CyberWire Daily - Iranian dissent takes to Tor. Iran cracks down on Internet services (and Infy gets busy). Kernel memory issue in Intel processors. macOS bug published. "Trackmageddon." Curating YouTube. Condolences to a SWATTING victim's family.
Episode Date: January 3, 2018
In today's podcast we hear that Iran's crackdown on Internet channels of dissent continues. Intel processors are determined to have a deep security flaw: cloud users are likely to be affected. A macOS local privilege escalation vulnerability is published. The "Trackmageddon" location service vulnerability seems to originate in a buggy API. The suicide forest video appears to have passed through YouTube's human curators. The man arrested in the Wichita police shooting may have been a serial SWATTER. Joe Carrigan from JHU on holiday IoT devices. Guest is Thomas Jones from Bay Dynamics on updated NIST rules for DOD contractors.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Iran's crackdown on Internet channels of dissent continues.
Intel processors are determined to have a deep security flaw,
and cloud users are likely to be affected.
A macOS local privilege escalation vulnerability is published.
The Trackmageddon location service vulnerability seems to originate in a buggy API.
The suicide forest video appears to have passed through YouTube's human curators.
And the man arrested in the Wichita police shooting may have been a serial swatter.
I'm Dave Bittner with your Cyber Wire summary for Wednesday, January 3, 2018.
Iran continues to crack down on dissent as the government faces street protests and online organizing.
Protesters and their supporters are dissatisfied with the Islamic Republic on at least two points.
They object to what they characterize as a badly mismanaged economy whose privations have been rendered worse by official corruption,
and they see the regime as being far too concerned
with things going on outside the country.
Support for Hezbollah in particular and the Palestinian cause in general
have been singled out for chanted denunciation by protesters.
There have also been surprising expressions of nostalgia for Shah Reza Pahlavi, deposed by the Islamic Revolution of January 1979.
There seem to have been no calls by protesters for the release of still interned leaders of the failed 2009 Green Revolution.
Statements by senior officers in Iran make it clear that in their view the unrest is driven
by foreign enemies whose weapon is information. That concern is about alleged foreign involvement
in what has the appearance of grassroots protests. The chief deputy of staff of the Iranian armed forces, Brigadier General Jazayeri, said yesterday that anyone who remained silent in the face of what the Mehr News Agency called a comprehensive plan of enemies to change beliefs, thoughts, and behavior of the nation should be held to account.
As the Brigadier General put it, "In the current situation, urgent and decisive measures should be taken by the relevant agencies to achieve secure and domestic cyberspace."
The leader of the Revolutionary Guard said this afternoon that the uprisings had been decisively put down,
but few observers are so far willing to accept that assertion at face value.
More than 20 are reported to have been killed since last Thursday.
Nearly 500 are thought to have been arrested.
Government-organized counter-demonstrators took to the streets this morning to denounce the protests
and chant "Death to America," following the regime's line that the unrest had been fomented by enemies abroad.
Tehran has sought to restrict Internet access in order to deprive dissenters of both a platform and a means of organization.
Telegram and Instagram have so far received most of the government's attention.
As ready access to these platforms is lost,
many in the country seem to be turning to Tor connections for internet access.
While the cyber implications of the Islamic Republic's response
have for the most part been domestic, confined to Iran,
security experts warn those outside of Iran who may have had actual or apparent contact with Iranian citizens to beware of spear phishing.
This is expected to be carried out by the government-associated Infy threat group.
Infy has in the past shown a willingness and ability to target foreign persons of interest.
A major security flaw has been reported in Intel x86 processors produced over the past decade.
Details remain sketchy as Intel prepares an announcement,
but apparently attackers can identify and exploit normally protected kernel memory.
All major operating systems are affected.
Users of cloud services may also experience issues noticeable as slowdowns in their service.
Amazon Web Services has told users to expect a major security update Friday.
Observers speculate that Microsoft will address the problem in its January 10 patches.
