CyberWire Daily - IoT devices exposed in peer-to-peer software vulnerability. Car hacking claims. More warnings of possible violence in Sri Lanka. Curating app stores for security. eScooter’s “voices” hacked.
Episode Date: April 29, 2019
Vulnerable peer-to-peer software exposes consumer and small-business IoT devices to compromise. A hacker says he's hacked automotive GPS trackers, all for the good, of course, and could even turn off a car's engine. Not, you know, that he would. Sri Lanka warns of the possibility of more violence, and journalists wonder if prior restraint of certain speech might be worth considering. Curating app stores for security. And potty-mouthed eScooters on Brisbane streets. Joe Carrigan from JHU ISI on Facebook's continuing privacy violations, potential FTC fines and PR woes. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_29.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Vulnerable peer-to-peer software exposes consumer and small business IoT devices to compromise.
A hacker says he's hacked automotive GPS trackers, all for the good, of course,
and could even turn off a car's engine.
Not, you know, that he would.
Sri Lanka warns of the possibility of more violence,
and journalists wonder if prior restraint of certain speech might be worth considering.
Curating app stores for security,
and potty-mouthed scooters on Brisbane streets.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 29, 2019.
There are two reports of vulnerabilities that are of general interest as the week opens.
First, researcher Paul Marrapese has published his discovery,
responsibly disclosed it should be noted,
of a vulnerability in the iLnkP2P software widely bundled with IoT devices.
It's essentially a lack of authentication and encryption in peer-to-peer sharing,
and it exposes many such devices to compromise.
The affected systems include web-enabled cameras, DVRs, baby monitors,
and smart doorbells, the sorts of things consumers might wish to access via their smartphones.
The sharing makes it easy to do so. Unfortunately, it also makes it easy for the devices to overshare with ill-intentioned outsiders who have no business in those systems in the first place.
Motherboard says that a hacker going by the name L&M maintains the ability to exploit
automotive GPS trackers made by Protrack and iTrack to affect cars remotely, including
in some cases turning off engines while the vehicles are in motion.
L&M says he hasn't actually done that because he's a good guy and isn't interested in hurting
individuals, only companies,
so one imagines the drivers have got at least that going for them.
But if the claims are borne out, as they seem to have been, at least in part,
there are some serious issues with the way GPS tracking is implemented in onboard automotive systems.
Sri Lanka's nationwide investigation of the Easter Sunday jihadist massacres continues
with tragic results over the weekend. During a police raid on a suspected jihadist cell,
the AP reports, militants opened fire and then set off a bomb, killing 15 in and around the
building in which they were cornered. Several children are among the dead.
Sri Lanka's response to the attacks has involved close attention to the killers' activities online,
although in this case much of the coordination appears to have been accomplished
through the face-to-face contacts more traditional among terrorist cells. The authorities are warning that the threat is
far from contained, as shown by this weekend's blast and the quantities of bomb-making material police have seized.
It's become clearer that the government in Colombo had warnings
that might have enabled them to interdict the massacres had they been acted on.
Indian intelligence services in particular are said to have shared fairly extensive
and explicit indicators and warnings of attack.
Sri Lanka's response has been intense, but foreign observers are generally giving it poor marks for effectiveness.
That's perhaps understandable, given the shocking
nature of the attacks. A journalist makes the case in Wired for regulating social media.
It's not so much stop me before I tweet again as it is stop them before they speak again or
post again. It's a curious and relatively
newfound tenderness many in the media are showing for the sort of prior restraint that not too long
ago they'd have ruled out at once. The concern is prompted, to be sure, by the malign use to
which online communication has been put by terrorist groups and loose connections of
extremist misfits. How such regulations might play out remains to be seen.
Here's one suggestion that doesn't appear in the Wired essay.
The police are just as free to read the newspapers as anyone else,
and open-source intelligence drawn from social media and elsewhere can be used for public safety.
That's what India's intelligence services appear to have done in the run-up to the Sri Lanka massacres.
It's a sorrow better use wasn't made of their warning.
App Store Curation Continues to Pose Challenges
Google is purging its Play Store of applications contributed by China-based software shop DO Global
after researchers reported last week that the Chinese company's products were implicated in widespread ad fraud.
As Gizmodo notes, the dozens of DO Global apps affected by Google's sweep have been installed somewhat more than 600 million times.
Apple, whose store tends to be more tightly curated and controlled, is also working to restrict certain kinds of apps.
Cupertino has decided to keep most parental control apps out,
and that's proving controversial.
These form, in most respects, a subset of the mobile device management sector,
given the high rate at which minor children are now equipped with phones and tablets.
Apple defends its exclusion of parental controls apps
on grounds of security and privacy.
It's just too easy for such apps to collect more than they should,
to overshare, and to have poorly vetted security.
That's not to say they're an inherently dodgy section of the market,
but they probably merit some extra scrutiny.
Parents, of course, want parental controls,
and some vendors are ready to sell them,
and they're not entirely happy with Apple's stance,
reasonable as that stance might appear from a certain viewpoint.
