Russian treason arrests may be tied to espionage. ANSSI director warns of cyber jihad. Symantec remediates Shamoon 2. U.S. Cellular was not breached.

Dave Bittner: [00:00:03:16] Updates on the Russian treason arrests, with side suspicions of underworld in-fighting. A principal victim of Shamoon 2 says that it has now recovered. IoT threats and the risk of always-on, always-listening devices. French security officials warn that cyber jihad could enlist cyber mercenaries. Cisco patches its telepresence software. And don’t worry, no-one really got locked into their rooms at that posh Alpine resort.

Dave Bittner: [00:00:33:10] We'd like to take a moment to thank our sponsor, Palo Alta Networks. Feel free to visit them at go.paloaltanetworks.com/secureclouds. You know, businesses and their data are flocking to the cloud. It's no longer just a convenient place somewhere out there to store things. It's become a viable integral part of almost all enterprise level organizations. Palo Alta Networks understands this and the fact that your data and applications are distributed across the private cloud, the public cloud, software as a service environments and any number of configurations in between. Make sure your data and apps are secure and protected wherever they may be. Palo Alta Networks has the broadest, most comprehensive cyber security for private cloud, public cloud and software as a service environments. Because secure clouds are happy clouds. Find out how to secure yours. Get started at go.paloaltanetworks.com/secureclouds. And we thank Palo Alta Networks for sponsoring our show.

Dave Bittner: [00:01:41:04] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, January 30th, 2017.

Dave Bittner: [00:01:51:02] Counter to some expectations late last week, the arrest of Kaspersky security researcher Ruslan Stoyanov has begun to look like an actual espionage case as opposed to the corruption beef many suspected. Sergei Mikhailov , deputy chief of FSB's Center for Information Security, has also been arrested, with Novaya Gazeta and Radio Free Europe reporting over the weekend that the men are charged with passing information to the Americans. A third man, FSB Major Dmitry Dokuchayev was also arrested in the sweep.

Dave Bittner: [00:02:23:20] KrebsOnSecurity thinks the treason dust-up is related to suspicion over who's been leaking unflattering material about Russian leaders to the gadfly blog Shaltay Boltay. That's the Russian equivalent of "Humpty Dumpty."

Dave Bittner: [00:02:37:13] And this in turn, he suspects, is connected to long-running grudges among figures in the Russian cyber-criminal underworld. Novaya Gazeta also reports that Mikhailov is thought to have provided information about hosting service King Servers to US intelligence services. King Servers is owned by Russian national Vladimir Fomenko. His servers were used as a platform for hacks of Illinois and Arizona state election systems in 2016. Those attempts are generally unattributed but are thought by some observers to be connected with Russian security services. Another one of Fomenko's customers was the Russian electronic payment entrepreneur Pavel Vrublevsky, whose company, Chronopay, was implicated in various cyber attacks on Russian companies. Vrublevsky was arrested in 2011 and convicted, in a Russian court, in 2013. Fomenko says he has no connection to any hackers or cybercriminals who might have made use of King Servers.

Dave Bittner: [00:03:33:24] Radio Free Europe says Mikhailov testified in court that he, quote, "knew Vrublevsky and his talents well," end quote. The story is, as they say, developing.

Dave Bittner: [00:03:45:05] Saudi Arabia's Sadara Chemical Company says it, or more precisely, Symantec, hired by Sadara, has completed remediation of the Shamoon attack the company recently sustained. But the Kingdom of Saudi Arabia remains concerned about further infestations, especially since it strongly suspects Iran as the source and origin of the regional malware threat. This suspicion is widely shared. Iran has taken some shots at targets in the US as well, mostly in the financial sector, and one famous intrusion into the controls of a small flood control dam in downstate New York.

Dave Bittner: [00:04:19:17] Iran may have demonstrated some hacking chops, but its Islamist rival, ISIS, so far has not. That happy situation may not last long. Guillaume Poupard, Director of the French security agency ANSSI, warned at a conference last week that, while jihadist groups have so far shown little hacking ability, this could change rapidly should digital "mercenaries" sell the groups their services. The mercenaries could do so inadvertently, given the anonymity of much black-market information sharing. And of course, hacking aside, such groups have shown considerable facility with influence operations.

Dave Bittner: [00:04:56:10] Cisco has discovered and patched a remote code execution vulnerability in its TelePresence Multipoint Control Unit (MCU) software. Fixes are available for the MSE 8510 and 5300 series models. The 4500 model is also vulnerable to the remote code execution flaw, but it won't be patched. It reached its end-of-life last July.

Dave Bittner: [00:05:18:20] Last week we heard allegations that U.S. Cellular had sustained a breach, and we noted that the telecom provider had found no sign that it had been compromised. U.S. Cellular confirmed to us early this morning that the purported breach is bogus. The data posted in hacker for a didn't come from any U.S. Cellular database.

Dave Bittner: [00:05:37:09] And finally, ransomware hit a resort hotel in Austria last week, specifically a picturesque lakeside Alpine four-star hotel. Reports were more-than-a-little breathless, claiming that guests had been locked into their rooms. That didn't happen, and apparently isn't possible, because fire codes require that hotels let you out your room whatever electronic state their locks may be in, as hotel manager Christoph Brandstätter pointed out to Bleeping Computer. Nor were guests locked out, either. Apparently what did happen is that the hotel's ability to make new keys was impaired and that this is what the extortionists held at risk.

