CyberWire Daily - Jailbreaking or forensics? W-2s and business email compromise. Router vulnerabilities. Windows zero-day. Enterprise security priorities. Iranian cyber ops and Iranian dissent. US-Russian cyber tensions.
Episode Date: February 3, 2017
In today's podcast, we hear reports that Cellebrite forensic tools have been dumped online. The IRS warns that W-2 fraud is being combined with business email compromise. Cisco router vulnerabilities are under discussion. A Windows zero-day can produce the blue screen of death. Recent surveys prompt a review of enterprise security spending priorities: the perimeter is down, the endpoint is up, and network visibility is everywhere. Russia's treason trial proceeds. The US sends a good-cop/bad-cop message, or maybe just a mixed message, in cyber. Accenture Technology's Malek Ben Salem discusses embedded device security. Author Frederick Lane on his latest book, Cybertraps for Expecting Moms and Dads. And is Hogwarts in Buckinghamshire, or the Monongahela Valley?
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Forensic tools are dumped online after a security firm is breached.
The IRS warns that W-2 fraud is being combined with business email compromise.
We've got some Cisco router vulnerabilities. A Windows zero-day can produce the blue screen of death.
Recent surveys prompt a review of enterprise security spending priorities. The perimeter
is down. The endpoint is up. The network visibility is everywhere. Russia's treason trial
proceeds. The U.S. sends a good cop, bad cop message, or maybe just a mixed message in cyber.
Author Frederick Lane helps expecting moms and dads avoid cyber traps.
And where in the world is Hogwarts?
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, February 3, 2017.
The hacker who breached mobile forensic tool provider Cellebrite last year has dumped code he, she or they claim to have obtained from that company.
Cellebrite's main product is the Universal Forensic Extraction Device, UFED, thought to be widely used by British and U.S. police to unlock phones in the course of criminal investigations.
The hacker's dump includes tools related to cracking Android, BlackBerry, and older iOS devices.
Motherboard reports that experts say the code looks like jailbreaking exploits adapted to forensic purposes.
The declared motive is to demonstrate that such tools, once developed, inevitably find their way into undesirable hands.
So observers are reading this as hacktivism directed against the alleged ease with which phone-cracking tools can be turned to repressive ends.
Cellebrite gained some fame during the FBI investigation of the San Bernardino jihadist massacre. The Bureau appears to have used Cellebrite's technology to gain access to the killer's otherwise inaccessible device.
In the U.S., the Internal Revenue Service warns that criminals are combining W-2 tax form theft with business email compromise in fraud campaigns expected to continue through the end of tax season.
Bitdefender and the SANS Institute have analysis of Cisco router vulnerabilities, likely to be of particular concern with respect to home networks.
US-CERT warns of a Windows zero-day that could be exploited to bring about the BSOD, that is, the blue screen of death.
Several recent studies have been tracking the evolution of enterprise spending on security.
There appears to be a shift from prevention to detection, as organizations increasingly see network perimeter defenses as insufficient protection. A survey conducted by Anderson sees not only this shift, but also considerable interest in reducing the problem of false positives.
Michael Patterson, Plixer International's CEO, agrees that false positives are a big problem and are driving interest in enterprise visibility.
The recent Thales data threat report also tracked enterprise spending
in response to perception of threats and vulnerabilities.
About a third of the enterprises surveyed consider themselves very vulnerable.
Sandor Balint, security lead for applied data science at Balabit,
told us he's sympathetic to the security manager's plight.
Quote, it's all too easy to chastise organizations for a perceived misalignment of security spending priorities.
It's another thing to actually be at the helm and making calls.
For many security managers, it feels like trying to plug a thousand holes in a boat,
while behind you someone's pointing out that the water's rising and you haven't plugged everything yet. End quote. His best advice? Once you've got the basics in place, invest in improved monitoring.
Iran continues to find cyber operations an attractive means of striking foreign enemies and exerting domestic control.
Internationally, it gives them a disruptive and destructive reach that's inexpensive and plausibly deniable.
Domestically, the regime is sensitive to its own vulnerability to dissent and engages in a vigorous program of censorship.
An Iranian dissident is taking a pirate radio-inspired approach to pirate podcasting to circumvent censorship.
His California-based, Iran-focused outfit, IranCubator, is soon to launch Radito, that's R-A-D-I-T-O, an Android app designed to enable people to listen to otherwise censored podcasts.
Russia proceeds with its prosecution of current and former FSB officers on charges of treasonable congress with the US CIA. This is, as observers note, a case that has potential connections to both corruption and intra-governmental rivalry. It seems an FSB directorate may be undergoing a purge designed to curb its influence.
There are some mixed signals from the US with respect to Russian hacking.
The U.S. Treasury Department is modifying sanctions against the FSB in ways that would permit U.S. firms to resume selling the FSB certain items as long as those wouldn't be used in Russian-occupied Crimea.
The modifications are said plausibly to be the kind of regular re-evaluation and tweaking of sanctions Treasury always conducts, but it's difficult to see how a geographical restriction might be made to work.
Also, we're curious about what U.S. companies might actually be interested in selling to the FSB.
Okay, we know that the Russian government isn't communist anymore, but it's hard not to be reminded of Lenin's wisecrack that they would hang the capitalists and the capitalists would compete to sell them the rope.
On the other hand, the U.S. Army has announced that it's funding a Ukrainian cyber defense center,
and that is surely an extremely unwelcome development in Russian eyes,
especially since the Americans say this is intended as another step toward full Ukrainian integration with NATO.
For its part, the European Union is preparing for destabilizing Russian cyber operations
during this year's national elections.
Finally, Dark Reading describes the UK's new school for hackers as a Hogwarts.
Located, appropriately enough, at Bletchley Park, center of British code-breaking during the Second World War, the school is intended to train talent for Her Majesty's cyber services.
