CyberWire Daily - Grid hacking in Ukraine. Cellebrite breached. WhatsApp encryption issue. EyePyramid notes. Sharing SIGINT. IG looks at FBI. Guccifer 2.0 and the ShadowBrokers take their bows.
Episode Date: January 13, 2017

In today's podcast we get updates on grid hacking in Ukraine and the case of the EyePyramid spyware in Italy. Smartphone forensics shop Cellebrite suffers a data breach. WhatsApp appears to have an encryption issue, but most observers think it's not really a backdoor. WordPress gets eight patches. ENISA issues recommended best practices for securing connected cars. A US Justice Department IG will look into the FBI's investigation of classified information handling in the Clinton State Department. President Obama expands NSA's authority to share raw SIGINT with other intelligence agencies. The Johns Hopkins University's Joe Carrigan reminds us to protect our mobile phone numbers. Stanford Cyber Initiative Executive Director Allison Berke shares that organization's mission. Guccifer 2.0 wants to clear a few things up, and the ShadowBrokers say "bye-bye," or maybe "do svidaniya."
Transcript
You're listening to the Cyber Wire Network, powered by N2K.

stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Grid hacking in Ukraine.
Smartphone forensics shop Cellebrite suffers a data breach.
WhatsApp appears to have an encryption issue, but most observers think it's not really a backdoor.
An update on EyePyramid.
WordPress gets eight patches.
ENISA issues recommended best practices for securing connected cars.
A U.S. Justice Department IG will look into the FBI's investigation of classified information handling in the Clinton State Department.
President Obama expands NSA's authority to share raw SIGINT with other intelligence agencies.
Guccifer 2.0 wants to clear a few things up, and the ShadowBrokers say bye-bye, or maybe do svidaniya. With that accent, sometimes it's hard to tell.

I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, January 13, 2017.
The power outages in the Kiev metropolitan area sustained on December 17, 2016, continue to be ascribed to hacking, and to the same Russian operators believed to be behind the similar hacks of December 2015. Researchers at Information Systems Security Partners, ISSP, are doing most of the on-the-record discussion. Observers differ as to whether the hack is nuisance, demonstration, misdirection, trial run, or some mix of all of these.
Cellebrite, the mobile forensic firm that established a reputation as law enforcement's go-to shop for unlocking smartphones, confirms that it suffered a data breach. Motherboard says the lost information includes databases, customer data, and technical notes on the company's offerings. Motherboard also says the stolen data is legit, they're in touch with people who say they're involved in the breach, and those contacts represent themselves as hacktivists protesting recent moves by Western governments to ratchet up surveillance capabilities. Cellebrite yesterday issued a statement acknowledging the breach, which it characterized as unauthorized access to an external web server that included a legacy backup of the company's end-user license management system. It's investigating, cooperating with the authorities, and is in the process of notifying affected customers. The company advises My.Cellebrite account holders to change their passwords.

A University of California crypto expert reports a flaw in WhatsApp end-to-end encryption that observers say could enable Facebook to read WhatsApp messages. That, of course, is contrary to WhatsApp and Facebook declared policy. WhatsApp says the apparent bug is really a feature designed to make security and privacy easy for people who might frequently change devices or SIM cards. They advise users to turn on security notifications. The flaw was widely described as a backdoor, but that, according to most experts, isn't an accurate characterization of the issue. An issue, then, but probably not really a backdoor.
More news and speculation appear about the Italian brother and sister accused of spying on Italian bigwigs for years using EyePyramid spyware. The motives remain unclear, but may have involved gathering insider information useful in various forms of financial speculation.

The widely used blogging platform WordPress has patched eight security issues, including cross-site scripting and cross-site request forgery vulnerabilities.

ENISA offers a report on best practices for securing connected cars. Their recommendations are organized into three sections, policy and standards, organizational measures, and security functions, and they appear to represent the sort of familiar common sense that best practices often do.
The Justice Department's inspector general has announced an inquiry into the FBI's handling of the Bureau's investigation of former Secretary of State Clinton's handling of classified information. Director Comey says he welcomes the scrutiny.

