CyberWire Daily - The CyberWire 1.20.16

Episode Date: January 20, 2016


Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Crypto policy moves closer to key escrow. The Dridex banking trojan picks up DNS cache poisoning capability.
Starting point is 00:02:06 Perception Point finds a serious Linux kernel bug. Oracle, Apple, Linux, BIND, and Yahoo issue patches. Lloyd's issues guidelines for common cyber risk data. Chinese cyber espionage is directed against the latest U.S. fighter aircraft. And the U.S. Congressional Research Service recommends lawmakers take a closer look at cybersecurity in executive agencies. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, January 20, 2016. Wired offers a summary of everything known about the Ukrainian power grid hack. The big takeaway is that it was indeed a hack.
Starting point is 00:02:47 A researcher from University College London reports dangerous weaknesses in a voice encryption protocol Her Majesty's government is pushing on suppliers. Steven Murdoch argues that the MIKEY-SAKKE protocol would have service providers holding a master decryption key. MIKEY-SAKKE stands for Multimedia Internet KEYing, Sakai-Kasahara Key Encryption. Easy for you to say. The government doesn't call it key escrow, but Murdoch thinks that's what it amounts to. The report on MIKEY-SAKKE appears as parliamentary debate over the Investigatory Powers Bill continues. The Home Office continues to disavow any intention of weakening encryption, instead representing the key escrow approach as serving both privacy and investigative needs,
Starting point is 00:03:29 subject to warrants, appropriate oversight, and so on. There are no major policy moves reported in the U.S. and no new shots in the crypto wars between the Beltway and the Valley, but the Congressional Research Service has advised legislators to require more reporting on cybersecurity from the executive agencies. IBM's X-Force notes an evolution in the long-familiar Dridex banking trojan. Dridex is now using DNS cache poisoning to redirect traffic to clones of some 13 British bank sites. Researchers at Perception Point discover and disclose a serious Linux kernel bug
Starting point is 00:04:03 that could allow remote, unauthenticated users root access to affected devices. The flaw appeared in Linux version 3.8, released in 2013. Patches are coming this week, but the notorious difficulty of pushing updates to endpoints makes it a lead-pipe cinch that the vulnerability will persist for the foreseeable future. Personal computers, servers, and Android devices are all at risk. Phishing attempts seek to spread the Gaza Cybergang's DustySky persistent spyware to targets in Israel, Egypt, Saudi Arabia, the United Arab Emirates, and Iraq.
Starting point is 00:04:35 Phishing and other social engineering approaches are implicated in other attacks, including attempts to harvest credentials from LastPass. LastPass has patched the flaw that enabled exploitation. Other significant patches released this week include updates from Apple for iOS, OS X El Capitan, and Safari, and from Oracle, Yahoo Mail, and BIND. Laggards determined to struggle along with old versions of Internet Explorer get some good news. Trend Micro says it will continue to offer protection for the more venerable versions of Microsoft IE. Yahoo paid a reported $10,000 in bug bounty for the Yahoo Mail vulnerability.
Starting point is 00:05:12 Those of you interested in finding and disclosing the bugs that get patched might be interested in consulting ENISA's newly released set of best practices for disclosure. The cybersecurity of acquisition targets looms larger in M&A due diligence. Prospective buyers of banks in particular are giving close scrutiny to security posture before buying. Actuaries and accountants are playing a larger role in such scrutiny. Lloyd's releases a set of common core data requirements for cyber risks, and more firms work toward credible, quantified ways of putting a price tag on cyber value at risk. Students at Cornell are working on sarcasm detection,
Starting point is 00:05:48 which they see as a means of improving the quality of online reviews. Like that's going to work. In industry news, IronScales and ThreatQuotient announce new rounds of venture funding, and Symantec's sale of Veritas to the Carlyle Group will, it seems, be less pricey for Carlyle, about $1 billion less pricey, according to reports. In cybercrime and punishment, Chinese military officers and an accomplice in Canada are accused of attempting to hack into technical information related to development of the U.S. F-35 Joint Strike Fighter.
Starting point is 00:06:21 The Canadian accomplice awaits extradition to the United States. The Chinese principals? Well, they're in China. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:07:10 They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Cyber threats are evolving every second, and staying ahead is more than just a challenge. I want to talk about authentication today. Let's start off. Give me a definition. What is authentication? Well, very simply, authentication is a mechanism that allows a user to prove who they are, to prove their identity, to another system. So we're all familiar with this idea of logging into a website, logging into a bank site, logging in to access your email,
Starting point is 00:08:59 and before doing so you need to authenticate yourself to prove that you're the person that should have access to that information. At the most basic level, we've got passwords and then we've got multi-factor authentication. So as authentication gets more sophisticated, what are the ways we can protect ourselves? Yeah, as you know, passwords are here and they seem here to stay, even with all their problems. And so that's why people are now recommending that users use two-factor authentication to make the authentication process more secure. And at the most basic level, this might involve using a password in conjunction with some information on your mobile phone, for example. Google, as an example, offers two-factor authentication where they'll use some information, a code that comes up on your phone, in addition to your password,
Starting point is 00:09:46 before they'll allow you in. And this can make users a lot more secure because it's a lot harder than for an attacker to both guess the user's password and also figure out the code from their cell phone. Do you ever see us coming to a time when we're not going to be using passwords anymore? Is there anything on the horizon that could replace them? Well, I think passwords are going to be here for a while, but I do think that people are working on newer forms of this two-factor authentication, all relying for now on mobile phones because of the fact that people are carrying them around
Starting point is 00:10:15 with them all the time. So you can have a code popping up on your phone. You can have a text message being sent to your phone. You can rely on geographical information about where the user is. You can rely potentially on an IP address of a person's computer. But I do think that those are all still going to be used in conjunction with a password for the foreseeable future. And what kind of advice would you give to
Starting point is 00:10:34 people who are looking to shore up their security when it comes to authentication? Well, really, there are two things. I mean, the first is to demand two-factor authentication and to use two-factor authentication when it's available. I mentioned earlier that Google allows users to use two-factor authentication, and I would recommend that. Some banks now are also offering two-factor authentication, although not all of them. On the other side, when you have a site that does not offer two-factor authentication, you should take some steps to make sure that your password is not easily guessable, even if that means actually coming up with a complicated password and then writing it down on a piece of paper that you keep in your wallet.
Starting point is 00:11:10 These days, that can actually be more secure than using a weak password that you can remember, but that hackers can easily guess. All right, Jonathan Katz, thanks for joining us. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home,
Starting point is 00:11:54 your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:12:45 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