But Hogwarts can't quite be right, because there are other such schools out there too.
Maybe it's just one house, perhaps Ravenclaw?
We mention this because we're pretty sure Gryffindor has opened up about 250 miles north
of us, somewhere around the Cathedral of Learning.
That's right, the University of Pittsburgh is going into the cyber research and education
business.
The alumni on our editorial staff are pleased and proud.
So, Gryffindor on the Monongahela.
We'll let Carnegie Mellon and Penn State decide who wants to be Hufflepuff and who will cop to being Slytherin.
After all, it's Pennsylvania, the land of pierogi, groundhogs, and white hat hackers.
And joining me once again is Malek Ben-Salem. She's the R&D manager for security at Accenture
Technology Labs. Malek, we wanted to talk today about some of the research you all are doing in regards to embedded devices.
Yeah, as you know, especially with the advent of the Internet of Things,
embedded devices are becoming increasingly connected.
They're being deployed in remote areas where they're exposed to tampering by adversaries. And it's hard to protect them
using the traditional mechanisms of protection that we rely on, where we assume that the adversary
does not have physical access to the device. And this is particularly important in the healthcare
sector. So think about a hospital. Anybody could go in pretty much,
and they can go into any patient room. They have access to the medical devices deployed there.
And if they have a malicious intent, they may be able to modify what the device,
what the medical device does, introduce significant damage to the patient.
So in order to protect against those types of attacks and tampering with the devices,
we partnered with Johns Hopkins University with their Healthcare Security Institute,
and we tried to come up with security mechanisms that would detect any tampering with the devices.
It relies on profiling how a security device works in a particular mode,
and we build a sort of a control flow graph that's dynamically built while that device is operating in that mode.
Then in real time, we detect if the device starts behaving differently,
you know, basically deviates from the profile that we built for that device. And if we detect
such deviation, we can either alert the security administrator, or just in emergency cases,
we can stop the device from working. Interesting stuff. Malek Ben-Salem, thanks for joining us.
My guest today is Frederick Lane.
He's an attorney, public speaker, and the author of several books dealing with privacy and cybersecurity,
including American Privacy, the 400-Year History of Our Most Contested Right,
as well as a series of books covering what he refers to as cyber traps,
including Cyber Traps for the Young, Cyber Traps for Educators,
and his latest, the subject of our conversation, Cyber Traps for Expecting Moms and Dads.
When I'm talking about cyber traps, what I'm really talking about are things that are unexpected outcomes of using digital devices.
So just by way of example, one of the things that I begin with is taking a look at some of the possible physical issues that can arise from the use of technology.
And I want to make it absolutely clear, I'm not a physician,
don't even play one on TV, but I think if you take a look at the competing research out there,
there are some legitimate issues that people should think about. Whether or not, for instance,
there's any issue with respect to exposure to cell phone radiation, either prior to pregnancy or during pregnancy itself? Are there issues in
terms of holding a hot laptop on your actual lap when you're either trying to get pregnant or when
you're carrying a child? My goal in writing about these things was to
give people a checklist of things that they might want to talk to their doctor about.
As I said, the point of this is not to give medical advice, but to educate people about a range of topics that they really should discuss with a physician during the course of pregnancy.
The second section of your book is called
Your Little Bundle of Data, and that certainly caught my eye. I like it. It's a clever name,
but you're outlining ways that even before the child arrives that parents need to
think about protecting their own privacy and that of the coming child.
Right, and believe me, there's a ton of topics that we could spin off from there. I mean,
obviously, in terms of the privacy of the mother, there's a real premium on the identity
of women who are expecting children. And there's a good logical reason for that because retailers and manufacturers know that a woman's spending on pregnancy really peaks in the end of the second and the beginning of the third trimester of the baby.
What you see is that advertisers are willing to pay a premium, sometimes by a factor of 15 or 20, to get data about women who are pregnant.
Beyond that, you start getting into these issues of what kind of information are we going to
release about the pregnancy or the birth? And when are we going to do it? So for instance,
if you're a woman who's working, and you're not necessarily sure that you want your boss to know right away
that you're pregnant because it might impact your job, that raises issues about whether or not you
put information on social media or how do you keep your friends from letting the whole world know
that you're pregnant before you're ready to do so. That's one piece of it. Another piece that arises,
and this is where we start getting
into the impact on the child, is that literally from the moment that people start posting material
online, they're creating an identity for their child. And you can look at this different ways,
obviously. I mean, I was out of the country for about a year, and it was really wonderful to be able to see photos of my nieces and nephews and so forth.
for their child, they're having an impact on the child's ability to create their own online profile or their own online identity when they get older.
What about the notion that perhaps, you know, we're overlaying our own views of privacy
on a generation that's coming up that is likely to have a very different view of privacy from
us?
Yeah, you know, I think that's a good question. I think that it depends to a large extent on
how you define privacy. A lot of this discussion is really about terminology and that the appropriate
way for us to look at privacy and to define that concept is not so much as a
concrete thing, right? So that you would say, well, kids today, you know, they don't look at
privacy the same way we did, you know, and I'm in my 50s. So, you know, they're different. And I
think that the answer is, we actually all have the same basic approach to privacy. And that is that
what we want to be private is really about how we control our information and what choices we make.
One of the things that we see with the millennial kids today, and I've watched this with my own guys, is that they have that same desire to control information.
They just make different choices than necessarily I would about the information that they're
willing to share.
Basically, what I think it boils down to is that the right to privacy is really the ability
to control who gets access to your information and under what circumstances.
And that's something I think we all should agree on.
That's Frederick Lane.
The book is Cyber Traps for Expecting Moms and Dads.
You can find it on Amazon.
You can learn more at his website, FrederickLane.com. And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.