The CyberWire Daily Podcast 2.3.17
Ep 279 | 2.3.17

Jailbreaking or forensics? W-2s and business email compromise. Router vulnerabilities. Windows zero-day. Enterprise security priorities. Iranians cyber ops and Iranian dissent. US-Russian cyber tensions.

Transcript

Dave Bittner: [00:00:03:15] Forensic tools are dumped online after a security firm is breached. The IRS warns that W-2 fraud is being combined with business email compromise. We've got some Cisco router vulnerabilities. A Windows zero-day can produce the blue screen of death. Recent surveys prompt a review of enterprise security spending priorities. The perimeter is down, the endpoint is up, the network visibility is everywhere. Russia's treason trial proceeds. The US sends a good cop, bad cop message or maybe just a mixed message in cyber. Author, Frederick Lane, helps expecting moms and dads avoid cyber traps. And where in the world is Hogwarts?

Dave Bittner: [00:00:47:00] Time for a message from our sponsor, Palo Alto Networks. It's almost impossible to run an organization without the public cloud today and we'd like to tell you about how our sponsor, Palo Alto Networks, can help you utilize any cloud safely and securely. You can find them at go.paloaltonetworks.com/secureclouds. The cloud is no longer just a convenient place, somewhere out there to put stuff. It's an integral part of the way modern enterprises work. Palo Alto Networks understands this and they also understand that securing your data and applications that are distributed across the private cloud, the public cloud, software as a service environments and any number of configurations in between is key. Make sure your data and apps are secured and protected wherever they may be. Palo Alto Networks has the broadest, most comprehensive cyber security for private cloud, public cloud and software as a service environments. They know that secure clouds are happy clouds. So keep yours happy. Get started at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:59:04] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, February 3rd, 2017.

Dave Bittner: [00:02:09:02] The hacker who breached mobile forensic tool provider, Cellebrite, last year has dumped code he (or she or they) claims to have obtained from that company. Cellebrite's main product is the Universal Forensic Extraction Device (UFED), thought to be widely used by British and US police to unlock phones in the course of criminal investigations. The hacker's dump includes tools related to cracking Android, Blackberry and older iOS devices. Motherboard reports that experts say the code looks like jailbreaking exploits adapted to forensic purposes.

Dave Bittner: [00:02:42:05] The declared motive is to demonstrate that such tools, once developed, inevitably find their way into undesirable hands, so observers are reading this as hacktivism directed against the alleged ease with which phone cracking tools can be turned to repressive ends. Cellebrite gained some fame during the FBI investigation of the San Bernardino jihadist massacre; the Bureau appears to have used Cellebrite's technology to gain access to the killer's otherwise inaccessible device.

Dave Bittner: [00:03:10:23] In the US, the Internal Revenue Service warns that criminals are combining W-2 tax form theft with business email compromise in fraud campaigns expected to continue through the end of tax season.

Dave Bittner: [00:03:23:08] Bitdefender and the SANS institute have analysis of Cisco router vulnerabilities likely to be of particular concern with respect to home networks.

Dave Bittner: [00:03:32:11] US-CERT warns of a Windows zero-day that could be exploited to bring about the BSOD, that is the 'blue screen of death'.

Dave Bittner: [00:03:41:19] Several recent studies have been tracking the evolution of enterprise spending on security. There appears to be a shift from prevention to detection, as organizations increasingly see network perimeter defenses as insufficient protection. A survey conducted by Anderson sees not only this shift, but also considerable interest in reducing the problem of false positives. Michael Patterson, Plixer International's CEO, agrees that false positives are a big problem and is driving interest in enterprise visibility.

Dave Bittner: [00:04:11:13] The recent Thales Data Threat Report also tracked enterprise spending in response to perception of threats and vulnerabilities. About a third of the enterprises surveyed consider themselves very vulnerable. Sándor Bálint, Security Lead for Applied Data Science at Balabit, told us he's sympathetic to the security manager's plight. "It's all too easy to chastise organizations for a perceived misalignment of security spending priorities. It's another thing to actually be at the helm and making calls. For many security managers it feels like trying to plug 1,000 holes in a boat while behind you someone's pointing out that the water's rising and you haven't plugged everything yet". His best advice? Once you've got the basics in place, invest in improved monitoring.

