CyberWire Daily - The Manhattan terror suspect claims allegiance to ISIS, but ISIS hasn't claimed him. Crimeware notes. Patching news. Crypto wars update. What the Senate learned about info ops.

Episode Date: November 2, 2017

In today's podcast, we hear that, while the Manhattan truck-ramming terrorist claims ISIS, ISIS hasn't claimed him. Notes on conventional cybercrime, with some resurgent banking Trojans and mobile malware. Apple patches iOS against KRACK vulnerabilities. WordPress issues another fix for SQL injection bugs. US Deputy Attorney General Rosenstein takes up the pro-access banner in the crypto wars, but few from the tech sector are rallying to him. Senate hearings on Russian influence operations continue. Chris Poulin from BAH on augmenting human capabilities. Robert Knapp from CyberGhost on employers raising awareness of cyber security within their organizations.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 The Manhattan truck terrorist claims ISIS, but ISIS hasn't claimed him. Notes on conventional cybercrime with some resurgent banking trojans and mobile malware. Apple patches iOS against KRACK vulnerabilities. WordPress issues another fix for SQL injection bugs. U.S. Deputy Attorney General Rosenstein takes up the pro-access banner
Starting point is 00:02:16 in the crypto wars, but few from the tech sector are rallying to him. And Senate hearings on Russian influence operations continue. I'm Dave Bittner with your Cyber Wire summary for Thursday, November 2, 2017. The man arrested in Tuesday's truck-ramming killings in Manhattan has been charged. He appears to have been radicalized and inspired online. Sayfullo Saipov, a native of Uzbekistan living in Paterson, New Jersey, told investigators after his arrest that he chose Halloween as the date of his truck-ramming attack because he expected streets to be crowded and thus to be able to kill more people. Saipov claimed allegiance to ISIS, but so far, although ISIS-sympathizing Twitter accounts have been quick to celebrate the murders,
Starting point is 00:03:07 ISIS official channels themselves have remained quiet. It's been ISIS's practice not to claim a terrorist attacker as a soldier when the attacker is in custody. Since Saipov failed to achieve martyrdom, instead having been arrested after a New York City police officer wounded him in the stomach, it seems likely that an official claim may not be forthcoming. Saipov told investigators that he was inspired to commit his attack, which he said he'd been contemplating for about a year, after watching ISIS videos on his phone. He was particularly influenced by Abu Bakr al-Baghdadi's calls for revenge
Starting point is 00:03:42 against soft targets in the West. For now, Saipov is thought to be probably a lone wolf, although possible connections are being investigated. His phone, at least, has been seized, and authorities are working on it. The phone does indeed contain a lot of ISIS videos and images. Several criminal campaigns are receiving researchers' scrutiny at midweek. A gang Kaspersky calls Silence is distributing a banking trojan being tracked under the same name. The group isn't Carbanak, but researchers note that they're using some of the same techniques that Carbanak pioneered in its rise to underworld leadership. Prominent among those tactics is the use of screen grabs to record and profile ordinary daily activity
Starting point is 00:04:24 on targeted enterprises' networks. Chinese speakers are afflicted with a new variant of iOS malware being distributed through two third-party app stores. According to Trend Micro, the malware appears to try to induce its victims to download repackaged apps. Proofpoint is following the resurgence of KovCoreG, a criminal gang distributing Kovter ad fraud malware. The threat group has been active since 2011. The sixth annual Mobile Pwn2Own is on in Tokyo. Apple's iPhone 7, running iOS 11.1, Samsung's Galaxy 8, and Huawei's Mate 9 Pro all fell
Starting point is 00:05:04 to hackers on the first day. In patching news, Apple has fixed the KRACK vulnerability in iOS 11.1, addressing the key reinstallation issues implicit in the WPA2 protocol. WordPress has also patched, issuing a fix for a SQL injection flaw. The issue was exploitable in WordPress 4.8.2 and earlier versions. I think one of the biggest problems we are facing right now is when it comes to attacks on companies is social engineering. That's Robert Knapp, CEO of VPN provider CyberGhost,
Starting point is 00:05:41 stressing the importance of a company-wide focus on a culture of cybersecurity. The attacks are not really technical. They are more focused on vulnerabilities of people. And that is something you can train and teach. And one of the examples is simply teach people to check emails where they are from, not click on every attachment, teach them how to detect a website that is HTTPS protected properly or just pretends to be HTTPS protected. We have to, let's say, bring the people on the level of 2017 and the dangers of the Internet. And you only can do that with proper training. What about the pushback that people often have that say, you know,
Starting point is 00:06:25 my employees just want to get their job done and these things slow them down? Yeah, that is right. You say that as long as nothing happens, you know. The first time that you run a company, for example, that deals with sensitive customer data and then you have a security breach and all your customer data is out there and your business goes from 100 to zero, then you don't say that people need too long to check if they are security vulnerable. It's, it's simply, um, not the right thing to say. So it sounds to me like you're, you're advocating that this really needs to come from the top, that this is something that, uh, the companies really need to embrace.
