CyberWire Daily - Hamas calls for intifada; hacktivism expected. Ethiopian government surveillance ops. Crime and cryptocurrency. Keylogger in the wild. Fixes to MacOS, Android app development tools. Uber hack and bug bounties.
Episode Date: December 7, 2017
In today's podcast we consider warnings of a hacktivist intifada as the US prepares to recognize Jerusalem as Israel's capital. How Ethiopia's surveillance was discovered. Criminals flock to cryptocurrency sites with everything from DDoS to miners to theft. Keylogger found infesting WordPress sites. Android app development tools get quick fixes. Apple updates MacOS High Sierra again. What Uber may have thought it was doing when it paid off its hackers. Section 702 surveillance authority update. Jonathan Katz from UMD on NIST’s call for algorithms for post-quantum computing. Drew Cohen from MasterPeace Solutions on drawing government talent to the private sector. A Jeopardy champ faces hacking charges, and Kromtech warns about Ashley Madison (on grounds of security, not propriety).
Transcript
You're listening to the CyberWire Network, powered by N2K.
Jerusalem as Israel's capital, how Ethiopia's surveillance was discovered, criminals flock
to cryptocurrency sites with everything from DDoS to miners to theft, keyloggers are found
infesting WordPress sites, Android app development tools get quick fixes, Apple updates macOS High
Sierra, again, what Uber may have thought it was doing when it paid off its hackers,
a Section 702 surveillance authority update, and a Jeopardy champ faces
hacking charges, and Kromtech warns about Ashley Madison.
On grounds of security, not propriety.
I'm Dave Bittner with your CyberWire summary for Thursday, December 7, 2017.
As the U.S. prepares to make good on its long-promised recognition of Jerusalem as Israel's capital,
Israel and the U.S. brace for a wave of hacktivism expected to accompany the promised second
intifada.
Security concerns center on fear of physical violence, of course, but ancillary hacktivism
is to be expected.
Citizen Lab confirmed the Ethiopian government's use of intercept tools procured from Cyberbit
to surveil dissidents when it connected suspicious emails to a misconfigured command and control server
that exposed the government's target list.
Cryptocurrencies continue to draw criminal attention.
Denial-of-service attacks remain popular against Bitcoin sites.
Over the past quarter, a study by security company Imperva Incapsula found some 73% of Bitcoin-related sites experienced a DDoS attack.
Cryptocurrency sites are highly sensitive to disruption since they depend upon high availability for their viability.
A planned Bitcoin rival, Electroneum, failed to launch as its proprietors pulled their offering in the face of effective hacking.
An updated version of the Quant Trojan is raiding cryptocurrency wallets.
And NiceHash, a popular Bitcoin mining tool, is reported to have suffered a compromise with some $56 million in coins stolen.
A keylogger has been found in more than 5,000 infected WordPress sites.
This sort of script has been circulating in the wild since April, according to researchers at security company Sucuri.
It logs keystrokes site visitors enter into form fields, and it sometimes also loads a
cryptocurrency miner.
The most dangerous infections occur on sites that run online stores, where of
course credit card details are entered at checkout. The keylogger picks those up as well.
Russian cyber gangs are particularly active in ransom campaigns against businesses in the UK
these days. Cerber remains their most popular strain of ransomware. Extortion demands commonly run to 100,000 pounds.
Android app development tools are found vulnerable to backdoors. Fixes are in progress. Researchers
at security firm Check Point found and disclosed the issues. They affect widely used Android
integrated development environments, including Android Studio by Google, IntelliJ IDEA and Eclipse, both by JetBrains,
and several reverse engineering tools for Android apps, including APK Tool and Cuckoo Droid.
The companies are working quickly to close the holes.
While the West Coast, and in particular Silicon Valley, get the lion's share of the attention for tech startups,
there's a growing number of companies getting their start on the East Coast, in no small part thanks to the security ecosystem
built around the federal government. Drew Cohen is CEO of MasterPeace Solutions,
a Maryland company that benefits from the pool of talent coming up through the federal government
and also helps grow new startups.
