CyberWire Daily - Vault 7 updates—observers speculate about an inside leaker. Pre-loaded Android malware raises supply chain concerns. Ransomware in Japan. Convincing Chrome-spoofing malware. GCHQ warns UK parties to expect Russian influence operations.
Episode Date: March 13, 2017. In today's podcast, we review some speculation about Vault 7 that holds the leaker was an insider. (But there's no specific insider named, yet—the investigation is still in its early stages.) Supply chain security issues are raised by both Vault 7 leaks and discovery of pre-loaded malware in some Android devices. Bitcoin won't get its own ETF, yet. Japanese companies' willingness to "pay to make it go away" is seen playing into the hands of ransomware extortionists. Dr. Charles Clancy from Virginia Tech's Hume Center surveys the end-to-end encryption debate. Novetta's Dr. Corey Petty previews his upcoming Ethereum smart contracts presentation. GCHQ warns Britain's political parties to expect Russian influence operations in the general election.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Vault 7 speculation holds the leaker was an insider,
but there's no specific insider named yet.
Supply chain security issues are raised by both Vault 7 leaks and discovery of preloaded malware in some Android devices.
Bitcoin won't get its own ETF yet.
Japanese companies' willingness to pay to make it go away is seen playing into the hands of ransomware extortionists.
And GCHQ warns Britain's political parties to expect Russian influence operations in the general election.
I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, March 13, 2017.
The Vault 7 leaks look more as if their ultimate source was an insider.
Former CIA Deputy Director Mike Morell expressed no doubt over the matter in appearances on weekend talk shows.
The material could only have come, he said, from strictly controlled and segregated internal networks.
The effectiveness of such control and segregation seems not to have been called into question.
Observers note a disturbing progression: Snowden, Shadow Brokers, Martin, and now persons unknown,
that some say casts doubt on the U.S. intelligence community's security posture.
This induces some, like Vice News, to think a contractor was behind the leak,
but that's a priori speculation only.
The investigation is in its early stages,
and the speculation is coming from informed outsiders, but outsiders still.
It seems there's been no large-scale leak of the hacking tools mentioned in Vault 7 so far.
There's also been no visible movement yet on WikiLeaks' promise to work with software vendors
in a responsible disclosure program to enable them to close those zero days.
Exploitation attempts against vulnerable Apache Struts deployments continue, but Rapid7 reports
that malicious traffic is down.
Patching Apache Struts remains a good idea if you're an enterprise user.
Check Point warns that it's detected preloaded malware in 38 Android phone models issued to employees at two unnamed companies.
The manufacturers were not, Check Point says, responsible. Rather, the bad code appears to have been introduced somewhere along the supply chain.
This is a different matter from other episodes of preloaded malware, which have tended to be traceable to the device's point of origin.
Looking to our CyberWire events calendar, we have two events worthy of your consideration.
Booz Allen is holding a recruiting event in Tysons Corner, Virginia, this Wednesday, March 15th.
They invite innovators, designers, and coders to attend.
This Thursday, March 16th, you can join Delta Risk for a webinar on six lessons learned
from hunting advanced cyber criminals.
You'll find links to register for both on our event tracker at thecyberwire.com slash events.
Malware Hunter reports finding a new and unusually persuasive paycard information stealer.
The malicious app, Betaling, passes itself off as the Chrome browser, and it's a pretty convincing spoof,
at least insofar as look and feel are concerned, even down to a little reassuring HTTPS lock in the corner.
Bad news for Bitcoin arrived Friday as the U.S. Securities and Exchange Commission turned down an application to establish the Winklevoss Bitcoin Trust,
which would have been the world's first Bitcoin exchange-traded fund.
The SEC denied the proposal, essentially because of fears that the fund's value would have been
too dependent on unregulated Bitcoin actors outside the reach of U.S. law and regulation,
and therefore could have been too susceptible to manipulation.
Value of a Bitcoin dropped from about $1,300 to about $1,000 on the news.
Bitcoin's underlying blockchain technology, however, has uses and applications outside
the narrow confines of that cryptocurrency. You can learn more about blockchain and related
technologies next Monday, March 20, when the security community reconvenes at its Jailbreak watering hole,
and that's a physical watering hole, a craft brewery, in Laurel, Maryland, to talk with Novetta about Ethereum and graph databases.
We checked in with one of the presenters,
Novetta blockchain analyst Dr. Corey Petty, for a preview of his presentation.
The Ethereum aspect of what I'm talking about is really about how people interact with the businesses that you create and trying to understand a new framework of how you build it up in regards to trust.
So how you trust your customers, how your customers trust you, and then how they then interact with the product that you create for them.
Ethereum opens up a lot of different ways in which you can do that that aren't based on the traditional client-server model of things. For people who don't know what smart contracts are,
can you give us an overview of what that means? A smart contract can be thought of as a robot.
A smart contract is just a term that they kind of came up with for historical reasons, but
for a high-level purpose, it's programming functionality into something that is going
to be embedded and that it can't change. And then you can interact with that functionality,
much like a robot. So you would program up a robot, give it some type of function. It can do
a certain amount of things. It can handle money. And then you set it out into the wild and then
you interact with that robot at your whim. And other people can also interact with that robot.
And that's kind of the best way or easiest way to kind of absorb what a smart contract does. And so you create these things, you write up a
contract with various functions to do some task and then interact with it. What are the advantages
of a smart contract over, you know, a traditional, you know, pen and paper kind of contract?
A lot of it is that it's written in code and how it works after being deployed.
It will always work that way. It can't be changed. And if it does change, you know that automatically.
A big part of what blockchain kind of promises is this idea of auditing as well as transparency. So
what you're interacting with and how you're interacting with it is very easy to see,
easy to understand. And you know that it hasn't changed since the last time you used it.
I think it's important to share that this technology is very new.
A lot of people hear a lot of buzzwords around blockchain, Bitcoin, Ethereum,
and it seems that it's this panacea to solve a lot of problems.
And we're not there yet.
It's opening up a lot of doors, but it's very infrastructure level.
So you need to build a lot of things on top of infrastructure before you have an end product.
That's Dr. Corey Petty from Novetta. He's also the host of The Bitcoin Podcast.
Network analyst Chris Andreessen will be presenting on graph databases as well.
You can find a link to the event in the CyberWire's event tracker, or visit w3.novetta.com slash
The Japan Times laments ransomware's local successes.
The country's enterprises have seen a wave of targeted ransomware, and Japan Times thinks they're caving in too quickly
because of a strong tradition of what the newspaper calls
pay to make it go away.
GCHQ warns British political parties of coming Russian attempts to influence elections.
Ciaran Martin, chief executive of GCHQ's National Cyber Security Centre, the NCSC,
wrote to parliamentary leaders requesting a meeting during which the intelligence service
could brief them on the threat of Russian online influence operations. He characterized the risk as the, quote,
potential for hostile action against the UK political system, end quote.
He cautioned that it's not only the political parties' networks and systems that are at risk,
but that attacks could extend to, quote, parliament, constituency offices, think tanks, and pressure groups and individuals' email accounts, end quote.
Martin clearly expects Russian influence operations to follow the templates suggested by the DNC hacks
during the last U.S. election cycle.
And I'm pleased to be joined once again by Dr. Charles Clancy.
He's the director of the Hume Center for National Security and Technology at Virginia Tech.
Dr. Clancy, there is this ongoing debate about end-to-end encryption.
You wanted to bring us up to date. What are your thoughts on it, where it stands right now?
Indeed, the topic got a lot of attention about a year ago with the Apple versus FBI lawsuit
and the efforts to get Apple to reveal, or to hack, their own device in order to provide
information to the FBI to support law enforcement.
And the debate has kind of had its ups and downs since then with a number of different pieces of legislation
introduced congressionally from sort of both extremes where sort of one end, operators of
telecommunications infrastructure and services must have the ability to provide keys to law
enforcement under any circumstance. To the other end, which is very much on the civil liberties
and privacy side that sort of prohibits such activity by telecommunications providers.
We're still waiting to see where Senator Warner's proposal for a 9-11 style commission to actually do a thorough analysis of the topic goes.
I think kind of one of the interesting things is that this is not a new debate.
We had this debate back in the 1990s with the Clipper chip. And many of the proposed approaches,
which include things like key escrow and use of threshold cryptography to split up master keys among multiple organizations, so no one entity has sort of supreme power for decryption,
were sort of tested in public opinion back in the 90s and really not found to be really favorable
outcomes. So as these efforts move forward, it'll be interesting to see if we come to a different conclusion this time around.
Perhaps since 9-11, the security versus privacy pendulum has swung in the other direction,
although perhaps since Snowden it swung back the other way.
I guess my point, though, is that there really are no new technologies on the table.
The technologies that are being proposed now are the same technologies that were rejected back in the 1990s. It'll be
interesting to see as the debate continues whether or not we really make any progress on this issue.
What are you seeing in terms of what direction the Trump administration may take with this issue?
That's a great question. Obviously, there's a strong push towards law enforcement and national security within the
Trump administration. Really, all we've seen so far, though, out of the Trump administration are
reports that different federal agencies are using end-to-end encryption as part of their ability to
coordinate internal protests against the new administration, rather than the administration
taking any
definitive actions or putting forward any policies towards the issue itself.
All right, the debate goes on. We'll keep an eye on it. Dr. Charles Clancy, thanks for joining us.
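Dr. Clancy mentions threshold cryptography as one of the 1990s key-escrow designs: a master decryption key split among several organizations so that no single holder can decrypt alone. The block below is an added worked example, not code from the podcast, Dr. Clancy, or any escrow proposal; it implements Shamir secret sharing over the prime field GF(2^255 - 19) and splits a constructed sample key 3-of-5, so that any three holders reconstruct it and any two learn nothing. The key value, the 3-of-5 parameters, and the function names are illustrative assumptions.

```python
"""Threshold key escrow with Shamir secret sharing (added example).

A master key is the constant term of a random polynomial of degree t-1 over
GF(p). Each holder gets one point on the polynomial; any t points determine it
(and so the key) by Lagrange interpolation, while t-1 points are consistent
with every possible key and reveal nothing.
"""
import secrets

# Field modulus: 2**255 - 19 is prime, so any secret below 255 bits is a valid
# field element. A 128-bit or 192-bit symmetric key fits comfortably.
PRIME = 2**255 - 19


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + coeffs[2]*x**2 ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, n_shares):
    """Return n_shares (x, y) points on a random degree-(threshold-1)
    polynomial whose constant term is the secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element below PRIME")
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    # Coefficient 0 is the secret; coefficients 1..t-1 are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) points.

    With at least `threshold` distinct shares this returns the secret. With
    fewer, it returns the constant term of a lower-degree polynomial through
    the points, which is a uniformly random field element: no information.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % PRIME          # product of (0 - x_j)
            den = den * (xi - xj) % PRIME      # product of (x_i - x_j)
        # Fermat inverse: den**(p-2) == den**-1 mod p, since p is prime.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def key_to_int(key: bytes) -> int:
    return int.from_bytes(key, "big")


def int_to_key(value: int, length: int) -> bytes:
    return value.to_bytes(length, "big")


def escrow_demo():
    """Split a constructed 128-bit master key 3-of-5 among five 'organizations'
    and show what a full quorum and a short quorum can recover."""
    # Constructed sample key for the demo only; not a real key.
    master_key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    shares = split_secret(key_to_int(master_key), threshold=3, n_shares=5)
    quorum = [shares[0], shares[2], shares[4]]   # any three holders suffice
    colluders = shares[:2]                       # two holders acting alone
    return {
        "quorum_key": int_to_key(recover_secret(quorum), 16),
        "colluders_get_key": recover_secret(colluders) == key_to_int(master_key),
    }


if __name__ == "__main__":
    result = escrow_demo()
    print("3-of-5 quorum recovered:", result["quorum_key"].hex())
    print("2 holders recovered the key:", result["colluders_get_key"])
```

Two caveats a practitioner would add before using this pattern for real escrow: the shares must be delivered to the holders over authenticated channels and stored with the same care as the key itself, and plain Shamir gives holders no way to detect a corrupted share, which is what verifiable secret sharing schemes (Feldman, Pedersen) add on top of this construction.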
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.