Starting point is 00:07:07 It needs to be a regular part of the company culture. Absolutely. Look, we obviously need change. If you look at the cybersecurity landscape and if you look at what happened in the last years, the data breaches get, first of all, bigger and bigger and more serious and more serious. So that means at the beginning, we just had security breaches, let's see, in small companies where you would say, all right, maybe they don't have the money, they don't have the ability to build the proper infrastructure and teach people properly and whatever. But now we are at the level where you see security breaches at companies like Yahoo. So and that means you need a company culture that deals with two different things,
Starting point is 00:07:48 education of the own staff and building the proper infrastructure. And the infrastructure that we need now looks different from an infrastructure that we had 10 years ago. That's Robert Knapp from CyberGhost. In the crypto wars, U.S. Deputy Attorney General Rosenstein advocates secure, responsible encryption. He's been talking about this for some weeks, and on Monday explained what he's urging as follows. Quote, Thus companies, essentially any who carry or store communications for their users and customers, would be required to hold a key to any encrypted content their systems handle and to produce such key when properly required to do so by a warrant. It would not, as some reports have said, require companies to store all messages transiting their systems in plain text.
Starting point is 00:09:00 While Deputy A.G. Rosenstein has some nice things to say about encryption, calling it a foundational element of data security and essential to safeguarding data against cyberattacks, he nonetheless believes it should be effective secure encryption coupled with access capabilities. at least as far as the tech sector is concerned. Cybersecurity Hall of Famer Susan Landau recently described it in Lawfare as a keys-under-doormats approach to security. There's no way, critics argue, of ensuring that only governments exercising legitimate investigative authority would be able to gain access to such keys. To provide for the government to have such access would also be to open up the possibility of such access by other governments, criminals, and so on.
Starting point is 00:09:49 U.S. Senate hearings into Russian influence operations find that foreign trolls can post the kind of stuff everybody else does, religious and anti-religious images, racial resentment, class disdain, gender aggression, conspiracy theories, and so on. Basically, the Internet's stock in trade. Senators told Twitter, Facebook, and Google executives hauled in to testify about foreign influence that they should get their act together, because if they don't get a handle on their terms of service and enforce them, Congress will,
Starting point is 00:10:18 or so said California Senator Feinstein. How the platforms might control what people say on them is difficult to say, particularly for observers with strong First Amendment sensibilities, but there might well be ways of limiting the amplifying effects of, for example, bots. And purchasing political advertising might be brought under the same restrictions that currently govern other forms of foreign contributions to political campaigns. The Internet Research Agency, a now well-known St. Petersburg troll farm, was active buying political ads on Facebook last year,
Starting point is 00:10:52 and was able to use Facebook's formidable analytics to target them to the demographics it was interested in reaching. This seems to have been straightforward marketing savvy on the Internet Research Agency's part. All the companies testifying said they'd found no evidence that anyone had used voter databases to target ads. Testimony also indicated that Russian messaging was distributed across the political spectrum from far left to far right, from moonbats to wingnuts, and most other niches in between. This would seem to confirm that the goal was chaos rather than any specific outcome. Back in Menlo Park, Facebook CEO Zuckerberg said he was dead serious
Starting point is 00:11:32 about curtailing problematic activity on the social media platform. He framed this as a security issue and warned that the company's security investments would be significant in the coming year, markedly increasing operating expenses.
