CyberWire Daily - Kenyan election nullified over electronic irregularities. South China Sea cyber espionage. WikiLeaks' Vault7 dumps Angelfire. Accused leaker wants her statements excluded. DPRK raids ROK Bitcoin. WhopperCoin is here.
Episode Date: September 1, 2017
In today's podcast, we hear that Kenya's Supreme Court has nullified that country's presidential election results over electronic irregularities in the balloting. The Chinese step up cyber espionage against Vietnam during South China Sea disputes. Ransomware continued to surge this week. WikiLeaks dumps "Angelfire" documents from Vault7. Reality Winner says she wasn't properly Mirandized by the FBI. North Korea raids South Korean Bitcoin exchanges. Joe Carrigan from JHU on security issues with fitness apps. Charles Henderson from IBM's X-Force Red group on automotive security. And get ready for WhopperCoin. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. Check out & subscribe to Recorded Future's free intel daily. We read it every day. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Kenya's Supreme Court voids that country's presidential election results over electronic irregularities in the balloting. The Chinese step up cyber espionage against Vietnam during South China Sea disputes. Ransomware continues to surge this week. WikiLeaks dumps AngelFire documents from Vault 7. Reality Winner says she wasn't properly Mirandized by the FBI. North Korea raids South Korean Bitcoin exchanges. And get ready for WhopperCoin.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, September 1, 2017.
In a surprise ruling, Kenya's Supreme Court voided that country's presidential elections over irregularities in the balloting. The August 8th elections had returned incumbent Uhuru Kenyatta to office, and the losing opposition candidate, Raila Odinga, had petitioned the court to nullify the results, charging that the vote had been hacked and otherwise electronically manipulated. Few thought Odinga's suit had much merit, particularly since international observers had concluded the election was fairly conducted. Mr. Odinga himself seems as surprised as anyone by the decision. The court has directed that a new election be held within 60 days.
FireEye says Chinese cyber operators have increased their attacks on government and business targets in Vietnam.
The attacks coincide with increased tension over South China Sea territorial claims.
Locky and other ransomware have surged this week.
One strain is even reported to have been present in certain U.S. government websites.
WikiLeaks yesterday dumped documents purporting to describe a CIA implant framework,
AngelFire, said to be effective against Windows 7 and Windows XP machines.
Bleeping Computer sniffs that if AngelFire is indeed a CIA product,
it doesn't represent Langley's best work.
Its discussion characterizes the tools described as crude.
The presumed targets are also old, which again leads one to wonder
when and how WikiLeaks is getting the material it's producing.
There are suspicions about other leaks, and some of those have taken the form of indictments.
The legal proceeding currently in the news is the one in a Georgia U.S. federal court.
Accused leaker and former NSA contractor Reality Winner has told that court she wasn't properly Mirandized
when she first spoke with
FBI special agents searching her apartment. Her lawyers have petitioned to have the things she
said to those agents excluded at trial. Reports indicate that her conversation with the feds
amounted to a confession, which would explain their eagerness to keep it out.
Reality Winner, you will recall, is the former Air Force service member who was
inadvertently outed to U.S. authorities by The Intercept when it contacted them to authenticate
the documents Winner allegedly passed to the publication. North Korean operators have this
week been more closely tied to raids on South Korean Bitcoin exchanges. The DPRK is expected
to make more such attacks as it seeks to compensate for
revenue lost from sanctions imposed to constrain its nuclear and ballistic missile programs.
Finally, cryptocurrency meets the Hamburglar. Well, not exactly, since it's Burger King and
not a McDonald's innovation. And we'd be the last people to suggest that there's no difference
between the two global fast food titans.
I mean, we've been to the food court at the Towson Town Center, we know what's up,
so let's call it the blockchain comes to the Burger King.
Anyway, here's what's up in the Arbat, and in lots of other convenient locations,
throughout greater Moscow.
Burger King has introduced its own cryptocurrency, WhopperCoin, to its Russian operations.
Every ruble you spend on a Whopper, Whopper Junior, Gomburger, or even a Lonk Biff in Chelyabinsk or Krasnodar will get you one WhopperCoin,
which is a pretty sweet way of having it your way in our book.
When you've amassed 1,700 WhopperCoin, you can exchange them for a tasty, flame-grilled, non-virtual Whopper. The BBC has saved our staff data scientists the trouble of checking menus, exchange rates, and actually adding and doing the troublesome long division. And the Beeb estimates that customers will be able to get a free sandwich for every five or six they buy with real money. Real money. Ha! Like cryptocurrency isn't real money. Get with the times, BBC.
And while you're at it, put on your bowler, ankle on down to the local Burger King instead of the Drones Club, and just imagine the possibilities. So anyway, the King is working with the cryptocurrency startup Waves, which says it's already generated a billion WhopperCoin to prep for the big launch,
which they're not calling an initial coin offering,
but which we think they should. So why is this not just an ordinary loyalty program? Well,
it sort of is when you think about it, which is pretty much the point. One of the problems with
all sorts of loyalty programs, from airline miles to supermarket bonus points, is the limited range
of things you can exchange them for. Another is the difficulty of keeping track of them,
the heated altercations at the counter, and so on.
So a cryptocurrency would be a good way of having it your way,
a little like the old S&H Green Stamps your great-grandmother used to save,
only without the gluey taste.
Burger King Russia communications director Ivan Shestov
says the company has transformed the Whopper into an investment vehicle.
As he put it, now it's not just a burger, which is loved in more than 90 countries, but it's also a tool for investment.
Experts predict a rapid increase in the cost of cryptocurrency.
Therefore, eating one today is a reserve for financial well-being tomorrow.
Academic experts think Burger King may be on to something.
Cryptocurrency mavens at both Cambridge and Cornell think loyalty programs are a good use case for the blockchain.
So the next time you're passing down Tsvetnoy Boulevard, remember, it's not just a sandwich.
It's practically a 401k.
And I'm pleased to be joined once again by Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
Joe, welcome back. We saw an article come by from Quartz, and the headline was,
Using a fitness app taught me the scary truth about why privacy settings are a feminist issue.
And really, to summarize the article here, there's a woman who used an app to track her running.
Right. And she
thought she had disabled the ability for anyone else to see what she was doing. Right. But it
turns out this app has a lot of different levels of security. She had turned off public sharing,
but she hadn't turned off being posted to the leaderboard. Right. And because she was such a
good runner, she made it to the leaderboard and suddenly she started getting messages from people who she didn't know saying, hey, great run around that place you were today that you weren't intending to share with everyone.
Exactly.
Well, this is one of the consequences of making everything social.
Right.
Now people that you don't know become part of your social circle. And I use social with scare quotes around it.
Because you're a big fan of the social sharing.
Right, right. And being someone who generally avoids social interaction myself, I don't fill out my complete profile on Facebook. You know, I'm sure Facebook knows exactly where I live, but, you know, it's not listed on my profile because the data has not been entered into my profile. People need to be aware that when you're working with these apps that claim to be social, and I use a social fitness app, when you're working with them, you are sharing this information with people and you're making it available to people you might not want to make it available to.
Yeah. And the woman who wrote this article made the point that this could be a safety issue because...
Absolutely could be a safety issue.
Who knows? You know, she did not intend to share the location of her runs. Right. But just by using the app,
she did inadvertently. And so it's also the point of whether or not you need to opt in or opt out.
Yeah, that's a good point. There's a big debate around that. I see both sides of the issue.
I see the definite personal responsibility side of the issue, but at some point in time, we're talking about large amounts of data being gathered, and that's something I would rather opt into than have to opt out of.
Yeah, it's interesting because it seems like the European standard is to opt in, and for those of us here in the United States, you're opted in.
Right, you're opted in.
You have to opt out. Right. But to be fair, the European standard, if you go to a European website, their opt-in policy is opt in or don't use the service.
I see.
So, you know, you log on and it says, this site uses cookies.
If you don't like that, leave the site.
And if you click OK, then they start gathering cookies.
And if you leave the site, then you can't use the service.
Right.
Right.
So I guess the bottom line here is buyer beware. Right. I hate to say read the EULA because that's... Nobody does
that. It's unrealistic, really. I mean, who am I kidding? Yeah, exactly. But I guess if privacy
is a concern for you, it's worth shopping around to try to find.
There's no shortage of fitness apps out there.
There is no shortage of these things.
Try to find the one that respects your privacy.
And if there is one that starts out from the get-go as making you opt in to sharing these things.
You agree?
I do agree.
I'm sorry.
I didn't know you were waiting for me to say something.
It's caveat emptor pretty much all the time.
All right.
You're on your own.
Yeah.
All right.
Joe Carrigan, thanks for joining us. My pleasure.
My guest today is Charles Henderson. He's the global head of IBM's X-Force Red,
where he leads a team doing penetration testing as well as vulnerability research.
Among his areas of research are connected cars,
and not long ago he had some direct experience with some automotive vulnerabilities.
Several years ago, I bought a connected car,
and it was this awesome car. It was convertible. It was really
my dream car. Family grew and the car was, it just wasn't practical. So I traded it in. But
the interesting thing was I had this app that controlled all sorts of things and I could
geolocate the car and do all sorts of fun stuff with it. And I noticed that my old car was still listed
when I got home and enrolled my new car into the app. And I'd done a factory reset of the old car
before I traded in because I didn't want, you know, my contacts from Bluetooth going to the
new owner. I wanted the car to be fresh and clean. And, you know, I'm sort of paranoid as a security researcher as well.
Sure. I figured that eventually the dealership would reset the control of the car and that it was just a matter of the fact that it had just been a few days since I'd sold the car.
Well, days turned into weeks, weeks turned into years. And now I guess it's been four years now,
I still have access to that old car. So what can you do? Can you remotely start it? Are you
able to freak out the new owners? Yeah. I mean, I think the headline is car possessed.
I can geolocate it. Shortly after we reported this issue, many of the car companies limited the geolocation capabilities of cars, so that you had to be within one mile of the car to geolocate it. The problem is that you self-report where you were located, so your phone self-reports where it's located.
And I wrote an app that basically lied about where my phone was located.
And at about roughly 300 web requests, you can cover most metropolitan areas.
I think New York City was like 312.
I can geolocate it. I can honk the horn, adjust the climate control,
things like that. I can actually unlock it. The reason
that this still works is they didn't deprovision my access.
And it's important because that second owner doesn't think of their car as a connected car. They think of their car as a car, because it functions exactly the way it's supposed to, and there's no warning light on the dash: hey, Charles Henderson's accessing your car.
Right.
It's sort of the same phenomenon as IoT in general. What does a connected light bulb look like?
It looks like a light bulb.
So you notify the manufacturers that this is an issue.
What was the response?
That's the really interesting part. So at first, the manufacturer said, well, this is a dealership problem.
We went through the responsible disclosure process with the dealership.
I think that was mainly just to
see what would happen. Turns out, no, a dealership is not equipped to handle this. And candidly,
you'd have to notify thousands of dealerships across the world. At first, there was a push
that, oh, it's the first owner's responsibility to make sure that their access is deprovisioned.
And actually, some of the car companies, the legal teams at least,
had obviously thought about this because there were some lines
in some of the car companies' car automobile contracts
that said in the Ts and Cs for accessing the app
that it was the first owner's responsibility,
basically that you're responsible for decommissioning your access.
Other car companies compared it to having a set of keys and keeping them.
But it's very different than keys
because my keys don't geolocate the car.
It's a very heightened level of access.
In the long run, though,
the car companies realized it was an issue
and you're starting to see them try to deal with it.
We've actually been in contact with them
and running through some of the scenarios they might
use as a solution to the problem. The key here is that when they were designing that car, when they
were making it connected, they were thinking so much about getting the car off the lot and not
about three years down the line when the car got sold. Was there no provision by which the car's new owner or manufacturer could disable your access to that car?
The car's new owner could if they knew that I had access to the car.
But it's kind of almost a catch-22 where they don't know I have access without checking.
And they don't check because they don't know I have access.
Right. So somewhere buried in a menu, there may be a list of the people or devices that have access to this car, but why would you go looking for that menu if you think you were getting a
clean car? That's where it gets worse. It's not actually a menu in the car. They would have to
actually go to the dealership and talk to someone that many dealerships call a provisioning specialist.
Basically, they go deep into a system. And that's because in the early stages of connected car,
that account subsystem wasn't really exposed. And even if there's a web portal where you could log
in and check who has access to the car, unless you're using the
connected car function, you're probably never going to see that web portal. So increasingly
what you're seeing manufacturers do is say, hey, we really need a menu
in the car that shows who has access.
It also underscores a problem that you see
in a lot of areas of security. Everyone thought it was someone else's responsibility. The new car dealership thought it was the used lot's responsibility. The used car dealership thought it was the car manufacturer's responsibility. The car manufacturer thought it was the owner's responsibility. The owner thought, hey, I don't have access to the
system. How on earth could this be my responsibility? You start seeing this sort of
convoluted web of ownership. And the truth is, if you have disagreement about whose responsibility
security is, security is no one's responsibility. There needs to be a clearly defined responsibility chain for security to work.
And this is an example of security failing because no one had ownership.
That's Charles Henderson from IBM's X-Force Red. We've got an extended version of this
interview on our Patreon page for our supporters there. Go to patreon.com/thecyberwire to
check it out.
And that's the cyber wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.
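The one-mile proximity check Charles Henderson describes in the interview above, modelled as an added example. This is editor-supplied Python, not code from the podcast, from IBM X-Force Red, or from any car maker, and it assumes a flat grid measured in miles rather than real geodata. The toy back end only answers a geolocate request when the phone reports itself within a mile of the car, but it judges that on the phone's own claim, so a spoofing client replays a hexagonal lattice of fake positions chosen so that every point of a search box is within a mile of some probe; that is why a metro area falls in a few hundred requests. The box size, car position, account names and VIN are constructed, and transfer_ownership is the deprovisioning step Henderson says was missing, shown here as the fix.

```python
import math
from dataclasses import dataclass, field

ONE_MILE = 1.0  # radius of the "must be near the car" rule Henderson describes


@dataclass
class Car:
    vin: str
    x: float            # miles east of the search box origin (constructed flat grid, not real geodata)
    y: float            # miles north of the origin
    owner: str
    grants: set = field(default_factory=set)  # accounts whose app may control this car


class TelematicsBackend:
    """Toy back end. geolocate() trusts the caller's self-reported position,
    which is the weakness; transfer_ownership() is the missing deprovisioning step."""

    def __init__(self, cars):
        self.cars = {c.vin: c for c in cars}
        self.requests = 0

    def geolocate(self, user, vin, phone_xy):
        self.requests += 1
        car = self.cars[vin]
        if user not in car.grants:
            return None
        # The proximity rule is evaluated on attacker-controlled input.
        if math.dist(phone_xy, (car.x, car.y)) > ONE_MILE:
            return None
        return (car.x, car.y)

    def transfer_ownership(self, vin, new_owner):
        """What should happen at the sale: revoke every grant the prior owner held."""
        car = self.cars[vin]
        car.owner = new_owner
        car.grants = {new_owner}


def hex_probe_lattice(width, height, r=ONE_MILE):
    """Fake phone positions for the spoofing client: centres of a pointy-top
    hexagonal tiling with circumradius r (column spacing sqrt(3)*r, row spacing
    1.5*r, odd rows shifted half a column). Every point of [0,width]x[0,height]
    lies inside one of these hexagons, hence within r of its centre, so one
    request per centre is guaranteed to find the car."""
    dx, dy = math.sqrt(3) * r, 1.5 * r
    cols = math.ceil(width / dx) + 1
    rows = math.ceil(height / dy) + 1
    return [((j + 0.5 * (i % 2)) * dx, i * dy) for i in range(rows) for j in range(cols)]


def spoofing_search(backend, user, vin, width, height):
    """Replay the lattice as claimed phone positions until the back end answers."""
    for probe in hex_probe_lattice(width, height):
        hit = backend.geolocate(user, vin, probe)
        if hit is not None:
            return hit
    return None


def demo(width=30.0, height=25.0):
    """Returns (location the first owner found, requests it took, result after deprovisioning)."""
    car = Car("VIN-EXAMPLE-0001", x=21.3, y=7.9, owner="second_owner",
              grants={"first_owner", "second_owner"})   # stale grant survived the sale
    backend = TelematicsBackend([car])
    found = spoofing_search(backend, "first_owner", car.vin, width, height)
    cost = backend.requests
    backend.transfer_ownership(car.vin, "second_owner")  # the fix: revoke at the ownership boundary
    after = spoofing_search(backend, "first_owner", car.vin, width, height)
    return found, cost, after


if __name__ == "__main__":
    found, cost, after = demo()
    print(f"stale grant: car located at {found} after {cost} spoofed requests")
    print(f"after deprovisioning: {after}")
```

Against a constructed 30-by-25 mile box the full lattice is 342 probes, the same order of magnitude as the 312 Henderson quotes for New York, and the first owner locates the car well before exhausting it. After transfer_ownership revokes the stale grant, the identical search returns nothing: the control now lives in the back end's authorization data rather than in a number the client gets to report.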