AMD has noted with pardonable satisfaction that its chips don't suffer from this flaw.
On January 1, 2018, some new security requirements kicked in for government contractors who work for the Department of Defense or Intelligence Community.
They are now mandated to comply with a NIST special publication, 800-171.
Thomas Jones is a federal systems engineer with Bay Dynamics,
and he helps us make sense of the new mandate.
December 30, 2015, the DOD actually amended two of their requirements
for actually compliance with contracts.
So if you're going to do business with the DOD,
you had to actually fall into two areas, new areas within the DFARS contracts.
One's around protection of controlled, unclassified information, and the other one's around reporting breaches within your organization.
So it reaches outside of what is normally considered federal purview into the contractor community or into the civilian community, and actually tells them how to set and control safety standards in their IT systems.
So this is one of the first times they've done that for non-classified information. There's
always been something in place for classified information, things that are secret or top secret
or what have you. But this actually touches upon the non-classified information, the social
security numbers of individuals, the contact information, as well as sensitive but non-classified
information that you simply wouldn't want other people to have from an individual perspective
and from a national perspective. So what are the real-world practical implications of this?
Well, it's actually been very interesting.
A lot of times you implement these with contractors, and it's a fairly straightforward process.
You tell them that their contracts are dependent upon them, and they roll them out.
But this one's a little different in that it's not just the prime contractors that had to be in line with these requirements.
It's also the subcontractors.
So each one of the primes have to go back to their subcontractors and make sure that they're actually adhering to these best practices.
And that becomes a little dicey when you're talking about subcontractors
that are two or three mom-and-pop shops
where they don't have the resources to implement this.
So the real-world implications are that you potentially have a
situation where a prime contractor could lose a multimillion dollar contract based on a small
subcontractor not being able to or not being aware of the requirements around protecting the
controlled unclassified information. Did these requirements become retroactive?
No, it's not. There's actually
been a softening of the general requirement, and I call it a softening. The DOD is saying there's
no change at all, but they're simply requiring by the January 1st deadline that people have a
reporting mechanism in place. So you can generate a report saying that you're compliant with these 14 key areas of 800-171.
And in those areas that you may not have actually implemented the controls, that you have a plan to get in place and a date to get in place by,
which is a little softer than having to have all those controls in place by the January 1st deadline,
which is the way most contractors have been approaching this.
So is there a secondary deadline now that's been put out there for having to actually have things in place? Not that I've been able to find. And I've been searching long and hard for that. But
there doesn't seem to actually be anything in place that draws a line in the sand and says,
by this date, you need to have these in place.
What you do need to have in place by January 1st is a plan to actually fulfill all 14 key areas within your organization,
including identification of the data that has to be protected,
a risk assessment of the organization to determine what the critical controls need to be in place first,
what patches need to actually be implemented first, and what risks really are your greatest risks within the organization,
as well as things like encrypting data at rest, data in motion,
and doing things like controlling the flow of data within the organization,
where it can go, who can access it, and the ways it may be
accessed. That's Thomas Jones from Bay Dynamics.
A researcher known by the handle Siguza has published a macOS local privilege escalation vulnerability that could be exploited for root access and code execution. The vulnerability was apparently not disclosed to Apple before publication. There's currently no fix available, but Cupertino is doubtless working on one.
The flaw is not believed to be remotely exploitable. You would need physical access to work your bad magic, which renders the bug less interesting to skids and script kiddies.
Siguza cites this, and Apple's lack of a bug bounty program, in justification of his decision to publicly disclose his findings, as opposed to giving Apple a heads up.
Two researchers yesterday disclosed issues with a vulnerable API used for GPS tracking services that can expose location data, audio recordings, image files and device information.
They're calling it Trackmageddon.
The afflicted sites are policing themselves up one by one.
Logan Paul's now infamous and repellent YouTube video from Japan's suicide forest has been taken down,
and an apology from Paul posted in its place.