Starting point is 00:13:41 And I'm pleased to be joined once again by Chris Poulin. He's a principal at Booz Allen Hamilton Strategic Innovations Group.
Starting point is 00:14:46 He heads up their Internet of Things security team. Chris, welcome back. You know, you and I have spoken about medical devices before, and being someone who grew up in the era of The Six Million Dollar Man, I am very interested in the possibility of augmenting my human capabilities. And this is something that you're interested in. And some of these things are not that far off. That's true.
Starting point is 00:15:10 And I really do hope that you weave in The Six Million Dollar Man. So, yes, in fact, it's kind of interesting because I've been talking quite a bit about this. And I'm fascinated. I actually got fascinated by watching somebody called Lepht Anonym, Lepht, and it's like anonymous but shortened, um, who actually has started pioneering grinding, which is basically implanting magnets and things like that into her body in her kitchen with a bottle of vodka and a scalpel. Um, and then it's moved on. There's an organization called Grindhouse Wetware out of
Starting point is 00:15:47 Pittsburgh who do similar things, and it's kind of fascinating. They'll use magnets and an echo locator to actually help blind people to navigate rooms. You know, so the magnet actually picks up on the return ping, basically, and they've had great success and then being able to accurately navigate rooms and determine the height and distance and all that of objects that are in people's way. So it doesn't really have a cyber implication right now. But I started thinking about, you know, what the future holds, and even some of the stuff that's happening now. So, for example, Elon Musk is coming up with, he's thinking about neural lace. So effectively, it's a Utah array or array of sensors that you can overlay onto your brain
Starting point is 00:16:25 and the theory is that I could think of a, in fact, this podcast could be coming to you just by somebody sitting there, and I could be thinking these words and it could be transmitted directly without any, any translation through, you know, my mouth and airwaves directly onto your brain. So I could think of a picture and you could be translated directly or you could receive it in the exact form that I thought potentially. But see, so that's where it gets scary is that it requires, in order for this to work the way that we want it to, is a communications network. So think about telematics for your brain.
Starting point is 00:16:59 And so if you've got a point of presence or a threat surface, you know, literally here, here, then somebody could break in, and if you have access to somebody, somebody's brain, you can cause them to have purposeful hallucinations or attacker-controlled hallucinations. Or there's a movie, a really bad B movie from the 90s, I think, called Idle Hands. Okay. Uh, where an evil possessed hand manages to find its way on this young kid's body. It's a silly, stupid movie. It's great if you had a couple beers and it's a rainy day. But effectively, I think about that. You could cause somebody to cause motor movements that they were not intending.
Starting point is 00:17:34 Something a little less juvenile would be something like the Manchurian Candidate, right? So that's one aspect. The other one is looking at actual nanotechnology, where we've seen nanotubes that have actually been put into practice. So it'll be things like they might target certain cancer cells or whatever. So basically, you ingest this nanotechnology, and it can be controlled through software. And so one of my friends and colleagues, Chris Roberts, actually, he has been doing some work in that area and has managed to figure out how to hack those.
Starting point is 00:18:09 So effectively, if you've ingested those and their goal is to, I don't know, target cancer cells or whiten your teeth or whatever it is that they want them to do, he can change it so that it can do something more evil to somebody. So again, one of these things, and I keep cautioning people, and this is how I like to end discourse on these types of topics, is it's always about attacker motivation. So unless you're some high-profile target, I don't worry that much about people just taking control of these things and causing harm. But quite honestly, I think it becomes a little bit more widespread when it's something like neural lace, where you could actually make people believe what you want them to believe. So there actually is a far more insidious motive than actually harming people. So just sort of a cautionary note as we move into that realm. These are things that Oscar Goldman never had to worry about on The Six Million Dollar Man. Chris Poulin, thanks for joining us.
Starting point is 00:19:18 And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
Starting point is 00:20:03 I'm Dave Bittner. Thanks for listening.