It's easier today to start a business than it's ever been in terms
of infrastructure, because I can get computing as a service. I can get kind of anything I need
as a service. So I can start a small business that looks like it has scale very rapidly. So it's
still a great climate for startups. And there are capabilities that are available to startups
today that were never available in the past, pretty much anything as a service. The challenge is
that today's startups can't just ride on other platforms. They have to solve what's typically
beginning to be called deep technology problems. So they really have to invent something new that creates kind of a 10x change
in whatever sector that technology is being applied to. And so the interesting part about
that is that means you need talent. That means you need experience. It can't just be a couple
guys in their dorm creating a webpage, a social network, if you will, and having the next Facebook, you have to have guys that
really understand technology deeply and can innovate and create new hard technologies.
And the interesting part about that is that's kind of typically what the government's been
focused on. And so the skills that people have learned doing government research and government technology development is more
applicable to kind of today's startup world than the rapid throw something together, make an app,
stick it on the app store and see if you make money approach. And I think that benefits this
area. And it's one of the reasons why I think you're seeing a shift from West Coast investment
to an emerging ecosystem here in Maryland.
Yeah, it's interesting. It's almost as if there's a, I would say, a maturation of the ecosystem.
Yeah, I would call it, you know, experience driven startups.
That's kind of the term that we're using. So you can't just get into it, you know, as kids out of school,
you got to have some basis of knowledge and experience and technical depth, applied technical depth that can only be learned over time in order
to really have the kind of breakthroughs that can be the foundation and underpinning of the
next generation of innovation.
And I suspect too, from an investor's point of view,
that puts investors at ease when
they're putting their money toward people who can demonstrate their abilities through their
government experience.
Yeah, the combination of the demonstrated abilities, but also there's
technical vetting, right? Now I can look at something and go, I see why this is 10x better.
I see why this is hard to replicate. And I see why there's a competitive advantage
in doing it this way, right? A sustainable competitive advantage. And those are things
that, so yeah, I think you hit it right. Investors invest in teams and they invest in real innovation
that provides a sustainable competitive advantage at scale.
That's Drew Cohen from MasterPeace Solutions.
Apple has again updated macOS High Sierra to fix security holes.
This latest upgrade includes a permanent fix to the root bug,
the one that lets you in by typing root.
That proved surprisingly slippery last week.
A bit more has emerged concerning the Uber data breach.
The rideshare company paid hackers who got into its data $100,000
to quietly destroy the information they took.
It now seems, according to Reuters and Business Insider,
that the identities of the hackers are known,
and that they weren't the cliché Russian mobsters.
They were instead the even more cliché, if that's possible,
young man living in Florida
with his mom and a subcontractor he engaged to help him with GitHub. Their combined hacker weight
isn't stated in the coverage. It would be too much to hope that it was 400 pounds. The story is
particularly interesting, however, for what it reveals about the then current thinking at Uber.
They decided to treat it as part of their bug bounty program,
and Uber did, and presumably still does,
have a bug bounty program operated by HackerOne.
It's easy to think that if you've handled it as a bug report,
you're done, and one can imagine how the Uber security and legal executives
could have talked themselves into this way of looking at things.
After all, bug bounties are legitimate, useful ways of helping security.
But there are three problems. First, you generally want people to know you've paid a nice bug bounty. That's how you
get more people involved. Second, the hackers' ask had at least the coloration of extortion:
pay or I'll tell everyone. And third, data was stolen and there was a breach, and paying a bounty isn't an alternative to compliance with disclosure laws and regulations.
As Section 702 Electronic Surveillance Authority approaches sunset and renewal works its way
slowly through the U.S. Congress, the administration suggests that aspects of the program might
legally continue in the absence of reauthorization.
I'll take accused hackers for 500, Alex.
The answer is the former Jeopardy! champion accused of illegally accessing systems at Adrian College in Michigan.