The outgoing Obama administration has loosened restrictions on NSA's sharing of raw data with other agencies. Privacy advocates are unhappy, but the worries seem to be in part of the slippery-slope variety, in which the removal of requirements to scrub information inadvertently collected on U.S. citizens could lead to the exploitation of such information by other federal agencies.
The changes are summarized by the Office of the Director of National Intelligence as follows. The letters IC in the summary refer, of course, to the intelligence community.

First, only allow IC elements to access raw SIGINT in circumstances where the information will further a foreign intelligence or counterintelligence mission in a significant way.
Do not permit raw SIGINT to be accessed for law enforcement purposes.
Do not apply to information collected under the Foreign Intelligence Surveillance Act, including Section 702.
Establish rules that a recipient IC element must follow when accessing, processing, or retaining raw SIGINT or disseminating information derived from SIGINT. These rules closely follow those used by the NSA.
Set up extensive training, auditing, oversight, and compliance requirements that are comparable to the NSA's for similar activities, and require periodic reauthorization of access and high-level reviews of activities conducted under the procedures.
And finally, some of everyone's favorite hackers, hacktivists, agents, crooks, or sock puppets are back. You can take your pick on which one of these descriptions to buy. For some reason, it's still controversial, and our stringers almost come to blows over the issue. In any case, they make their return to the cyber stage as the week comes to a close.

First are the ShadowBrokers, they of the Hakawi-accented scriptwriter's broken English, who take a bow and exit, not, we think, pursued by a bear. The bears have other pursuits, right, Fancy? But because they see much risk coming in and few bitcoins going out, says they. So as they bow, they release a bunch of alleged Equation Group weapons and say, in effect, do svidaniya, we're out of here. Wealthy elite will miss them, we're sure. And that big auction never went anywhere for them. Skeptics will be forgiven for suspecting that the auction wasn't the point of the whole exercise to begin with.

So, ShadowBrokers, as you come in from the cold, stay warm and keep the light on for Guccifer 2.0, who also frets another hour on the boards. This one is back to comment on the U.S. intelligence community's conclusions that the Russian government has been up to no good in American political networks. Guccifer 2.0 says, and wants all of us to know, quote, I have totally no relation to the Russian government, end quote. So that settles it. Say hello to Fancy and the gang, Goose, and happy Friday the 13th to you and the gang.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, I saw recently there's been some talk about this notion that our mobile phone numbers, we should be protecting them in the same sorts of ways that we protect our Social Security numbers, that perhaps we're being a little too cavalier in our willingness to give out our mobile phone numbers. What's your take on that?

I understand that there's a concern in there, and I think the concern is not invalid, that at some point in time we're going to start seeing these man-in-the-middle attacks on two-factor authentication. And I think the source you're citing said that we shouldn't be using our mobile phone for two-factor authentication. We should be using something else.

Right. Because of the possibility of a man in the middle, that it's not as secure as we think it is.

And it probably isn't as secure as we think it is. But here's the difference between my mobile phone number and my Social Security number. It's very easy for me to get a new mobile phone number. I can change that and I can go through and change the information in the sites that I need to change it in, and I'm done. Getting a new Social Security number is not so easy.

Very difficult.

Additionally, when you're talking about using your mobile phone for two-factor authentication, the purpose of doing that is to take advantage of the multiplicative nature of adding a second factor. So now somebody not only has to have your username and your password, which is what we call a single factor, even though it's actually two things, but it's just a single factor. Now they have to get another factor of having your phone number and physically intercepting the message from one point to the next. That makes it more difficult to do. So I still think it's good to use your mobile phone for two-factor authentication. There are better options. In fact, some of them are even mobile phone-based where they don't require your phone number, like Google Authenticator.

Right. So I guess for the time being, certainly two-factor is better than single-factor.

Right.

No matter what.

Exactly.

But it seems like there are certain use cases, perhaps people in certain situations who, I don't know, high risk, high security kinds of things, where it's important not to believe that two-factor using a mobile phone number is more secure than it actually is.

Right. If you're of high enough value, then you should probably not be using your phone for two-factor authentication. You should probably be using something like an RSA token or Google Authenticator, which doesn't require any communication after the initial setup.

