight. Thales eSecurity recently published the 2018 edition of their Global Encryption Trends
study. The report highlights how organizations are deploying and managing encryption around the
world. John Grimm is Senior Director of Security Strategy at Thales eSecurity.
One of the big trends that we saw over the last year is many more people are using multiple clouds.
And what that has caused is some difficulty in managing encryption processes. So if you dig a
layer beneath, you find that the reason people are encrypting has changed. Over the past several years, one of the big drivers for encryption has been compliance regulations.
So needing to check a box, if you will, or show that you're doing diligence in some form to protect data.
And that's still a big driver.
But the drivers that have really risen over the last couple of years, as shown by this survey,
is the need to just apply increased diligence to protecting your customers' information or protecting things like your
company's intellectual property. Although compliance is still a major driver, we're
starting to see folks applying much more diligence to just good practice of protecting specific
targeted data types. The move to the cloud has made that
difficult in some ways because now their data is so many more places. And one of the trends that
this survey also revealed is the difficulties that folks are having finding all of their data,
finding all the different places that it's going.
Yeah, one of the things that stood out to me in the report was the difficulty people have in managing their keys.
Absolutely. The more you use encryption and any sort of cryptographic process, the more diligence you have to pay to managing keys.
And it's a relatively simple problem when you've got a limited number of encryption deployments, limited amounts of data that you're encrypting.
But once you get to a state where you're encrypting multiple databases or data stores, you're encrypting at rest, in motion, you're using multiple public clouds and
encrypting in each of those, as you get further and further into it, it gets really hard to do
the job of tracking keys properly. And the most important, the linchpin of any good encryption system is how
well you protect the key. And at the end of the day, if you don't account for that key through
its entire life cycle, from the time that it's created to the time that it's retired, there are
actually quite a few phases in the middle there. And it becomes a very big accounting problem to
keep track of keys if you're following best practices such as rotating or changing your
encryption keys every X amount of time in accordance with best practice.
Another thing that stood out to me was you all dug into how organizations protect data at rest when it's in the cloud. And it was interesting to me to see the different approaches people take towards encrypting that data.
Well, I think we're seeing a bit of a
perfect storm in terms of people's need to change how they're approaching it. The fact that folks
are using multiple cloud providers, in many cases, the public cloud providers have done a nice job
maturing their encryption tools over the last few years. But if you are using multiple cloud
providers, you're going to use the individual encryption tools of each one.
So now you're putting an extra burden on your staff to learn those tools.
And it becomes a lot more challenging to have a very consistent policy across your enterprise when your administrators have to instantiate that policy across a different set of UIs and tools that they use.
On top of that, one of the findings in this survey that's very consistent over the years is that the top threat to data is mistakes. Mistakes that
human beings make even in the course of trying to do things right. You put together the multiple
clouds, the multiple tools, the fact that administrators and people knowledgeable about
managing encryption and keys, pretty difficult to find that skill set, to find and retain it.
And the fact that mistakes are a big issue.
It's no wonder that we're starting to see these instances pop up in the news of misconfigured encryption resulting in data leakage.
That's John Grimm from Thales eSecurity.
You can find the complete report, the 2018 Global Encryption Trends Study,
on their website.
Adobe yesterday patched 47 vulnerabilities
in Acrobat and Reader.
The products affected include Windows and macOS versions
of Acrobat DC, Continuous and Classic 2015,
Acrobat Reader DC, Continuous and Classic 2015, Acrobat 2017,
and Acrobat Reader 2017. Samsung also patched, stopping six critical bugs in its handsets.
In a little bit of welcome good news, researchers at the University of Florida have tested a method
of detecting cloned fraudulent gift cards at the point of sale
by the unstable jitter that cloning introduces.
Similar techniques could be applied to cloned ATM cards.
Crooks are phishing for Apple credentials.
The bait is a GDPR hardening offer.
Criminals always chum the internet with phish bait drawn from current events,
and GDPR goes into full effect in 10 days.