Kaspersky Lab, for one, sees it as a case of monopolistic restraint of trade
and has filed an antitrust claim in a Russian court.
And finally, don't believe everything a smart device says.
Hack Read has a note on a pointless act of cyber vandalism,
apparently done for the lulz.
Electric scooters being tested in Brisbane have their audio files replaced,
so the scooters now share dim-witted, lewd wisecracks. Aloud.
These particular scooters have been withdrawn, for now, from testing,
with the manufacturer, Lime, scolding: "It's not smart, it's not funny, and is akin to changing a ringtone.
It's disappointing that someone has taken this opportunity to poke fun at members of the community in a hurtful way."
We're pretty much with Lime on this one.
So if you hear an e-scooter say things like, pull my hair, don't act on the request.
It's just some jerk talking through the scooter, friend, and not the rider.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, great to have you back.
It's good to be back, Dave.
You are also my co-host on the Hacking Humans podcast.
I am.
People should check that out.
They should if they haven't done so already.
So today we are going to talk about Facebook.
And you wanted to hit on some adjustments that Facebook has made to some numbers.
Yes.
Go on.
Now, a couple of weeks ago I was on here talking about the fact that Facebook was logging user credentials in plain text, including their passwords.
Right.
And they had logged some large number.
And Facebook was kind of downplaying it, saying, no, no, this is not a big deal.
These numbers didn't breach out.
As they do.
Right.
Well, Naked Security has an article from the 19th of April saying that Facebook is now
saying, oh, we logged 100 times more Instagram passwords in plain text than we thought.
A hundred times more.
A hundred times.
Several orders of magnitude.
Yes, two.
Two of them.
See, here's the thing about these breaches.
They very rarely, in fact, I can only remember hearing about one that was, oh, it's not as bad as we thought it was.
We actually lost less data.
Every time I hear about these things, you hear about the news cycle breaks,
and they've lost a million passwords or a million people's information. And then you hear another
week later, okay, we've looked into it more. We've actually lost 10 million or 50 million,
or in the case of Facebook, 100 times more. These things never get smaller,
almost never get smaller. They almost always get bigger.
What do you make of this? I mean, these organizations, they're now required to report within a certain amount of time.
Right.
So they have to get information out there.
Right, yeah.
So people say that's part of it.
That might be part of it.
There might be regulations like GDPR that compel Facebook to tell people what they know immediately.
Yeah.
And then kind of slowly dribble out this information as they discover it.
And if they're complying with regulation, what are you going to do?
I think it's interesting also that this past week the Wall Street Journal said that when Facebook released its earnings report,
that they have set aside $3 billion for anticipated fines from the FTC.
What about this notion that big companies like Facebook have to be broken up,
that they're the modern robber barons, that they're running a monopoly, and for the good of the nation and the good of the world, we need to split them up into pieces?
So there's a couple things from my rudimentary understanding of monopoly law, which is not good, and I'm not a lawyer,
but one of the big problems with calling them monopolies is that there is essentially no barriers to entry.
Railroads are a monopoly because I can't go out and build a railroad easily.
There's a significant barrier to entry.
But I can go out and certainly build a social media network real easy.
This is why I was always saying that Microsoft was a monopoly,
despite the fact that more than 90% of the people who had computers used Microsoft.
There were free alternatives like Linux and FreeBSD out there.
That's not a monopoly.
People are just making a market decision.
But when you talk about being too big, like, for instance, Facebook has gone out and they've bought up Instagram.
Right.
And the FTC approved that and the SEC approved that or somebody approved it.
I'm not so sure that's in the benefit of the consumer.
You know, these companies going out and acquiring each other, it doesn't provide a competitive environment.
I think that should definitely stop.
So in terms of breaking them up and breaking Facebook back up into its constituent parts,
I wouldn't be upset by that at all.
But what are you going to do with Twitter?
Twitter is just Twitter.
Yeah.
Right?
Yeah.
I don't know.
I guess I just can't help having this feeling like we can't continue down the same path
that we're on, that something has to change, whether it's from within Facebook and Twitter
or regulations have to come down on them.
Or here's a $3 million idea.
So we can start a new social media site that doesn't track all the data and tries to be a good corporate citizen.
Yeah.
Market it that way.
Yeah.
I sincerely wonder why that hasn't happened.
Yeah, me too.
Has someone run the numbers and it's not financially viable?
Because I believe there is a barrier to entry, and I think that is that everybody's on Facebook.
Right. So how are you going to get everybody to move over?
How are you going to get enough people to move over when Facebook has hit critical mass where that's where everybody is?
That's where all the pictures are.
That's where all the events are.
That's, you know, how do you pull people away from that?
I think it's easier said than done.
Probably.
Yeah.
All right.
Well, we've solved all the world's problems here today, Joe.
No, we haven't.
I think we just resigned ourselves to the situation.
Yeah. Yeah. All right. Always good having you here.
It's always good to be here.
All right. Take care.
Joe Carrigan, thanks for joining us.
My pleasure.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.