CyberWire Daily - Spectre and Meltdown patches may be messy, but not as performance-killing as feared. AMT exploit. Mobile ICS apps. Monero mining. Badness in the Play Store. Huawei ban? Droning while drunk.
Episode Date: January 12, 2018. In today's podcast, we hear that Spectre and Meltdown have continued to receive patches, and they may not be as performance-killing as feared. F-Secure says if you leave your laptop alone it could be pwned in 30 seconds. Mobile ICS apps seem to be getting less, not more, secure. Google boots more bad stuff from the Play Store. Monero miners afflict unpatched Oracle WebLogic servers (so patch). The US Congress considers a Huawei ban. Johannes Ullrich from SANS and the Internet Stormcast podcast on IoT gifts. Guest is Phil Reitinger from the Global Cyber Alliance, an international, non-profit organization headquartered in New York City and London that is focused on eradicating systemic cybersecurity risks. And New Jersey is considering solving one of its biggest problems: droning under the influence. Sprung from cages on Highway 9 or not, don't try that on the turnpike, kids.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
In today's podcast, we hear that Spectre and Meltdown have continued to receive patches, and they may not be as performance-killing as feared. F-Secure says if you leave your laptop alone, it could be pwned in 30 seconds.
Mobile ICS apps seem to be getting less, not more secure.
Google boots more bad stuff from the Play Store.
Monero miners afflict unpatched Oracle WebLogic servers.
The U.S. Congress considers a Huawei ban.
And New Jersey is considering solving one of its biggest problems,
droning under the influence.
Sprung from cages on Highway 9 or not, don't try that on the turnpike, kids.
I'm Dave Bittner with your CyberWire summary for Friday, January 12, 2018.
Spectre and Meltdown remained very much in the news.
AMD yesterday revised its estimate of how susceptible its chips were to Spectre.
The company had at first thought not very, and then maybe a bit more,
but only to one of the two Spectre vulnerabilities.
But AMD now believes they're severely affected by both of the Spectre vulnerabilities.
They've promised to get a patch out as soon as possible.
The other players, notably Intel and Microsoft, but many other vendors as well,
continue to work on fixing Spectre and Meltdown. The performance penalty the patches will impose is now becoming clearer, as Ars Technica reports. It's troublesome, but it seems less alarming than
initially feared. Initial fears estimated the performance loss at around 30%,
but it now seems clear that for most workflows,
it will be a shade under 10%,
which means that most users won't notice much change at all.
F-Secure researchers have demonstrated a way
to exploit Intel's active management technology
that enables them to bypass BIOS and BitLocker passwords.
The security company says that it's found that exploitation could let an attacker take control
of a device quickly in under 30 seconds. The under 30 seconds is a bit of FUD, maybe,
however true it might be. We're reminded of the old movie Gone in 60 Seconds, whose trailer
featured the slogan, "You can lock your car, but if he wants it, it's gone in 60 seconds."
But if it serves as a word to the wise, that's all to the good, and there's a point to it
as well. Exploitation requires physical access to the targeted device, and a lot of people tend to
dismiss such exploits as just junk hacks. But under 30 seconds means there's the potential of a real
threat here. So if you were to leave a laptop alone for an innocently short period of time,
a trip to the lavatory, say, if you take those,
or if you perch the laptop on the nearby table while you're grabbing something from a buffet line,
or if you leave it unattended in your hotel room where an evil maid could reach it,
or if you ask that friendly fellow traveler to watch it for a minute while you step out for a smoke,
your device could be pwned in 30 seconds.
Yes, we know you wouldn't do any of those things.
And yes, we know you don't smoke either.
But you might ask about such things for a friend.
So here's what that friend should know.
Intel AMT is built into Intel CPUs so that the system administrators can monitor, update, upgrade,
or otherwise maintain personal computers on their network.
If you leave your device unattended, someone could press Control-P during boot-up,
select the Intel Management Engine BIOS extension for the boot-up routine, and so bypass various logins.