Joe Carrigan, thanks for joining us.

My pleasure.
And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
My guest today is Allison Berke, Executive Director of the Stanford Cyber Initiative.

The Stanford Cyber Initiative is a research and education initiative that was established by the Hewlett Foundation in 2014 to study how cybersecurity fits into society in a more general sense than the traditional notion that cybersecurity is mainly a problem for computer scientists. Our particular purview in terms of research and education is what we're calling cyber social systems. And those are the integration of secure cyber technologies into the different systems within society, like the healthcare system, the financial system, the labor system, and so on. And so our research takes a unique view on those systems and looks at how secure cyber technologies are affecting and complementing the activities that already go on in those systems and what security needs those systems have that are unique that research could help with.

So let's dig in a little deeper to that, because cyber social systems is not a term that I've heard before. What are you hoping to achieve by approaching that side of things?

Yeah, so it's a new term that we came up with that I suppose we're trying to popularize. And our hope is that we can both produce policy-relevant research that goes beyond the sort of academic or ivory tower view of cybersecurity as something that is highly technical or that is sort of a specialized set of skills. Our hope is that our research can show how cybersecurity is more of a shading to problems that might arise in other sectors of society as opposed to sort of its own unique field or unique discipline. We want to show how cybersecurity affects problems in the labor industry, for example, with new forms of worker platforms or ways for workers to combine different tasks and form a job that they can do remotely or that they can do as part of the gig or contract economy. We want to show how that affects both labor security and the security of the platforms that are offering those types of jobs. Another example is that we want to show how the healthcare system has unique cybersecurity needs that go beyond the issues of patient data security that are addressed by HIPAA or HITECH laws, and look at how physicians are using patient records digitally to better serve patients, how patients can have a better relationship with their physician via things like video calling and online chat, and how patient data can be securely provided to health researchers in a way that would benefit the entire population while also preserving patient privacy. So we do think that cybersecurity is something that will become more and more of a skill that's integrated into multiple professions and into different types of education, rather than just being something that only computer scientists focus on.

And so what is the process by which you hope to explore these possibilities?

Sure. Education is a large part of it. We support undergraduate courses, as well as cyber policy boot camps for policymakers and congressional staffers and media. We're looking into offering those also for law enforcement and reaching out to other sectors of society. But our primary way of affecting this change is through research. So every year we fund approximately $1.1 million in research projects that are multidisciplinary, with faculty on the Stanford campus who are running the projects. The multidisciplinarity angle is important to us and also important to Stanford in the sense of Education, from the School of Business or from the School of Law, so that we can get that kind of better integration of cybersecurity into different disciplines through these projects. And then, of course, communicating the results of those projects in such a way that they reach think tanks and policymakers and important decision makers and go beyond sort of the academic publishing platform is also important to us. We're still searching for different creative ways to do that. One way is through white papers and through the sort of executive education conference events that we have. Another way is through the podcast that we run or through a weekly newsletter, but we're hoping to be able to reach a much broader sector of society than the traditional academic publication, because we understand that people who are concerned with cybersecurity or for whom cybersecurity affects part of their job may not be reading conference publications or they may not be reading academic journals, but could still benefit from the research that we're producing.

And looking forward, how will you measure success?

We're hoping to measure success based on our impact on policy and on conversations that occur around cybersecurity, both in the U.S. and globally. Hopefully one way we could measure that is by the proliferation of this view of cyber social systems, or that security is a firmly entrenched part of multiple jobs and sectors that aren't simply data science or computer science. We're also hoping to measure success by the number of projects that we're able to support and by the distribution of our research across fields. Our projects currently touch six out of seven of Stanford's schools, and we're hoping to add a project that involves the last school, the School of Earth, Energy and Environmental Sciences. And so hopefully our impact will be measured by the familiarity and the utility of our research results and of our contribution to the discourse.

That's Allison Berke from the Stanford Cyber Initiative.
They have a podcast, by the way. It's called Raw Data.
You can find it in all the usual places.
Check it out.
And that's the Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.