CyberWire Daily - Revisions to the US VEP (and comparisons to China's). DPRK hacking. Laurel mole hunt. BlueBorne is back. Snakes in the Play Store. Can you sound like a child?

Episode Date: November 16, 2017

In today's podcast, we get an update on the US Vulnerabilities Equities Process, which now promises more transparency, accountability, and stakeholder representation in handling zero-days. A look at China's equivalent… doesn't. Worries about North Korean hacking. Mole hunting at Fort Meade. BlueBorne bugs in home assistants. More malware in Google Play. David DuFour from Webroot on the importance of communication with the board of directors. Roy Katmor from enSilo on attacks using social engineering. And how to get around that pesky voice recognition software.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 An update to the U.S. Vulnerabilities Equities Process promises more transparency and accountability in handling zero days. A look at China's equivalent doesn't. Worries about North Korean hacking, mole hunting at Fort Meade, BlueBorne bugs
Starting point is 00:02:10 in home assistants, more malware in Google Play, and how to get around that pesky voice recognition software. I'm Dave Bittner with your CyberWire summary for Thursday, November 16, 2017. The U.S. released publicly revisions to the Vulnerabilities Equities Process, VEP, the policy that governs when and under what circumstances U.S. agencies will disclose zero days they discover. This means the intelligence community, for the most part, especially NSA. The principal effects of yesterday's White House announcement, which has received generally positive reviews, are said by cybersecurity coordinator Rob Joyce to be
Starting point is 00:02:56 greater transparency, more accountability, and better stakeholder representation in the process. A large number of agencies are represented in the process. The intelligence community members aren't surprising. They're generally thought to collect zero days and develop them into tools or produce countermeasures against foreign organizations that might do so. And these include the Office of the Director of National Intelligence, the Department of Justice, the FBI, the National Security Agency, U.S. Cyber Command,
Starting point is 00:03:26 other Department of Defense agencies, and the Central Intelligence Agency. Other organizations represented in the process are less commonly thought of: the Office of Management and Budget, which represents the defense security interests of government systems; the Treasury Department, there for the banks; the Energy Department, looking out for the power grid; the Commerce Department, which is there to represent the private sector, including tech companies; the State Department, which keeps foreign interests in mind; and the Department of Homeland Security, not only for the security of the .gov domain, but for critical infrastructure generally. As noted, the response to the announcement has been generally positive,
Starting point is 00:04:06 at least on the part of those one would expect to advocate for transparency and accountability. Both the Mozilla Foundation, which you'll associate with the Firefox browser, and the Center for Democracy and Technology's Freedom, Security, and Technology Project were favorably impressed. They appreciated the role of non-IC agencies and the promise of regular reports on the VEP. In fairness to the previous administration, Joyce's predecessor as cyber czar, Mitch Daniels, had always insisted publicly that whole-of-nation equities were represented in the process and that the default was disclosure. And Joyce, in his discussion, said that the announcement represented continuity as much as it did change,
Starting point is 00:04:48 and that the U.S. government really hadn't been in the business of stockpiling zero days. But what those who applauded the announcement, like the Center for Democracy and Technology, found appealing was the public, formal description of the process, which they regard as a significant advance in transparency and accountability. Past criticisms of the VEP have come from two sides. Some, suspicious of the potential for government overreach, thought the process too closed and likely to be too biased in favor of surveillance operations. Others were shocked by how leaky WannaCry and the Shadow Brokers showed highly secure agencies to be.