Sure, there's a password for that extension, but alas, most organizations leave the factory default in place.
That default is the not-so-very-hard-to-guess "admin." Once admin is in, admin can have their way with the machine.
There are a few things your friend could do. First, configure AMT so
it requires an actual password. Second, don't leave the laptop lying around in, say, a port authority
or on a side table in Hobo Joe's River Creek Crab Shack.
And third, if they don't need it, they might just disable AMT on their device.
IOActive and Embedi have identified 147 vulnerabilities in 34 mobile applications
that are widely used to interact with industrial control systems.
The 34 Android applications tested were randomly selected from the Google Play Store.
Here's what the researchers found.
Code tampering in 94% of the apps, insecure authorization in 59%,
reverse engineering in 53%, insecure data storage in 47%, and in 38% insecure communication.
This is all worse than what they found in a comparable study during 2015.
There's been an average increase of 1.6 vulnerabilities per app.
Google has ejected more malign apps from the Play Store.
One, a phony Telegram app, is a spamming tool.
The others, some 60 of them,
are infected with adult swine malware
that serves up indecent graphic ads
to, among others, children.
Monero miners are being installed
in unpatched Oracle WebLogic servers.
If you operate one or more of those,
please do patch it.
The up-to-date versions aren't being exploited.
The U.S. Congress is considering legislation that would bar federal contractors from using Huawei equipment.
The concern is security, and it looks as if Congress may be leading Huawei down the same path they took Kaspersky.
Remember, GDPR, like winter in the Game of Thrones, is coming.
The White Walkers, actually we mean the EU officials,
say people are good and lucky that Spectre and Meltdown didn't come to light
after GDPR came into full effect this coming May.
If they had, then some companies would have been facing fines.
So remember, winter is coming this May.
And finally, to all of our friends and listeners up in the Garden State,
take care and beware.
New Jersey is considering passing a law against drunk droning.
That's right, if you're in, say, Teterboro or South Hackensack
with a blood alcohol level of 0.08% or worse,
put down that quadcopter and just walk away.
So enjoy your Bolero snort blackhorn, but enjoy it responsibly.
Don't be like that guy in Norway who was drunkenly bothering moose, or the Florida
droner who buzzed alligators when he was tipsy.
Leave those raccoons, bears, whatever, alone.
And joining me once again is Johannes Ullrich
from the SANS Technology Institute
and the ISC Stormcast podcast.
Johannes, welcome back.
You know, we've just made our way through the holidays,
and so people will have been getting gifts
and maybe regifting some of those gifts.
You have some security tips when it comes to that.
Yeah, one of the issues that we keep seeing popping up around the holidays is computer equipment, USB drives,
and in one case, actually also things like USB picture frames that come pre-installed with some
additional goodies. We sort of call them the certified pre-pwned kind of gifts
that you can give to your family. What kinds of things do people have to be careful of? And how
can you know if something that you've received has something bad on it? Well, probably the safe
thing to do is whenever you receive something, even if it's shrink-wrapped in many cases,
clear it out, do a factory reset
before you connect it to any of your systems
and essentially treat it as a hostile USB drive.
Just like you wouldn't have a USB drive
that you find on a sidewalk.
Essentially, these devices and cameras
and everything that connects to the USB connector on
your PC behaves kind of like a USB drive, so you may inadvertently start software
that someone has pre-installed. We've seen a number of cases, for example, where
in the factory malware was installed because a quality control system was infected.
But sometimes what's also happening is that someone tries out a product, probably infects
it, and then returns it to the store.
And the store sometimes puts it back on the shelf without wiping the system.
So it may already have data that whoever used it last put on it. And that data is
not always beneficial to you. What about, you know, giving devices like this access to your
Wi-Fi network? A lot of them request that. Should we segment the network to protect ourselves
against them? That's, of course, ideal if you can do that. A lot
of people can't necessarily do it, but many of even the home network access points have a guest
network that you can use for that. Right, so connecting to a guest network first, and then again,
you do a factory reset first, then download the latest firmware if there's an update for it, and often there is, because these devices
have been sitting on the shelf for a while. So get it configured, get it set up, become a little
bit comfortable with the device. If you have the capability, by all means look for traffic going
in and out from the device. I had, a year or so ago, a little weather station that sent my Wi-Fi password back to the manufacturer.