Paul's fans and detractors have taken their predictable defensive or offensive stances.
YouTube itself has come in for more interesting criticism. Both Wired Magazine and TechCrunch
have called out the video platform, Wired arguing that the incident should be a reckoning and TechCrunch
deciding that YouTube is more responsible for the video than one might at first judge a platform to
be. According to the report in TechCrunch, YouTube manually reviewed the video after concerned viewers flagged it. The content
assessment team saw the video and, according to the report, left it up without so much as an age
restriction. It's not as if the nature of the content was particularly difficult to discern,
of course. The video's title, you recall, was "We Found a Dead Body in the Japanese Suicide Forest," and the thumbnail showed the suicide victim. Logan Paul might be accused of
many things, but failure to judge what would prove to be clickbait is not among them. The incident,
again, shows the difficulty of content management, whether by machines, humans, or some centaur mix
of the two. It also shows why Google is likely to remain in hot water in the UK,
where it recently failed to respond to questions about extremist content
posed by Parliament's Home Affairs Committee.
Tyler Raj Barriss, or at least his online persona, SWAuTistic, is said by Krebs on Security to have tweeted late last week a boast of having called in bomb threats or SWAT teams at some ten homes and more than a hundred schools.
Barriss was arrested in connection with the tragic and lethal swatting attack that took the life of an innocent and uninvolved father of two late last week.
The victim's address seems to have been chosen for its plausible proximity to the actual target and for the lulz. Explaining himself to Krebs on Security, Barriss said, "Bomb threats are more fun and cooler than SWATs in my opinion, and I should have just stuck to that, but I began making dollars doing some SWAT requests." The investigation continues,
looking at both the police officer who fired,
and for other gamers who might have been involved in the dispute that led to the swatting.
Our heartfelt condolences to the family of the victim, Andrew Finch. May they receive comfort, consolation, and justice.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
Joe, welcome back.
Hey, Dave.
So we have survived another holiday season.
And with that is going to come a flood of new IoT devices hitting the web.
We'll probably receive some ourselves.
Yes, gadgets.
Gadgets, we can gadget guys.
People will give us things with best intentions.
And say, here, you can use this.
Yeah, and the first thing that device is going to want is your Wi-Fi password.
That's right, access to your network.
Right.
And it wants to go connect to some external server and start uploading data somewhere.
And it also may want to create some external port, like there might be some kind of camera
where you now can go out and view your camera, a security camera for example, from the outside
world.
So if you're at work, you can check on your dog and your cat, watch what the nanny's doing
if you have a nanny.
People should be aware that when these things come,
they're going to come with some default password. That's the first thing I'm going to recommend.
If you get a new device that is accessible on the internet, first off, evaluate, do you truly
need this device? Do you need that connectivity? Right. If you
believe that you do, take the time to secure it and change the default passwords
so that people aren't just logging in remotely or putting it in some botnet like the Mirai botnet.
And do that, I mean, quickly, right away.
You can do that in a way before it's connected to...
Because I've seen these reports where people will hose up a camera to the internet and
it takes, I mean, it's moments before that thing is owned by outside
forces. That's correct. So if you can disconnect your internet connection and then connect the new
device to the Wi-Fi network and you can still actually connect to it from your computer,
it just can't reach the internet. And then you can go ahead and change the password if that's
possible. And what about the idea of basically having a guest network for all your IoT devices,
separating it from the computers where you keep important information? Yeah, I would definitely
recommend doing that. If you have that technical capability and the hardware to do it, yeah,
that's always a good thing to do. It's segmentation. It's a basic security practice. It's a good idea.
However, that's not going to stop those things from being attacked from outside of your network.
They're still going to get attacked.
You're just going to have that attack be isolated.
It will be less damaging.
So you still need to take measures to make sure that the devices themselves are protected.
All right.
Good advice.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Thanks for listening.
We'll see you back here tomorrow.
