CyberWire Daily - The CyberWire 1.11.16
Episode Date: January 11, 2016Learn more about your ad choices. Visit megaphone.fm/adchoices...
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash policymakers look for technical fixes to jihadist information operations, but the jihadist's message is also being carried on dead trees. Some major vendors
patch their products, but remember, support for older versions of Microsoft's Internet Explorer
ends tomorrow. I'm Dave Bittner in Baltimore with your CyberWire Daily Podcast for Monday, January 11, 2016.
As expected, the emerging consensus over late December's rolling blackouts in western Ukraine
moved decisively towards the conclusion initially reached by ESET and iSight partners
that the affected Oblast grid sustained a cyberattack.
The SANS Institute's Influential Industrial Control Systems blog says, systems, turning them on and off at will. Other bits of malware, including the much-commented-on
KillDisc component of the Black Energy Kit and other attacks, like the telephony denial of
service the affected utility suffered, served as misdirection. Ukraine's government expects to
comment on the power grid hack after it finishes its investigation, which it expects to complete
on January 18th. If indeed this incident represents a state-mounted cyber attack,
what sort of response would be proportionate and justified?
This question arises when considering many incidents.
Take, for example, the recently discovered Iranian incursion into dam control systems in Rye, New York.
Just Security, from the Center for Human Rights and Global Justice at New York University School of Law,
considers whether that episode should be considered an act of war.
Their short answer is no, but the question is, as they say, complicated.
The Talon Manual, which has emerged as an influential guide to NATO thinking on the
matter, holds that a cyber attack need not be physically destructive to constitute, quote,
use of force, but also stop short of drawing any bright lines in the matter.
And so the conclusion in the just security piece is that the Rye incident wasn't an act of war,
but that it also could warrant what lawyers call retortion, a response that's at once
unfriendly and lawful, perhaps comparable cyber reconnaissance. German intelligence services
resume cooperation with U.S. services
after an interruption brought on by objections to U.S. electronic surveillance of German
and other friendly European targets. A group of jihadis based in Germany have begun publishing
a magazine devoted to cryptography. While explicitly denying adherence to ISIS, the
publishers nonetheless expect their work to be useful to colleagues in cyber-jihad.
The focus of such jihad continues to remain inspiration, which falls within the realm of
information operations, and how to counter the ISIS narrative remains a conundrum for opposing
security services. Counter-narrative operations appear on early reports to have been a point of
interest in Friday's White House outreach to Silicon Valley, with particular emphasis on denying ISIS inspiration its platform in social media. But it may be wayward to conceive of this
as principally a technical challenge. The Daily Beast, for one, points out that the decidedly
old-school, dead-tree ISIS magazine Dabiq enjoys a wide following. The message in this case seems
to trump the medium. Among social media firms,
Twitter especially finds itself between a free speech rock and a counter-terror hard place.
Its contretemps with Turkey's government over Kurdish pro-independent tweets
shows the practical impossibility of accommodating irreconcilable interests.
Nothing new over the weekend from Anonymous and its declared war on ISIS,
but the anarchist collective did find time to hit Nigerian government sites to protest what Anonymous views as that government's
corruption. In the UK, Labour opposition leader Jeremy Corbyn's Twitter account was briefly
hijacked to express a range of puerile, semi-obscene commentary on the news of the day.
Corbyn and Labour have since rested control of the account.
The Ravniks Trojan continues to worry Japanese banks.
That nation's distinctive language no longer serving as an effective linguistic moat around its financial system.
Other countries go on their guard against similar Ravniks infestations.
GPS, the global positioning system managed by the United States,
has long enjoyed a security advantage over the competing GLONASS and Galileo systems, but an increase in GPS blocking and spoofing tools has
begun to erode that security. Passcode reports on plans to shore up GPS through development of
backup systems. Users of social media are again cautioned against oversharing, which can render
them vulnerable to social engineering, password or security question guessing, and other threats.
And a long piece in the New Yorker on confidence games offers an occasion for reflection
on how very old forms of fraud find new outlets in cyberspace.
Brian Krebs takes an interesting look inside the boiler rooms of cyber criminals' call centers.
Fluency in the Marx native language is at a premium.
