CyberWire Daily - Trojanized apps in the PlayStore. How cybergangs talk, cooperate, and improve their game. More troubles reported for Tanium.  A Chicago lawsuit brings privacy issues to the fore.

Episode Date: April 20, 2017

In today's podcast we hear about snakes in the PlayStore's walled garden (one of them with a helpful flashlight, and another one with a plumber's cap and a mustache, which must look pretty odd on a serpent). A look at how cyber gangs communicate—they do it a lot like the rest of us. Source code distribution and the jokers who make annoying use of it. More troubling reports about an IPO-ready unicorn. The Johns Hopkins University’s Joe Carrigan explains limitations of fingerprint scanners. Amit Rahav from Secret Double Octopus describes innovations in authentication. Plus, what information do your products collect about you? And how do you know what the vendors are doing with it?

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. There are snakes in the Play Store's walled garden. One of them has a helpful flashlight. A look at how cyber gangs communicate. They do it a lot like the rest of us.
Starting point is 00:02:05 Source code distribution and the jokers who make annoying use of it. More troubling reports about an IPO-ready unicorn. What information do your products collect about you? And how do you know what vendors are doing with it? I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, April 20, 2017. We begin with a few warnings about malicious apps. BankBot resurfaced this month in various Trojanized apps sold in the Play Store. Google has purged the ones reported to it, but we can expect more.
Starting point is 00:02:40 Bratislava and San Diego-based security firm ESET found one bad app that repeats a familiar pattern. It was packaged as a flashlight for Android. It might help you find your keys at night, but the app would also swipe your credentials and maybe lock your screen. So while the Play Store remains a far better bet than a third-party store, be wary. Snakes do get in the walled garden. The other problematic Play Store offering was noticed by Trend Micro. It's a bogus version of Super Mario Run. The tip-off to danger is that during installation,
Starting point is 00:03:14 it seeks to be activated as the device administrator. This, of course, is never a good idea. Mario is no administrator. Neither is Luigi. Security company Flashpoint has published a study on how cybercriminal gangs communicate. It indicates, again, how much a black market can function like a legitimate market and the ways in which a criminal ecosystem can resemble a business vertical. While an online forum might broker initial connections among criminals, the study finds,
Starting point is 00:03:44 the groups tend to move quickly to various instant messaging services. Many are represented, but Skype is number one, possibly because it's bundled with so many other Microsoft products. Flashpoint notes that criminals, like the rest of us, like to reap the benefits of cross-community collaboration, information sharing, and even mentorship. Flashpoint also says the criminals look for ease of use. They like a simple, intuitive GUI, and they hate buggy apps. They like suitability for communicating in their native language, as well as the messaging platform vendor's willingness to resist subpoenas,
Starting point is 00:04:18 and of course security and anonymity. Criminal organizations also tend to learn from the best, and if you want to find the sector leaders the other gangs follow, well, the Russian mob is the pick of the litter. SurfWatch Labs has drawn security lessons from the growing availability of source code and malware online. Rensenware, the joke ransomware a South Korean undergraduate put together, serves as a cautionary example. When SurfWatch and others called it a joke, they meant joke literally. The Rensenware impresario encrypted files but didn't ask for money. Instead, he required the victims to win the lunatic level of a shooter game,
Starting point is 00:04:58 Touhou Seirensen. Score 200 million points, and you'll get your files back. The undergrad has apologized to everyone for a prank he no longer finds funny, but SurfWatch's point is that the ready availability of swapped malware on the market makes this kind of nonsense all the more likely to continue. Secure authentication is an area of active research and innovation, as increasingly people are concluding that the old username-password combo just isn't enough.
Starting point is 00:05:28 One company claiming to have a solution to authentication challenges is Secret Double Octopus. And yes, we love that name too. Amit Rahav is VP of Business Development at Secret Double Octopus. The current way we're doing authentication and encryption is based on algorithms that have been around for 40 years and haven't changed much, actually. Whether it's the use of password and similar concept, whether it's the reliance on public infrastructure, these are all great concepts that have served us well. But they were created at a different time, a different era.
Starting point is 00:06:05 And the use cases we're seeing today in terms of complexity, in terms of the scale, in terms of the requirement for user experience, and in terms of the requirement for security are dramatically different. So when you look at things like password, right now, if you're a security admin of a large company, it only takes one customer to make a mistake in order to fail the entire protection environment. And we're talking about the end users. What are the odds to make sure that no end user will make a mistake in terms of somehow giving away a password, somehow giving away access to a code? So that's really something that we have to look again at that approach, both in terms of scale, complexity, and also in terms of user experience. So take us through, you know, what do you all maintain is the solution?
Starting point is 00:06:51 So today, if I'm relying on SMS, if I'm relying on push notification, if I'm relying on keys, somebody can steal that secret behind my authentication. If it's in biometric, the same thing, there's going to be a secret there. We're creating something that gets rid of that single point of failure, but without any compromise on user experience. To do that, we're actually leveraging well-known algorithms that were used in the past to protect military launch codes, when you have multiple approvals that are required. And in cryptography terms, the algorithm to achieve that has been defined and it has been created actually by Adi Shamir,
