CyberWire Daily - US elections proceeded undisrupted by hacking. Patch Tuesday review. Banking Trojans, Android trigger-malware, and thermostats gone wild.
Episode Date: November 9, 2016

In today's podcast we look at Patch Tuesday: Microsoft closes thirteen vulnerabilities (five of them "critical"), Adobe fixes Flash Player, and Google addresses Android issues. "Trigger-based" mobile malware, and why it's hard to see. Why usability matters to security. Tesco continues to recover from ATM fraud. Canadian police surveillance is scrutinized. Thermostat trouble in Finland. The Johns Hopkins University's Joe Carrigan discusses privacy of medical records. Professor Gene Tsudik from University of California, Irvine, explains a potential vulnerability with typing while Skyping. And, oh, we also hear there was some election or something in the US.
Transcript
You're listening to the CyberWire Network, powered by N2K.

...stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Nightbitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Nightbitch January 24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k.

...five of them critical. Adobe fixes Flash Player and Google addresses Android issues. Trigger-based mobile malware and why it's hard to see. Why usability matters to security. Tesco continues to recover from ATM fraud. Thermostat trouble in Finland. And, oh yeah, we also hear there was some kind of election or something in the U.S.

I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, November 9, 2016.
Yesterday and today, of course, have been big news days. Microsoft issued 13 security bulletins, five of them rated critical. Among the vulnerabilities patched is the one Google publicly disclosed last week to Redmond's displeasure. That fix closes a privilege escalation hole in Windows that can be used to escape security sandboxes. Adobe and Google also patched. Adobe addressed issues in Flash Player and Adobe Connect, fixing nine remote code execution vulnerabilities. Google addressed 12 critical vulnerabilities in Android, including the bit-flipping privilege escalation risk known as Drammer, but Mountain View left a comprehensive fix for the Dirty COW Linux kernel rooting vulnerability to a further round of patching. A supplemental patch did deal with Dirty COW for Nexus and Pixel devices. Other handsets will get their fix next month. Google also noted that Chrome's Safe Browsing will henceforth crack down on sites determined to be repeat offenders.
In response to reports that Android malware in the wild is becoming more trigger-based and more evasive, Giovanni Vigna, Lastline's co-founder and CEO, told the CyberWire that, quote, As users are increasingly relying on their smartphones for security-critical operations, such as banking, cyber criminals are leveraging these new activities to collect information about two-factor authentication messages or credentials to spread malware through social network accounts, end quote.

He also sees usability issues. It can be tough for a smartphone user to know what applications are running at any given time, which opens up vulnerabilities to phishing and clickjacking. Quote, malware takes control of the device and presents to the user a login page similar to the one the user intends to use. By doing this, the malware can collect credentials that are later used for spreading malware and performing social engineering attacks, end quote.

Recent studies, notably one from the consultancy CEB,
have suggested that a majority of employees don't generally follow all of their enterprise's breach prevention policies. But that doesn't surprise experts in the security industry. Mike Ahmadi of Synopsys Software Integrity Group told the CyberWire he wasn't surprised because, as he put it, quote, I have indeed been in the same situation. In one case, the IT department simply did not have any failure mode in place to compensate for instances where policies caused a halt in workflow due to any of a number of reasons. I was still expected to get the job done, and the lower-level IT support staff would often suggest a workaround, end quote.

It's not that employees are careless, malicious, or negligent. It's that their enterprises expect productivity. As Ahmadi noted, they don't reward unproductive employees for following data loss prevention policy. Zoltán Györkő, CEO of Balabit, thinks the studies are discouraging and demonstrate a need for real-time monitoring. The lesson seems to be this. If security doesn't come with usability, it will be self-defeating.
Banking malware is also evolving this week. Svpeng, a mobile Trojan Kaspersky has found lurking in the AdSense network, is troubling bank customers. Indian users seem especially affected. Researchers at IBM X-Force warn that TrickBot, a Dyre successor, is using server-side injection and redirection against its targets.

British bank Tesco has brought its operations back closer to normal, but it says £2.5 million were lost to debit card fraud over the past week. The money seems to have gone to crooks in Spain and Brazil. Investigations are in progress and the precise mechanisms of the fraud remain unknown.
Canadian electronic collection policy has become controversial. It's receiving a great deal of scrutiny after allegations surfaced that at least 10 journalists in Quebec came under police surveillance.

If you're a Skype user like us, there's research from the University of California, Irvine, that suggests you may want to think twice before multitasking while you're on that call. We spoke with Professor Gene Tsudik from UCI about potential security vulnerabilities that come from typing on your keyboard while using Skype.
They faithfully transmit the sound from one side to another, right? That's what they're all about. This includes the sounds of the keys being pressed. There's nothing surprising about that. What hasn't been realized until recently is that someone who is taking part in the conversation with you can reconstruct what keys are being pressed. By recording and analyzing the sound of the keystrokes being pressed, we can determine what was typed into the keyboard on the other side of the Skype conversation.

How, with just the sound of the keys being pressed, how can you then convert that into text?

