CyberWire Daily - The CyberWire 1.26.16
Episode Date: January 26, 2016
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Patches are out from Magento, Oracle, FreeBSD, and Apple. Corporate cyber risk disclosures remain vague,
but the insurance market is rapidly growing more rigorous than SEC regulations.
Venture capital looks for the next generation of cyber unicorns.
More international cooperation in cyber law enforcement.
But U.S.-EU safe harbor negotiations continue to drag despite U.S. offers of a privacy ombudsman.
And don't click on Crash My Safari.
And no, sending that link is not funny.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, January 26, 2016.
The video ISIS released over the weekend appears to contain some fakery. Not, alas, the murders,
but rather the claimed encryption. The encrypted email is patently bogus, faked, according to informed observers. Why it was even included is the subject of some speculation. Perhaps it
represents an attempt at building internal morale, or perhaps it's intended to frighten the opposition. Or, more interestingly, some speculate ISIS's claims to
have strong encryption is aimed at rushing governments into policies that would subvert
or otherwise restrict encryption. Presumably this would give pro-ISIS hacktivists more access to
their targets, and would also serve to, as old-line Trotskyites might put it,
heighten the contradictions.
But beware, one of those informed speculators is Edward Snowden, who's not entirely a disinterested
party with respect to encryption policy. In what appears to be a dim-witted internet gag,
various trolls are circulating a link to CrashMySafari.com, which, unsurprisingly,
does something close to what it advertises.
The site will induce the browser to process an indefinitely increasing string of characters,
thereby clogging memory and forcing devices to reboot.
OS X, iOS, and Android devices are said to have been affected.
One note: beware of shortened URLs and tweets sent by what HackRead characterizes as some idiots.
The shorter URLs may be less immediately recognizable as leading to the gag site, so click with care. The FortiOS SSH
vulnerability, either a backdoor as critics call it or an oversight in a management authentication
issue as Fortinet maintains, has been found and fixed in additional Fortinet products.
Active exploitation attempts are now being observed in the wild. Versions 1 and 2 of the popular e-commerce platform Magento have been
found vulnerable to cross-site scripting. A patch is available, and analysts recommend it be applied
as soon as possible. In other patch news, Oracle issues some Java patches. Patch it or pitch it,
advises Brian Krebs. FreeBSD fixes a kernel panic vulnerability that can lead to denial of service conditions.
And Apple pushes out a security update that addresses multiple vulnerabilities in tvOS.
OpenSSL is expected to issue two patches later this week.
Risk management keeps its place center stage in industry news.
A study of corporate risk disclosures in U.S. Securities and Exchange Commission filings
finds such disclosures, including those pertaining to cyber risk,
generally generic and uninformative,
especially insofar as they fail to identify company-specific risks.
The insurance market, however, continues to move toward more rigorous characterization of cyber risk.
Some of that movement comes from the U.K.,
where companies partnering with Cambridge University's Center for Risk Studies
have evolved a cyber risk exposure data schema.
In the US, a variety of approaches to cyber risk analysis are on offer,
ranging from traditional consulting interviews to various scans of the external environment.
Venture capital continues to flow unabated into cybersecurity startups.
Next generation appears to be the magic words being spoken to conjure unicorns. More international security and intelligence cooperation is in the offing. Australia and Thailand are working on an agreement,
and the European Union is opening a new counterterrorism center.
Law enforcement officials see such collaboration as particularly important
to the investigation and prosecution of inherently borderless cybercrime.
Negotiations over a successor safe harbor agreement between the U.S. and the EU proceed.
The U.S. is said to have floated the
idea of establishing a privacy ombudsman to address concerns EU citizens might have over
U.S. government access to their data. Elsewhere in the U.S., as responsibility for security
clearance information is set to shift from OPM to the Department of Defense, U.S. Cyber Command
warns that the country faces technological peer competitors in cyberspace.
The baffling case we saw last week of the couple in Atlanta bedeviled by people whom
Find My iPhone kept sending to their address looks closer to solution.
Flaws in cell tower triangulation might be leading tracking software to pick a single
default location, and it may be that this location just happens to be that couple's home.
They filed a complaint with the Federal Communications Commission and their senator.
We wish them good luck.
And in some final crime and punishment news, one Lord Bastion, allegedly associated with
the Crackas With Attitude, doxes the Miami Police Department via what he or she claims
is the compromise of an FBI database. The declared
motive is revenge over a raid on a Miami house that Lord Bastion and some of his or her friends
rented sometime last year. Observers wonder why it's taking law enforcement so long to round up
the Lord and his colleagues. Some news reports casually refer to the Crackas With Attitude as
a defunct group, which raises the question of how so casually assembled a group could be said to go out of existence. Logicians may recognize this as an
instance of the Sorites paradox, attributed to Eubulides of Miletus. We'll leave this as an
exercise for you, dear listener.
of computer science and the director of the Maryland Cybersecurity Center, one of our academic and research partners. Jonathan, I want to talk about backdoors, specifically
the tension that exists between law enforcement, who likes backdoors, and industry, who seems
to be resistant to them.
Yeah, that's right. And I'm actually receptive to the idea that we want to provide law enforcement or government agencies with the ability to access communications of criminals or terrorists or people that they're investigating for one reason or another. But I think the fundamental problem is that any time you allow the presence of these backdoors, you're inherently weakening the security of the system. It's all very well and good to say that this backdoor, this key, for example, will be protected and will only be given to government agencies upon presentation of a warrant or some other legal mechanism. But nevertheless, you have to then worry about protecting that key. You have to then worry about which people, which employees of the organizations involved, have access to that key. You have to worry about hackers potentially breaking in and getting information about those backdoors. And so inherently you're undermining the overall security of the system.
What's your sense for where this is going?
Well, it's really unclear. I mean, the talk right now among the politicians seems to be that they're
all in favor of the idea of having some kind of a backdoor of the sort. But I don't think that
they all fully understand the technological implications of that, or the technological
difficulties that would be involved in making such a system.
So I think it's very easy for them right now to say that, sure, in an ideal world,
we'd like a backdoor that only law enforcement can access. But if they sat down, and hopefully at some point, they will sit down and meet with technical people and try to understand the issues
involved, they may come to the realization that that's simply not feasible.
All right, Jonathan Katz, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.