CyberWire Daily - Post hack ergo propter hack: DHS calls Russian claims “noisy garbage.” Responsible and irresponsible disclosure. FCC wants an end to robocalls. USPS Informed Delivery abused. Post Canada—whoa.
Episode Date: November 8, 2018
In today's podcast, we hear that, while election hacking seems not to have happened in the US this week, that hasn't stopped the IRA and its mouthpieces in Sputnik, RT, and elsewhere from loudly claiming it has. Election influence operations continue long after the election. VirtualBox zero-day disclosed to everyone. USCYBERCOM posts Lojack to VirusTotal. FCC vs. robocalls. US Postal Service's Informed Delivery exploited. Canada Post slips to reveal cannabis customers. Dr. Charles Clancy from the Hume Center at VA Tech on in-car cell phone jammers. Guest is Ian Paterson from Plurilock Security Solutions on behavioral biometrics. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_08.html
Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me, now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Election hacking seems not to have happened in the U.S. this week,
but that hasn't stopped the IRA and its mouthpieces in Sputnik, RT, and elsewhere
from loudly claiming that it has.
Election influence operations continue long after the election.
A VirtualBox zero-day has been disclosed.
U.S. Cyber Command posts Lojack to VirusTotal.
The FCC goes after robocalls.
The U.S. Postal Service's Informed Delivery has been exploited.
And Canada Post slips and reveals cannabis customers.
From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary for Thursday, November 8, 2018.
The U.S. Department of Homeland Security has said that Tuesday's elections went off without disruption by cyber attack,
and at this point that seems a fair assessment.
Preparations are already underway to bring a comparable level of security forward into the 2020 election cycle.
So hacking proper seems to have been a fizzle, but there were some influence operations at play.
DHS also notes that disinformation about election security and the effects of influence operations is being actively distributed. It's hogwash from St. Petersburg, whose Internet Research Agency cries victory for its trolls.
DHS cybersecurity leader Christopher Krebs points out that the influence ops from Russia right now are filled with noise and garbage, stuffing people up with phony stories about compromised systems and voting having been cyber-rigged.
Expect this to continue, and remember that Moscow's record suggests that it has a fairly simple and achievable goal: erode adversary populations' trust in their government's institutions and in one another.
Also from St. Petersburg comes a zero-day for Oracle's VirtualBox, posted to GitHub.
This isn't the IRA's work, but rather that of one irritated freelance bug hunter, Sergey Zelenyuk.
Mr. Zelenyuk says he loves VirtualBox, but that the industry just takes too long to evaluate reported bugs, and so he's dropped the zero-day without prior disclosure as a gesture of defiance.
U.S. Cyber Command is also reporting bugs, but in a regular, non-angry way. The command has submitted samples of Russia-linked Lojack malware to VirusTotal.
A major incident affecting banks in Pakistan appears to be a paycard skimming operation as opposed to a breach.
The country's central bank denies there was any breach, but skimmers seem to have accessed around 20,000 paycards' data.
The affected cards are from most of Pakistan's major banks.
We are all familiar with passwords, something you know, and of course these days they're often combined with some sort of second factor, typically something you have, to verify you are who you say you are and that you should be granted access.
The folks at Plurilock Security Solutions aim to take that to the next level, using behavioral biometrics to keep an eye on what you're doing and how you're doing it.
Ian Paterson is CEO at Plurilock.
Behavioral biometrics is the study of how people behave over time.
We're all familiar with traditional biometrics,
using Touch ID or Face ID, using fingerprint scanning, facial recognition.
Behavioral biometrics is intended to be used on a continuous basis where we're constantly assessing
the identity of a person. So for example, the way that you walk has unique characteristics
about yourself. It's called gait analysis. What we're doing at Plurilock is focusing on using behavioral biometrics of how
people type and move a mouse to be able to authenticate them. Now, the history of this is
actually interesting. It dates back to World War II, where telegraph operators could detect who
the other operator was just by the unique speed and cadence of how they were typing on the telegraph machine.
So it's a very early form of signals analysis.
And what we do on keyboard to detect people's speed, rhythm, and cadence actually traces its roots back all the way to World War II.
Wow. So let's dive into that a little bit here.
I mean, what are some of the things that you're tracking and how effective is it?
So we have a solution that is used primarily inside workplaces, and we're able to constantly assess the identity of users on their devices.
So we look at speed, rhythm, and cadence of how people type on a keyboard.
We also look at the X and Y position of a cursor using a mouse or a touchpad. We extract unique biometric markers.
And so some of those markers include how fast you type, how long you dwell on specific keys, the flight time, how long it takes your fingers to go from one key press to the next.
And then on mice, we also look at how you move, how you click, how you scroll, and then the relationship between clicks, movements, scrolls, typing.
And so I suppose there's some kind of a learning process that happens when you're onboarding someone
to get the system to figure out what their normal range of activities is?
It is. So we use artificial intelligence to build a profile of a user. Depending on the environment,
it could be as quick as 20 minutes to build that initial profile, or it could be over several days.
Once we have that profile built, then we're constantly learning and adding to that profile.
So the system is unmanaged, just sits in the background.
In most cases, users don't interact with the system.
It's just constantly monitoring and protecting.
Now, why do you suppose that this sort of thing hasn't become popular up until now?
What's been holding back these specific types of behavioral extra tests?
Well, part of it is it's a hard problem to solve.
Our technical team spent over 35,000 hours of research in the technology itself, even
before we started productization.
We have a core team of data scientists who have spent most of their career around behavioral
biometrics and cybersecurity and are the leading sources in the academic journals where either we're the guys authoring
those articles or we're the ones being cited. So it's a hard problem to solve. It's also resulted
in a lot of IP. So we have a number of patents that are filed in this area. I think that what's
happened in the industry is that traditional identity systems like two-factor authentication, like traditional login and passwords, haven't proved to stop the data breaches. 2017, the Verizon Data Breach Investigations Report suggested that three out of five on average data breaches originated from a weak or stolen password. That was 2016. 2017, that went up to four out of five. So the problem is getting worse, not better. And what we're seeing is that the industry is demanding more and stronger identity defenses that operate not only at the time of login, but also continuously throughout the user session.
That's Ian Paterson from Plurilock Security Solutions.
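The dwell-time and flight-time markers described in the interview can be made concrete. The Go program below is an added example written for this page; it is not Plurilock's code or anything the company has published. It uses constructed keystroke timings, a plain mean absolute z-score distance as a stand-in for whatever model Plurilock actually uses, and an acceptance threshold of 2.0 that is an illustrative choice rather than a tuned one.

```go
package main

import (
	"fmt"
	"math"
)

// keyEvent is one key press with press and release times in milliseconds since
// the session started. All timings in this file are constructed sample data.
type keyEvent struct {
	Key  string
	Down float64
	Up   float64
}

// profile is what enrolment produces and what later sessions are scored against.
type profile struct {
	dwellMean, dwellStd   float64
	flightMean, flightStd float64
}

// extract computes the two marker families named in the interview: dwell (how
// long each key is held) and flight (release of one key to press of the next).
func extract(events []keyEvent) (dwell, flight []float64) {
	for i, e := range events {
		dwell = append(dwell, e.Up-e.Down)
		if i > 0 {
			flight = append(flight, e.Down-events[i-1].Up)
		}
	}
	return dwell, flight
}

// meanStd returns the population mean and standard deviation of xs.
func meanStd(xs []float64) (mean, std float64) {
	for _, x := range xs {
		mean += x
	}
	mean /= float64(len(xs))
	for _, x := range xs {
		std += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(std / float64(len(xs)))
}

// enroll pools several sessions of the legitimate user into one profile.
func enroll(sessions [][]keyEvent) profile {
	var dwell, flight []float64
	for _, s := range sessions {
		d, f := extract(s)
		dwell, flight = append(dwell, d...), append(flight, f...)
	}
	dm, ds := meanStd(dwell)
	fm, fs := meanStd(flight)
	return profile{dm, ds, fm, fs}
}

// score is the mean absolute z-score of a session's timings against the
// profile: near 0 means "typed like the enrolled user", larger means further away.
func score(p profile, session []keyEvent) float64 {
	const eps = 1e-9 // avoids division by zero if enrolment had no variance
	d, f := extract(session)
	var total float64
	for _, x := range d {
		total += math.Abs(x-p.dwellMean) / (p.dwellStd + eps)
	}
	for _, x := range f {
		total += math.Abs(x-p.flightMean) / (p.flightStd + eps)
	}
	return total / float64(len(d)+len(f))
}

// sameUser is the continuous-authentication decision for one window of typing.
func sameUser(p profile, session []keyEvent, threshold float64) bool {
	return score(p, session) <= threshold
}

// typed builds a session from a key string, one dwell time per key and a
// constant press-to-press interval, so the constructed data stays readable.
func typed(keys string, dwells []float64, gap float64) []keyEvent {
	var s []keyEvent
	for i, d := range dwells {
		s = append(s, keyEvent{Key: string(keys[i]), Down: float64(i) * gap, Up: float64(i)*gap + d})
	}
	return s
}

// Constructed data: two enrolment sessions, one genuine probe, one impostor probe.
var (
	enrolSessions   = [][]keyEvent{typed("hello", []float64{90, 100, 110, 100, 95}, 200), typed("world", []float64{105, 95, 100, 90, 110}, 210)}
	genuineSession  = typed("pass", []float64{100, 95, 105, 100}, 205)
	impostorSession = typed("pass", []float64{50, 55, 45, 50}, 300)
)

func main() {
	p := enroll(enrolSessions)
	fmt.Printf("profile: dwell %.1f±%.1f ms, flight %.1f±%.1f ms\n", p.dwellMean, p.dwellStd, p.flightMean, p.flightStd)
	fmt.Printf("genuine  score %.2f accept=%v\n", score(p, genuineSession), sameUser(p, genuineSession, 2.0))
	fmt.Printf("impostor score %.2f accept=%v\n", score(p, impostorSession), sameUser(p, impostorSession, 2.0))
}
```

The point a practitioner should take from this is where the security lives: the impostor types the same word with the same keys, and is rejected only because the timing distribution does not match. A deployable system would use far more features (per-key and per-digraph timings, mouse velocity and click rhythm as Paterson lists), would update the profile over time to absorb drift, and would tune the threshold against measured false-accept and false-reject rates rather than a fixed constant.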
With next month's Chrome 71 release,
Google will give abusive advertisers 30 days to clean themselves up or face ejection from the company's advertising service.
This is going to be easier said than done.
Misbehaving ads include ones that block content, keep users from scrolling, blast through settings that would mute autoplay, and so on.
But it also includes serious criminality, phishing, waterholing, tech support scams,
and so on.
How Google will wrangle this stuff remains to be seen,
and the 30-day limit may represent a quiet acknowledgement
that Mountain View, which depends upon advertising,
grasps the difficulty of the challenge.
Krebs on Security reports that the U.S. Secret Service is circulating internally
a warning that its field offices have observed an uptick in criminals abusing weaknesses
in the U.S. Postal Service's Informed Delivery Service to commit identity theft and credit card fraud.
Informed Delivery enables recipients of letters to view scanned images of inbound mail.
Criminals have been able to use the service to watch the incoming mail of potential identity-fraud victims, stealing mail containing, for example, credit cards from mailboxes before the recipient can pick it up.
This has continued despite the Postal Service's recent attempts to increase security and make
it easier for people to opt out of the service.
One wonders if this particular form of crime won't fade with traditional mail delivery.
Informal checks suggest to us that the U.S. mail now consists mostly of advertising,
sprinkled with a few magazine subscriptions and the occasional wedding invitation,
the way landline phone calls seem increasingly dominated by robocalls.
Speaking of which, the U.S. Federal Communications Commission
is scolding and nudging phone companies to do more against robocalls.
FCC Commissioner Pai, in a letter to voice call providers Monday, said, quote, combating illegal robocalls is our top consumer priority at the FCC. That's why we need call authentication to become a reality. It's the best way to ensure that customers can answer their phones with confidence. By this time next year, I expect that consumers will begin to see this on their phones. End quote.
The FCC's preferred anti-robocalling framework, which it's urging on the telcos, has the vaguely James Bondian name SHAKEN/STIR, which stands for Signature-based Handling of Asserted information using toKENs, that's SHAKEN, and Secure Telephone Identity Revisited, which would be STIR.
The framework digitally validates phone call handover as calls pass through various networks in a way that makes it possible for the company serving the recipient to verify that the call is from the person represented as making it.
There are interesting analogies between this framework and the work on transparency and against coordinated inauthenticity currently in progress among social networks.
For now, SHAKEN/STIR is voluntary, but the FCC suggests that if the phone companies don't get on board, it may become compulsory.
And finally, we close with another postal story, this one from our neighbors to the north.
The Ontario Cannabis Store warns that its delivery list for newly legal weed has been illicitly accessed due to missteps at Canada Post.
Some coverage seems to show signs of the Butterfield effect,
representing a fairly obvious causal connection as paradoxical.
A new and trendy industry finds itself under cyber attack,
which of course it does.
Fashionable, only recently legal, young companies?
Of course they're going to be of interest to cyber criminals.
That's not the case with Canada Post, naturally, which has been mushing around to deliver the letters since its founding as Royal Mail Canada back in 1867. So they've been around the block a time or two.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com/careers to learn more.
GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Dr. Charles Clancy. He's the executive director of the Hume Center for National Security and Technology at Virginia Tech.
Dr. Clancy, it's great to have you back.
You sent over an article from the Los Angeles Times.
This is written by David Lazarus.
And the title is, It's time cell phone signal jammers were installed in people's steering wheels.
I can't help thinking that you probably have some issues with this notion.
Yeah, I think that the challenges would be tremendous.
First of all, operating a cell phone jammer is illegal.
Let's assume we can get past that point.
Well, let's start off by describing what they're after here, why they think that possibly having extremely low-reach jammers might improve safety when it comes to cell phone use in cars.
Well, the concept, of course, is texting and driving and other forms of distracted driving are a major safety issue on the road.
And if we had a way of blocking people's cell phones, then we'd be in a better position.
People wouldn't text and drive. People would drive more safely.
That's the fundamental premise. In order to accomplish that, though, you need to extend a bubble of jamming that only affects the driver of an individual vehicle. And there's a huge technical challenge there in being able to calibrate the power level in order to only affect that one very localized spot.
So, I mean, is this the kind of thing where there could be more practical solutions?
I know, for example, Apple has something in iOS that will allow you to opt in. If it senses that
you're using a Maps app or traveling at a certain speed, you can have things like text automatically
get put on hold until you finished your trip.
Exactly. The more proactive solution is to find automotive technology that will integrate with people's phones in order to more safely engage the user in that phone. So for example, easy to configure, easy to use, hands-free was a huge technology gain for the industry. And now most people are not holding a phone to their head. Of course, we still have challenges of texting and emailing. If there's ways to figure out how to delay delivery of those texts or find other ways in which the user can interact with that data in a more safe way, I think that's the more proactive solution.
Of course, we're also looking down the road towards self-driving and autonomous and connected vehicles. So having jammers in steering wheels would cause problems when your automobile is using the cellular network to do autonomous navigation and things of that nature.
So we generally don't want to jam the airwaves because we want cars to be able to connect to
the internet so that we can support a lot of the autonomy features.
And if your car is able to do adaptive cruise control and lane assist and becomes increasingly autonomous, then, again, safety goes up significantly.
Yeah, and the FCC doesn't take kindly to these sorts of things.
In this story, they point to a gentleman who was hit with a $48,000 fine for playing around with his jamming device.
Indeed, yes. Under the Communications Act of 1934, it is illegal to operate a jammer, cell phone or otherwise, unless you are the federal government. So not a good idea.
All right. All right. Well, we'll hold off for more practical technical solutions.
Dr. Charles Clancy, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.