Expect more of this, and be careful what emails you open and what links you follow.
Finally, a California high school sophomore is facing 14 felony counts for getting some teachers or teacher to enter their online gradebook credentials into a bogus site.
He's said to have changed grades for several students, raising some and lowering others, but he didn't get to his own
transcript before the Concord, California Police Department got to him. The student who was
arrested is a minor, just 16, who apparently did it for the lulz, and we won't repeat his name.
The kid did go to a local TV station and say that
phishing the Mount Diablo Unified School District was like taking candy from a baby.
He says he did so because he did kind of want to give awareness to cybersecurity.
We sympathize with his aggrieved family. As his father put it, quote,
I'm frustrated he did this, and I don't want him in juvenile hall, end quote.
An interesting side note, the police used a dog to sniff out the location of an SD card hidden in a tissue box.
Like we said, we won't mention the youth's name, but we will give a shout-out to the dog,
a pleasant-looking lab named Doug. He's got a nose for removable storage devices, so good dog, Doug.
And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We had a story come
by from NPR, and this was called "A Needle in a Legal Haystack Could Sink a Major Supreme Court Privacy Case."
A lot's going on here.
It involves Microsoft and data stored overseas.
Fill us in what's going on.
So there was this very prominent Supreme Court case, came up for oral arguments, I think in January.
Microsoft has a data storage facility in Ireland,
and the U.S. sought and obtained a warrant to collect information that was housed in this facility.
And Microsoft is trying to argue that that warrant is not applicable to data that's stored overseas.
Went in front of the Supreme Court.
We don't have a decision yet, but just sort of based on the legal analysis that I saw, oral argument went very, very poorly for Microsoft.
It kind of looked like they were going to lose. Enter Congress, who steps in before this case is even decided, and they pass
as part of a much larger omnibus spending bill, what's called the CLOUD Act. And of course,
it has one of those clever acronyms, Clarifying Lawful Overseas Use of Data. And this would sort of make the Microsoft v. United States issue moot.
And what the act does is it gives an incentive to our government and to foreign governments to make bilateral one-on-one agreements that would allow the tech companies to honor court-approved search warrants.
So it would encourage the United States to make some sort of agreement with Ireland where they would agree under which circumstances a U.S. warrant would apply at an Ireland facility.
The way they're able to enforce this is they say that if the company does not come up with some sort of bilateral agreement with an overseas territory, then the presumption is that the warrant is valid and that the company would have to execute the warrant. So that's how they're going to try to enforce this legislation. So there are a couple
of issues here. One is that it's sort of more of a transparency issue. This piece of legislation
has been in the works for a while in Congress, but it was tucked into a 2100-page omnibus spending
bill. People just didn't really realize that the act had been
incorporated into the bill. So there was really no time for public consideration or public comment.
And I think that's pretty detrimental to both transparency and potentially the long-term
outlook of this legislation. Having said that, I think the tech companies support this because
A, avoids the worst case scenario where in all circumstances, they have to abide by U.S. law enforcement warrants.
They can come up with these extraterritorial agreements.
And it also sort of passes the burden on to the government.
They can tell their customers, now, according to this Cloud Act, if there isn't some sort of agreement, we do have to hand over your data, even if it's stored overseas.
That might help them blunt the publicity hit if they say, you know, the government passed this law, they're forcing us to do it.
What's very interesting to me in terms of future outlook is what's going to happen with the Supreme Court case.
The Solicitor General's office under the Trump administration filed a petition with the court.
It was basically just an amicus brief. So a friend of the court brief arguing why this particular case should be moot
in light of the new legislation. And we'll see if that impacts the court's decision, if they decide
to dismiss the case, or if they decide to qualify their opinion based on this new information that
they have. But I think it was certainly surprising that Congress, which
as we know, doesn't really do anything, was able to get its act together, even if it was what
amounts to a footnote in a large piece of legislation to address a very live legal problem.
Hmm. All right. We'll keep an eye on it. Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Thank you.