Who is Stephanie Jass?
That's right, the 2012 Jeopardy champ who held the since-broken record
for longest winning streak ever by a woman on the popular game show is facing two felony
counts in Michigan. Unauthorized access to a computer, computer program or network, and
using a computer to commit a crime. The first charge carries a punishment of up to seven
years in prison, a $5,000 fine, and paying the cost of prosecution.
The other charge is punishable by up to five years in prison, a $10,000 fine, and the cost of prosecution.
Ms. Jass is, of course, to be considered innocent until proven guilty.
Let's play another round.
I'll take Leaky Hanky Panky Emporia for $300, Alex.
And the answer is, the default security setting is to share your private
key right back. The question, what does Ashley Madison do when someone shares their private key
with you? Researchers at security firm Kromtech are the ones sounding this particular warning.
It's not that Ashley Madison has been hacked. That happened back in 2015. Instead, it's possible,
Forbes magazine notes,
to set up a bunch of bogus accounts and share your way into a trove of private pictures and other stuff.
Pictures, of course, can be de-anonymized with a variety of readily available and entirely legal tools,
like Google Image Search or TinEye.
The potential for blackmail seems real enough, especially since some 64% of Ashley Madison users are
thought by Kromtech to simply leave the default settings in place.
Ashley Madison's corporate parent, Avid Life Media, disagrees that this is a bug.
They told Gizmodo that they don't intend to make any changes since they see the automatic
key exchange as an intended feature.
That's one way of looking at it.
In the meantime, why not take fidelity for a gazillion
and avoid this kind of jeopardy?
As Ashley Madison itself points out, life is indeed short.
One final note, a more serious one.
It's Pearl Harbor Day, and it's a good time to remember
the veterans of the Greatest Generation for their service and sacrifice.
And I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer
science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, welcome back. We saw recently
that NIST actually wrapped up a call for algorithm nominations for post-quantum computing.
Can you give us an overview? What is NIST after here?
So a lot of people are very worried about
the impact that a quantum computer will have on the cryptography that we currently use on the
internet. It's been known for a while, actually, that if a quantum computer were ever built,
then all the cryptography we use right now, all the public-key cryptography, I should say,
would be vulnerable. And so people have always been concerned about that possibility. And more
recently, they've been worried that quantum computers seem to be coming faster than expected.
And also the standardization process for new public key algorithms that would be resistant to those quantum computers would take some time. And so NIST is trying to get ahead of things here.
And they put out a request for researchers to submit different proposals for crypto systems
that would be resilient to quantum computers. And the deadline for that was just at the end of November.
It remains to be seen how many got submitted, but it'll be really interesting to follow this process.
So NIST gets these submissions, and what happens next? Is there a public review process?
Yeah, that's one of the great things about this, actually, is that everything's going to be done in public.
All the candidate submissions are going to be placed on a web page,
and it's going to allow researchers to evaluate each other's submissions.
So people then can look at what other people are thinking.
And eventually, the hope is that the research community will converge on a few favorites, essentially, that have the best security, the best efficiency, and other desirable properties.
And then some subset of those will be chosen for standardization.
And what kind of timeline do you suspect we're on
with that sort of thing?
Well, the call for nominations just ended, like I said, at the end
of November. By the end of December, I think NIST is planning to put up on their webpage a list of
all the submissions. And then NIST is looking at roughly a two-year time frame over which to
evaluate the submissions and then come to a conclusion.
All right. So not right around the corner, but still not that far out either.
That's right. And like I said, people are getting very concerned. We've seen announcements from IBM and from Google over the course of the past year about developments and progress that they've had in building smaller scale quantum computers. But this is making people, like I said, get really concerned about the possibility that a larger scale quantum computer will be built within the next decade.
All right. Jonathan Katz, thanks for joining us.
And that's The CyberWire. We are proudly produced in Maryland by our talented team
of editors and producers. I'm Dave Bittner. Thanks for listening.