Starting point is 00:05:26 On the other side of the issue, critics said that the VEP amounted to almost a kind of unilateral disarmament, and that in any case it was no part of Fort Meade's job to become a free quality control shop for the likes of Microsoft, Google, and Apple. We shall see how the newly revised process plays out, but for now, the reviews seem good. So how does the competition do business? A report published this morning by Recorded Future took a look at how China manages its national vulnerability database. The researchers found that China's Ministry of State Security, the MSS, seems to call the shots in a fairly unchallenged way. As they put it in their executive summary,
Starting point is 00:06:14 Recorded Future analysis has uncovered evidence of a formal vulnerability evaluation process at CNNVD, that's the National Vulnerability Database, in which high-threat CVEs, Common Vulnerabilities and Exposures, are likely evaluated for their operational utility by the MSS before publication. The useful vulnerabilities are exploited then, while the state slow rolls their disclosure. Turning to a country where there's little pretense to disclosure, observers see a recent increase in North Korea's cyber operational tempo, and think this could represent a possible indication that Pyongyang is preparing to wage a wider cyber war. And of course, questions about leaks from NSA,
Starting point is 00:06:52 mostly those peddled by the Shadow Brokers, are among the concerns that have produced controversy over the very notion of zero-day hoarding. Those leaks have also led to speculation about a mole or moles remaining on the payroll at Fort Meade. Kaspersky Lab, hardly a disinterested party but not to be dismissed out of hand either, has released the results of an internal study that suggests the much-discussed NSA worker's laptop that was protected by Kaspersky software was in fact riddled with other malware,
Starting point is 00:07:22 and that such malicious code, and not a Kaspersky security product, was the root cause of any compromise. This is unlikely to change many minds within the U.S. government over the expulsion of Kaspersky security products from federal systems. Targeted spear phishing attacks continue to grow in sophistication, taking advantage of the human factor to circumvent technical countermeasures. Roy Katmor is CEO at security firm enSilo, and he offers his views on social engineering. If you're looking at most of the attacks, they will start by a human intervention kind of triggering activity.
Starting point is 00:08:00 There are seamless malicious activities triggered by malware ties and what we call run-by malwares, but most of them, if you're looking at the major infections today, are triggered by a user interaction. And it seems like time and time again, when these are described, that the HR department seems to be a target. Can you take us through some of the types of attacks that people use when they're targeting HR? If you're looking into targeted phishing attacks, as opposed to kind of just the spam errors all over, you will find that HR department and administration in general are a fertile ground to be the target. And the reasons are very simple. Making it a very credible email is pretty
Starting point is 00:08:47 simple when it comes to HR. I think that basically each and every company have their own public way of recruiting people. Recruiting is becoming a huge effort, especially in today's kind of ecosystem. And of course, the social media are becoming the best way to recruit and fast and spread the word. And by having some, it's going to be very easy for somebody to target an organization that is currently hiring by sending a spear phishing email that will have the exact position. A resume inside that could be, of course, include some kind of an exploited document encapsulated within a normal document with the right name, the right job application, and, you know, overall, it looks legit. Now, is this also an effective way for the bad guys to work around defense mechanisms that people might have in their corporate networks?
Starting point is 00:09:39 I'm imagining, you know, if I'm trying to, pretending to try to recruit someone, I could say to that person, hey, I don't want to send this to you on your corporate email. Let me send it to you on your Gmail account. But then they may still download that attachment to a corporate computer. Yes. Very good point. Now, think about that. You know, another point.
Starting point is 00:10:00 So we mentioned why HR is such a nice target. So we said first, it's easy to sound credible. Right. You've got the name, you've got the job, you've got the entire relationship and social connections. That's a one. And the second is, of course, the confidentiality around searching for a job. So a lot of people obviously don't want to use their corporate emails when they're applying for a job or interested in listening to a job. And of course, one of the first things to do is to get offline to a private email address. That makes it harder for, you know, one, if you have an anti-spamming or other kind of filtering tools, it's going to work if you're going to go to a private. And obviously what the same thing is going to do that you most likely going to work on the same device, which makes it easier to go
Starting point is 00:10:49 through these filtering tools that are mail related. So what do you recommend in terms of both policy and training? What are some of the best ways that companies can help prevent these sorts of things? So three points. One, be aware. That's kind of education. Make sure that you're getting the right intelligence on each and every one of them. Check the background. The second, patching. Keep your systems patched as much as you can. It may not help you in the first wave being patient zero, but it will definitely help you on the patient one and second following waves they're going to come. And third, focus on the consequences. Where is your soft belly?