If we know, let's say, the computer that is being used, let's say it's an Apple MacBook Pro, we know that it has a certain type of keyboard. Every time you press a key, it makes a sound, but different keys make different sounds. By training our program to recognize, to map incoming sounds into the key sounds that the keyboard makes, we can determine what key is being pressed. Now, the second possibility is that I don't know what you're using. Oftentimes, especially if we're using video conferencing in addition to audio conferencing, it's actually possible to see the keyboards, especially if they're external. So it might be possible to determine what kind of a keyboard is being used in real time. The other possibility is that I really don't know what you're using. Well, it turns out that there is a finite number of keyboard types out there. So let's assume you're not using some kind of exotic, I don't know, Swahili keyboard. I'm pretty sure you're using a normal, like US English type keyboard. And for each one of them, it is not difficult to build a sound profile. That is, to build a profile of the sounds that individual keys make on that keyboard.

And what degree of accuracy do you get?

What we have done so far is fairly clinical experiments. Clinical, I mean, we try not to have extraneous noise. If we know the keyboard type, the accuracy is in the low 90%. I expected it to be fairly accurate, but I never expected it to be that accurate. But I can almost completely guarantee you that what we have done is known to the hacker community. And surely, if it's known to the hacker community, it's probably known to the intelligence community.

That's Professor Gene Tsudik from the University of California, Irvine.
In industry news, there's some M&A activity to report. Thycotic, backed by Insight Venture Partners, has acquired Cyber Algorithms, a Virginia-based network security analytics shop. No financial details are available, but it's worth noting that Cyber Algorithms is an alumnus of the MACH37 Cyber Accelerator. And California-based Synopsys has agreed to acquire Cigital, a provider of software security managed and professional services. Synopsys will also pick up Codiscope, a Cigital spinoff that provides complementary security tools. Both acquisitions are expected to be completed next month.
Oh, the U.S. held elections yesterday, we heard. Voting was little disturbed by hacking, with high turnout and despite fears of DDoS or manipulation of results. There were reports of some low-grade telephonic denial of service that had very limited effects on both parties' get-out-the-vote ground game. The precautionary DHS all-hands-on-deck appears to have remained just that, precautionary. The information operations mounted from Russia over the course of the presidential campaign will be dissected for months, if not years to come. In the meantime, WikiLeaks' Julian Assange assumes the unlikely mantle of good government advocacy. Tell it to Vlad, Jules. Fears of Russian intervention in European elections, particularly in the Balkans and Central Europe, will now displace worries about voting in America.
Finally, while DDoS may have left the U.S. electoral Internet of Things largely alone, the same can't be said of IoT devices in smart homes over in Finland. Residents of two smart apartment buildings in Lappeenranta, Finland, complained that their heat was off over the weekend. Smart thermostats were being subjected to DDoS, and so kept rebooting, effectively turning off the heat. It's in the teens in Lappeenranta right now, according to the weather reports our stringers like to keep up with. So, baby, it's cold outside. Check those thermostats and stay warm. Not too warm, mind you, just warm enough.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.

Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, you know, I recently visited my doctor's office, my general practitioner. I went in for a checkup. And when I checked in with the doctor, I had, you know, they asked for my insurance card, which I gladly handed over. And then they asked me for my driver's license. And I maybe, you know, paused a little bit for that, but I didn't want to cause any trouble. So I handed over my driver's license and the woman behind the counter took my driver's license and promptly put it in her scanner and scanned it.

Made it part of your electronic medical record.

Right. And so that gave me a little bit of pause. Am I overreacting here or not?
I don't think you are. My personal preference is to not give them that kind of information. My question would be, why do you need my driver's license? And if the answer was, I'm going to scan it and put it in your record, my answer would be, you know what, I walked here. I don't have a driver's license. You know, maybe I would lie, I don't know. I do have...

You're gonna be that guy?

Yeah, I'm going to be that guy. I'm always that guy. Medical records are very valuable on the black market. I think some of the statistics I've heard are that they're like 10 times more valuable than other records because they provide information that doesn't change. ...from somebody and start using that credit card, it becomes pretty obvious that I've stolen the credit card and they cancel the credit card, and the impact to both the customer and the credit card company is minimal. If I steal someone's medical data, I have a lot of information about them. And if that medical data contains their social security number, that's great. Now I can essentially impersonate that person for a very long time. It becomes a much harder problem to solve than a lost credit card.

Yeah. And I was thinking, you know, with this particular doctor, he's part of a group of doctors, which is more popular these days. So, you know, in the old days, he kept all of his medical records right there on site. I actually could see the stacks of records. They'd go and pull a file out that was mine. But now it's all electronic. Who knows where it is?
And obviously there are regulations in there, best practices and all.

There are regulations. HIPAA has a bunch of requirements about how you store that data and how you, like for example, I work at Hopkins, so we have a system that is storing medical data for research, and even though it's medical data that functions for a research purpose, it still has to be secured, and that security includes a camera on the access point, the physical access point. The physical access point has to be locked. People have to be able to log when they go into the physical location. That's a security requirement that you don't see in a lot of other places. But that's part of the requirement for HIPAA. And there's lots of other requirements as well.

Yeah. All right. Well, sometimes maybe it's in your best interest to be that guy.
Right. I think it is. And I'm not afraid to be that guy.
Yeah. Maybe I'm just a little more polite than you, Joe.
Yeah, I'm not.
Maybe. All right. Good talking to you.
My pleasure, Dave.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.