So you certainly want to be a little bit careful there, depending on how much you want to geek out with this.
But the more checking you can do on it, the better.
Yeah. All right. Good advice as always.
Johannes Ullrich, thanks for joining us.
My guest today is Phil Reitinger.
He's the president and CEO of the Global Cyber Alliance, a non-profit founded in 2015.
Previously, Mr. Reitinger was appointed to serve as the Deputy Undersecretary for the National Protection and Programs Directorate and the Director of the National Cybersecurity Center in the U.S. Department of Homeland Security.
Prior to that, in the private sector, he was Sony's Senior Vice President and Chief Information Security Officer from September 2011 to September 2014.
We're headquartered in New York City and London, but unlike a lot of other bodies, we don't do reports and recommendations. Our focus is on actually implementing measures to
reduce systemic cyber risk. So our goal is to find a problem where there appears to be a solution
that's not being broadly deployed, and then we bring the right coalition
of people and resources and capabilities together to see if we can drive actual implementation of
that solution and then measure how effective it is. So we try to solve problems one problem at a time.
And so the fact that you're a nonprofit, how does that benefit your efforts?
It means that we're not out in the game to try and build a market.
We're trying to get solutions out there, which lets us work with other nonprofit entities,
with governments, and with private sector companies who may have their own interests.
For example, one of the things we've done is work very strongly to drive global deployment of an email authentication
protocol called DMARC that can stop spoofed email phishing in its tracks. So there are companies
that work in that space. There are a lot of entities that depend on DMARC and governments
can deploy it too. And being a nonprofit, we're not in there to make a business long-term. We're
just in there to try and get everybody to deploy this so people can be safe from phishing. Yeah, I mean, take us
through the methods that you use. Are you actually, do you have developers working in-house or are you
partnering with other people? So we partner with about 200 different companies and government
entities and nonprofits around the world. So we rely a lot on
contributions from them. But again, unlike a lot of nonprofits, we do have a development shop. So
we don't have to depend on other people to write the code for us. We've got a group of people,
if a solution needs code, who can write the code. So for example, one of the things we did in DMARC
is to try and make this email authentication mechanism easier to deploy,
is we built a wizard that can take you through the process of deploying not only it, but the other protocols like SPF on which it depends.
So we wrote the code that does that, and we're able to get that out there, make it available to everyone,
and we're able to do it as the global cyber alliance in an international way.
So that wizard is now available in 13 different languages.
You all have sort of an interesting origin story.
Your original funding came through New York, I believe, and it was some civil forfeiture money, yes?
That's right. Originally funded, our seed money, if you will, is from the Manhattan District Attorney's Office, which allocated to us seed funding of up to $5 million a year for up to five years from asset forfeiture funds.
So money that was taken as a part of a fine is being used to help prevent cybercrime. And the reason the Manhattan District Attorney, along with our
other two co-founders, the Center for Internet Security and the City of London Police founded us
is all of them have become convinced that we can't sort of deter our way out of this crisis.
Prosecutions and threats alone are not going to get people to stop hacking. We've actually got to do a much better job of preventing cybercrime.
And so the DA, who is the principal funder, Cyrus Vance Jr., the Manhattan District Attorney's Office, wanted to invest some of the money from proceeds of crime into trying to prevent crime.
And your focus since your startup or one of your focuses has been phishing.
You know, it strikes me with phishing being such a, well, there's such a human factor in phishing,
the ability to fool people into clicking on the things that they shouldn't click on.
What's your approach to trying to tackle the phishing issue?
Phishing obviously takes a number of different approaches.
The way we think about issues is new training, I think,
is important for people, but you're never going to train your way out of the phishing crisis.