Starting point is 00:11:29 What do you really need to protect against? Is it the infiltration? Is it them being in? Or the consequences, the data-related consequences that you need to prevent and protect in real time. That's Roy Katmor from enSilo. Armis Labs reports that Amazon Echo and Google Home are both susceptible to the Bluetooth vulnerability reported earlier this fall as BlueBorne. Echo is vulnerable to remote code execution in the Linux kernel and to information disclosure in the SDP server. Google Home has information leakage issues via Android's Bluetooth implementation. This bug can also be exploited to induce a denial of service condition.
Starting point is 00:12:11 Google's Play Store has seen a wave of malicious apps that have succeeded in bypassing the safeguards Mountain View has put in place to protect the store. Dr.Web found a hidden browser that's used by hoods to goose their ad impressions. Malwarebytes discovered an SMS trojan, targeted only at users in Asia, that subscribes them unwittingly and unwillingly to premium phone services. McAfee found over 140 applications infested with Grabos malware, which apparently serves a fraudulent pay-per-install app scam. Most of the apps infected by Grabos have been audio players or mp3 downloaders. And ESET has discovered some multi-stage evasive malware lurking in
Starting point is 00:12:52 innocent-appearing apps. With all of these, the wall around the Play Store's walled garden is looking a lot like a chain-link fence. The snakes seem to be sliding right through. And finally, researchers at the University of Eastern Finland, which we think is close enough to the North Pole so that they should know a thing or two about how children sound when they talk to Santa Claus, report a way of defeating voice recognition software designed to keep known fraudsters from interacting with banks.
Starting point is 00:13:20 The software amounts to a kind of blacklist, as in, we know that's you, Harkonnen. You're not fooling anyone here, no sir. You've got to get up pretty early in the morning to put one over on us, etc. But you can get around those systems by making your voice sound like a little kid's. Like this. Alexa, please send me a Nintendo Switch. Well, the little guy's got a birthday coming up.
Starting point is 00:16:40 And I'm pleased to be joined once again by David DuFour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back. You know, something we talk about a lot is the importance of communication between folks on the board and folks on the technical teams. You got some advice for people who might not be so technically minded who want to talk tech. Yes. First of all, thank you for having me back, David. With Equifax having recently happened, you see a lot of times where boards or senior executives aren't as plugged in as they should be on what's going on in terms of cybersecurity and how to prevent it. And what I see a lot, you know, I'm kind of in the middle there. I see a lot of times the security professional or the person they've hired to bring in is so technically focused. And they're going to walk into a company and say, I need $20 million to make us secure. And the company just made $30 million in profit last year. So they're not about to spend $20 million of it on implementing a cybersecurity solution.
Starting point is 00:17:46 So what I'm trying to help people understand and be aware of, and it's very common, very basic things, is you've got to identify a person inside of an organization that can help put messaging together that resonates both up to the executives where there's potentially a plan on we're going to need to spend 20 million, but if you give me one million, I can get us this far, which moves us towards our goal. And then also be able to communicate down to that person who comes up with these ideas that, hey, we've got to approach this in bite-sized chunks. What's the most effective way that we can tackle things early on to make the biggest splash to ensure we're driving towards our security goal? It's all about communicating. Well, isn't a large
Starting point is 00:18:32 part of it as well about being able to put it in terms of risk? You have said a mouthful with that sentence. I spend a lot of time with small businesses, large enterprises. You know, I'll be speaking to an MSP group and they're like, well, we need to set up a SOC and we need to do analysis. And I say to them, you know, if you are working with a customer as an MSP that supports a welder in central Oklahoma, they probably don't need a security operations center. What they probably need are solid backups and a good antivirus solution to protect their environment. And if there is an incident like ransomware, because they don't want to pay that ransom, all you got to do is restore from the backup. And if you're worried about data exfiltration at a welding shop in central Oklahoma, you're probably overanalyzing the security threat. Because unless they're doing some type of new, you know, protected, patented welding technology, there's probably a lot they don't need to worry about short of having good backups and having a basic security posture.
Starting point is 00:19:41 David DuFour, thanks for joining us. Thank you, David. And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