Juniper Networks is dropping its
reliance on a weak backdoored encryption scheme. Mozilla deals with the consequences of too hasty
SHA-1 deprecation, consequences which Google, in contrast, seems to have anticipated. VMware and
Apple both issue security upgrades. And tomorrow marks the end of Microsoft support for versions 8, 9, and 10 of Internet
Explorer. The U.S. National Highway Traffic Safety Administration finishes its study of last year's
proof-of-concept hack of Jeep vehicles. They conclude that only Jeeps were vulnerable, but car
manufacturers continue to show increased sensitivity to hacking. General Motors has asked security
researchers to help it look for and fix automotive software bugs.
In legal news, Romanian police, with an assist from Europol, take down a major ATM hacking gang.
In the U.S., there's more trouble over the classification of former Secretary of State Clinton's emails.
Judges find lack of precedent complicating the sentences they hand down for convicted hackers.
complicating the sentences they hand down for convicted hackers.
Lack of precedent seems to trouble the courts in a way analogous to that in which lack of actuarial data troubles insurance companies trying to price cyber risk transfer.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's
the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and
ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. Thank you. cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
Joining me is John Petrick, editor of the Cyber Wire.
John, I know we go through our days and we don't really think about GPS, the global positioning system.
It's just become a part of our everyday lives, but it hasn't really been around that long. No, it's new that the first real operational use of the global positioning system
was by the United States military in the first Gulf War.
In today's Cyber Wire, there was information about passcode reporting on plans to shore up a GPS,
developing backup systems for it.
Why is that important,
and how does that relate to cybersecurity? It's important because of all the things we use GPS for.
It not only provides you with driving directions, but it provides geolocation information for Google Maps, for all kinds of applications that we don't even think about anymore.
Just give us a rundown. What is GPS, and how does it work?
A good way of thinking about GPS is
to think of it as an artificial form of celestial navigation, that the GPS system orbits 31
satellites in a constellation. And each one of those satellites carries a highly precise, highly
synchronized atomic clock. And they're constantly sending out a signal from that clock. So the GPS receiver in your car system or in your phone is getting
the signal from four satellites. It's comparing time of transmission to time of arrival, and it's
deriving from that your location on the ground, your location on the surface of the Earth,
in much the same way that celestial navigators back in the age of sail would have kept a highly
precise chronometer synchronized with
the Royal Observatory at Greenwich's chronometer to enable them to determine latitude and longitude
by taking a variety of celestial observations. And all of this is being done automatically for you.
And the ability to do that depends upon your ability to receive unblocked signals from those
satellites. So why would someone go about blocking the signals or spoofing them?
People do that for all kinds of reasons or might do it for all kinds of reasons.
There was a case in Newark, New Jersey that PASCO talks about in which the Newark airport
was finding that the GPS signals were being blocked at unusual intervals around the airport.
So what was it?
At first, they thought it was an equipment failure,
but no, it wasn't an equipment failure,
nor was it some kind of natural interference.
It turned out that there are little blockers
that you can buy to block a GPS signal locally.
The guy in this case who was found to be blocking it
was a guy who was driving a truck for an engineering firm
who really didn't want his bosses tracking what he was doing and where he was going during the day.
So that was the cause of the problem in that case.
So this guy is just trying to get a little private time, and in the meantime, he's endangering
aircraft at an airport.
Yeah, evidently, that's what the case was.
So what people are thinking about is they're thinking about, because GPS is so valuable
and so pervasive and more reliable, candidly, than the alternatives like the Russian GLONASS system or the European
Space Agency's Galileo system, what can we do to have a backup for it? Well, you could boost the
signal strength. Boosting signal strength is one common way of just burning through jamming.
You could develop an alternative backup system that would provide
insurance if GPS were generally blocked or jammed. There's an old legacy terrestrial system called
Loran that old sailors would be familiar with. Loran is one possible alternative. If you upgraded
Loran, that might serve to backup GPS. Both the British and the Republic of Korean governments have spent some money backing
up Loran as an alternative to GPS. The U.S. had plans for doing something similar, but cut that
for budgetary reasons recently. So we'll see how that develops and see what comes in the future.
All right, John Petrick, thanks for joining us. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
is by targeting your executives and their families at home.
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to