Dave Bittner: [00:06:14:10] While not as lurid as initial reports had it, the incident is nonetheless further evidence of the way cyber extortionists are turning to the Internet-of-things as ways of disrupting businesses.

Dave Bittner: [00:06:24:24] In the meantime, don't worry about getting locked into your hotel room. Worry about that free WiFi instead.

Dave Bittner: [00:06:35:22] Just a moment to thank our sponsors, CyberArk, the security company laser focused on stopping the most advanced cyber threats, the ones that exploit insider privileges to attack the heart of the enterprise. Whether they're in the hands of a malicious outsider or an equally malicious insider, privileged accounts can let the bad actors take full control of your IT infrastructure, disable security controls, steal confidential information, disrupt your business and rob you virtually blind. CyberArk delivers the industry's most comprehensive, privileged account security solution, designed equally for on-premise, hybrid cloud, and OT SCADA environments. It secures privilege from the end point to the cloud. Attackers are going to get in. But CyberArk's privileged account security solutions prevent attackers from escalating and doing irreparable business damage. It's time to put privilege first. Learn more at cyberark.com/cyberwire. Once again, that's cyberark.com/cyberwire. And we thank CyberArk for sponsoring our show.

Dave Bittner: [00:07:43:10] Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back, you know, we had a story recently on the CyberWire about this, this little caper that happened with the Amazon Alexa where a news organization in San Diego announced that-- actually we've started calling her, "She who will not be named" so as to not activate her among her listeners.

Joe Carrigan: [00:08:08:13] That's a good policy.

Dave Bittner: [00:08:09:21] Yes, but someone-- this news story summoned the name and many people within their listening area without knowing it, ordered a doll house over, over the thing. Sorry, I wanted to address this issue of these always-on listening devices. There are several of them.

Joe Carrigan: [00:08:26:24] Right, there's the Alexa. You know, you've got the-- I don't wanna say the OK G-o-o-g-l-e 'cause my, my phone's sitting right next to me-- and you've got Cortana from Microsoft. And they're always on and Amazon's done something where they've made the device a separate device that you keep in your home. And I'll tell you as a-- I'm an Amazon Prime member and when this came out, I got a special offer that said you can, you can get an Amazon Echo in your house and we'll sell it to you as an Amazon Prime member early for $99. And I was like, ooh, and I, I-- it sounds very exciting, very cool and I go home and I mention it to my wife and she's go, I can't believe you of all people want to put a bug in your house. And it took my wife telling me that this thing is essentially always listening and you don't know what the-- you know, what it's storing and what it's not storing. Amazon says the only thing they're storing is the information after you say the keyword to open it up.

Dave Bittner: [00:09:25:01] Right. They say that it has like a 60 second buffer and it's not actually sending, you know, your raw audio to Amazon but, you know--

Joe Carrigan: [00:09:33:00] It's sending something to Amazon that represents your raw audio because they're doing a search on it. Whether that's a Soundex that gets processed on the machine in your home or something, it's enough information to understand what you've said.

Dave Bittner: [00:09:49:20] But do you know, it also got me thinking about how, you know, on my laptop computer, you know, like a lot of people I have a piece of tape over the camera on the computer.

Joe Carrigan: [00:09:57:11] I have that too on my laptop.

Dave Bittner: [00:09:59:06] But you can't really do that with a microphone.

Joe Carrigan: [00:10:01:01] No, you can't and that's actually an interesting thing. I've heard at the Department of Defense they open up your new laptop and they disable the microphone right off the bat. That's one of the first things they do. Also at home I have a big old tower PC that is my main PC. I enjoy playing video games so I like to have a nice PC that I can upgrade and swap out parts for. And that's great but it's not exactly a portable machine. These portable machines are essentially not user-serviceable. So when you have a microphone that's built into these portable machines, you have very little control over it. And we've seen that in our research with Matthew Brocker and Steve Checkoway, probably about three years ago, found a way to turn on the older MacBook cameras without notifying the user with a little LED green-- little green LED. What I'd like to see happen, is I'd like to see hardware manufacturers offer a way for me to physically disconnect these devices from the rest of the computer. Not with software but to physically throw a switch and have these things no longer hot as it were.

Dave Bittner: [00:11:09:19] So swinging back to the Alexa, Amazon says you can change the word that summons her so that seems like a pretty good thing to do right off the bat there to protect yourself from people accidentally purchasing things for you.

Joe Carrigan: [00:11:24:07] Right, and there's also parental controls you can put in. I actually have an Amazon Fire TV and my nephews came over one day and now they're four and five and they were just playing with the remote and ordered some video that kind of looked like it might be a good kids video and charged my account 3 bucks, you know.

Dave Bittner: [00:11:44:05] There you go. That's how they get you.

Joe Carrigan: [00:11:45:15] Exactly. It was an inexpensive way for me to learn the lesson to put parental controls on it. You know, everybody in my house knows the parental control codes but my four year old nephew doesn't. So, yeah, it's a matter of what-- you know, the kind of security that you need to be usable.

Dave Bittner: [00:11:59:07] Alright, Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:12:01:03] My pleasure, Dave.

Dave Bittner: [00:12:04:12] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors for making the show possible, especially to our sustaining sponsor, Cylance. For more information about how Cylance can help protect you, visit cylance.com. I want to thank everybody who listens to us every day and welcome all of our new listeners as well. We hope you'll recommend our show to your friends and coworkers and consider rating the show and writing a review on iTunes. It really does help new people find the CyberWire. So thanks. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.