You know, about well over 90% of intrusions start with a phishing attack. And phishers have gotten so good, and I'm sure you've seen this, they can produce phishing emails that fool the strongest experts. So our approach is on any project to try and
build protections into the ecosystem, if you will, so that you get security with connectivity, that
you don't have to do anything extra special. You can just enable something and then go forward. So
what DMARC does is DMARC is a sort of a technical means that if your web mail provider or your
email provider has deployed it, and chances are very, very good that it has, and the company
sending you the email has deployed it, then you can't get spoofed from that company anymore.
So if your bank has deployed DMARC, it doesn't matter whether you get a really good phishing email or not. If it appears,
if it is stated to come from bank.com, the bank that you are using, and they've deployed DMARC,
if they've done it the right way and your provider's done it the right way, that email
will go straight to trash or be marked as spam, regardless of anything you do. The other thing we did is build
a global, with several partners, including Packet Clearinghouse and IBM, build a global
Anycast DNS infrastructure that's now operating under the name Quad9. So if you've heard about
Quad9, we were one of the builders and founders of that. That operates on the notion, for example,
let's say you click on a link in a phishing email that you should not have. If that takes you to a
bad domain and Quad9 knows it's a bad domain and it knows a lot of things are bad domains,
then you simply don't go there. You get what's called an NX domain. You are not routed to the
bad site. So despite that you've made a mistake, you're not
taken to the phishing site or malware is not downloaded. So they're protecting the users from
themselves as an intermediary, if you will. Very much. Automatic protection is required.
And it's not because users who don't know better make mistakes. It's because everybody makes
mistakes. We're humans. We've actually,
you know, we've gotten so much better in the physical ecosystem at building protections in,
you know, it's when you buy a car in the US, you get seatbelts and you get airbags. And that's
true around the world. We've got to put the same sort of protections on the internet. So people
who are not cybersecurity professionals can be reasonably
secure, even if they're not paranoid. And right now, it really takes paranoia.
So in terms of success, how do you all measure if the job that you're doing is making a difference?
We're continuing to work on that. Right now, we measure what we can. So for DMARC,
the thing that we measure the most right now is how many people
use our wizard to deploy DMARC. And that's been about 3,000 domains that have taken a look at
our wizard and then deployed DMARC at an effective level. Our calculation, so that's a very effective
return on investment. We're also looking at how broadly we're affecting the ecosystem, which
is hard to cause, you know, tie directly to us, but we're a part of a coalition. So, you know,
one of the things that happened recently that we're very pleased with is the U.S. government
actually required all civilian government agencies back in October to, as a part of a number of
different things, deploy DMARC. And so we are measuring how far along Homeland Security
and all of the departments and agencies in the U.S. are coming towards getting to that conclusion.
And they're roughly about halfway there with a week and a half to go to meet the first deadline.
So they've got a long way to go, but they're making much better progress than they did before. For things like DNS, we can measure how many things we block, how many calls to the service
we're getting. And right now, Quad9, thanks to the publicity from the launch back in November and how
effective the service is, is not only getting rave reviews, its usage is taking off around the world.
So in terms of partnering with people, who are you looking to reach out to and what's the best way for them to get in touch with
you? We're looking to partner with entities that really want to put some effort into working on
cybersecurity and solving real issues. So, you know, we're not a talk shop. We've done an event
or two, but that's not what our core business is. Our core business is actually implementing
these things that solve problems. We are happy to have people come and join as a partner. We're
actually not a pay-to-play organization. So we accept partners regardless of ability to pay,
as long as they want to invest resources,
whether it's expertise or help with publicity, into the effort. We do ask people, entities that want to join, to put some effort in. And of course, we'd love to have contributions. Anyone
who can make a real difference and wants to work on these issues and solve problems is welcome to
join. To get more information, you can visit our website, which is www.globalcyberalliance.org.
And you can get more information by sending an email to info at globalcyberalliance.org.
That's Phil Reitinger from the Global Cyber Alliance.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben. Thanks for listening.
We'll see you back here tomorrow.