Starting point is 00:07:25 the co-inventor of RSA. He also created Shamir Secret Sharing. So we've created the world's first authentication architecture that's designed on Shamir Secret Sharing. And what it does is it allows me to authenticate to the server without any point of failure along the way. It allows my admin to deploy the system without having any key management. And then I can eliminate password altogether. But it all becomes completely indifferent to hacks that we know today. So how does it work for the user? What's the user experience? Well, the user will get rid of having to remember password and instead they will use an app. Anything that they do that is sensitive, all their operations will be approved using a highly protected app that is installed on their
Starting point is 00:08:08 phone. They can just, with a single tap, approve or reject certain operations. They can have the benefit of knowing that as they do that, they are fully protected, but they don't have to deal with the security itself. They don't have to type any codes. They don't have to carry around special hardware. Just a simple beeping on my phone. I tap one touch and I am approved to go. That's Amit Rahav from Secret Double Octopus. Tanium is in the news again, and not in a good way. The privately held triple unicorn, recently valued at $3.5 billion and preparing for a long-awaited IPO, has seen the departure of a surprising number of senior executives over the past year. Earlier this
Starting point is 00:08:51 week, reports were published complaining that the CEO had an abusive style and that he'd gone so far as to limit the dilution of his equity by firing employees just before their options were due to vest. Tanium denied that there was any such practice. Late yesterday, however, the Wall Street Journal reported that Tanium had been using a customer's network to demonstrate its security products to other potential customers. The customer whose network was used in the demos, a California hospital, has said it was unaware that this was going on.
Starting point is 00:09:22 They're none too happy about having been so exposed. Tanium's demonstrations apparently began as early as 2014 and continued for some time. Industry reaction to this story has been predictably harsh. We heard from Stuart Okun of software vendor 1E. He says that, quote, using live customer environments for demos is a rookie move, end quote, and that a Wild West startup culture won't fly in the security space.
Starting point is 00:09:48 The stakes are too high. He draws three lessons from the incident. First, start thinking early about scalable demonstration environments for your products. Second, use testing rigs so you don't disrupt operations. And third, don't contribute to hype. You're probably not, as a security startup, offering a magic pill, so take a measured, integrated approach. Tanium's CEO, Orion Hindawi, has published an open letter to customers
Starting point is 00:10:13 that amounts to a partial rebuttal of the news reports. He acknowledges that mistakes were made in their use of the client's network and that they could have done a better job anonymizing their demo. He categorically denies reports of a toxic environment within the company, and though he does cop, in a mildly apologetic way, to having a sometimes hard-edged manner, he thinks that some of that is simply a natural expression of the company's commitment to its mission and its customers. Finally, there's an odd lawsuit being filed in Chicago
Starting point is 00:10:43 that alleges audiophile company Bose has been collecting user information from Bose wireless headphones and then sending that data to third parties. We'll forgo the obvious wisecracks about how a headphone manufacturer might be listening in and simply note what Bob Noel of Plixer International mentioned to us. A lot of companies collect data, and a lot of that data is collected by permission of the end-user license agreement, the EULA we all click through impatiently when we get a new product. Noel says, quote, because data collection occurs across the encrypted tunnel, as a consumer, it's impossible to verify what data is being taken and what the manufacturer is doing with that data, end quote. So perhaps the best folk wisdom to cite here is the one sung by American philosopher Tom Waits in Step Right Up.
Starting point is 00:11:30 The large print giveth, and the small print taketh away. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:12:16 Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Starting point is 00:12:53 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel,
Starting point is 00:13:34 Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and
Starting point is 00:14:12 securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. You sent over an interesting article about fingerprint sensors on iPhones and Android devices. Right. Certainly a popular way to log into your phone. I'll admit I use it to log into my iPhone every day. I do too. We just got new phones in our house. I love that I just touch the back of it and it opens up for me and that if I need my son to open it, I can tell him what the code is and he can open it with the code. I think it's a very great convenience. It's just convenient
Starting point is 00:15:01 and it's fast, but not necessarily so secure. Exactly. So this article talks about a paper that came out from NYU and Michigan. And in that paper, the researchers have found a set of fingerprints that have enough common features. They're actually partial fingerprints because these things don't work on full fingerprints. Right. They work on just a partial fingerprint because you're only touching a small portion of your finger to that sensor.
Starting point is 00:15:29 What they found is that if they have generated this set of fingerprints that has enough of the common features of the population's fingerprints that it can be identified as about 60% of the people by a fingerprint sensor. Now, they didn't talk about doing this on an actual phone. They were using a different device. Okay. But still, if you're looking at this from a security standpoint, if you're matching 60% based on this set of fingerprints,
Starting point is 00:16:02 then even if the phone is four times as good, then you're still matching 15% of the population, which is probably an unacceptable level for security. Yeah, I've always looked at this as being more of a step up of security versus nothing at all. It's sort of the sweet spot between having a complex password is too much of a pain and slows me down too much, so I'm just not going to use it. But not having anything isn't secure at all. So it's a better than nothing solution in terms of security. But if you're someone who really needs to have your device locked down, you probably shouldn't rely on the fingerprint. This is probably not the best, not the best solution anymore. My feeling on this is that for real security, fingerprints just aren't going to cut it.
Starting point is 00:16:51 All right. Joe Carrigan, thanks for joining us. My pleasure, Dave. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire.
Starting point is 00:17:46 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:18:39 That's ai.domo.com.