Dave Bittner: [00:04:55:22] Iran continues to find cyber operations an attractive means of striking foreign enemies and exerting domestic control. Internationally it gives them a disruptive and destructive reach that's inexpensive and plausibly deniable. Domestically the regime is sensitive to its own vulnerability to dissent and engages in a vigorous program of censorship. An Iranian dissident is taking a pirate-radio-inspired approach to pirate podcasting to circumvent censorship. His California-based, Iran-focused outfit, IranCubator, is soon to launch RadiTo, an Android app designed to enable people to listen to otherwise censored podcasts.

Dave Bittner: [00:05:37:10] Russia proceeds with its prosecution of current and former FSB officers on charges of treasonable congress with the US CIA. This is, as observers note, a case that has potential connections to both corruption and intra-governmental rivalry. It seems an FSB directorate may be undergoing a purge designed to curb its influence.

Dave Bittner: [00:05:58:20] There are some mixed signals from the US with respect to Russian hacking. The US Treasury Department is modifying sanctions against the FSB in ways that would permit US firms to resume selling the FSB certain items, as long as those wouldn't be used in Russian-occupied Crimea. The modifications are said, plausibly, to be the kind of regular reevaluation and tweaking of sanctions Treasury always conducts but it's difficult to see how a geographical restriction might be made to work.

Dave Bittner: [00:06:27:19] Also we're curious about what US companies might actually be interested in selling to the FSB. Okay, we know that the Russian government isn't communist anymore, but it's hard not to be reminded of Lenin's wisecrack that they would hang the capitalists, and the capitalists would compete to sell them the rope. On the other hand, the US Army has announced that it's funding a Ukrainian cyber defense center, and that is surely an extremely unwelcome development in Russian eyes, especially since the Americans say this is intended as another step toward full Ukrainian integration with NATO.

Dave Bittner: [00:07:01:08] For its part, the European Union is preparing for destabilizing Russian cyber operations during this year's national elections.

Dave Bittner: [00:07:10:02] Finally, Dark Reading describes the UK's new school for hackers as a Hogwarts. Located appropriately enough at Bletchley Park, center of British code breaking during the Second World War, the school is intended to train talent for Her Majesty's cyber services. But Hogwarts can't quite be right because there are other such schools out there too. Maybe it's just one house, perhaps Ravenclaw?

Dave Bittner: [00:07:34:11] We mention this because we're pretty sure Gryffindor has opened up about 250 miles north of us, somewhere around the Cathedral of Learning. That's right. The University of Pittsburgh is going into the cyber research and education business. The alumnae on our editorial staff are pleased and proud. So Gryffindor on the Monongahela. We'll let Carnegie Mellon and Penn State decide who wants to be Hufflepuff and who will cough to being Slytherin. After all it's Pennsylvania, the land of pierogi, groundhogs, and white hat hackers.

Dave Bittner: [00:08:10:15] Time to take a moment to tell you about our sponsors, CyberArk, the only security company focused on eliminating the cyber threats that abuse insider privileges. Dedicated to stopping attacks before they stop businesses, CyberArk proactively secures you against cyber threats before attacks can escalate and do irreparable damage. Are you attending this month's RSA conference in San Francisco? Stop by booth 3209 in the north hall to visit CyberArk. You can learn how to protect privileged accounts across the enterprise, on premise, in the cloud and on your endpoints. They'll also be revealing their latest innovations in privileged account security. They're looking forward to seeing you in San Francisco, that city by the other bay, at booth 3209. To learn more about the trusted advisors in privileged account security, visit cyberark.com/cyberwire and by all means drop by at RSA at booth 3209. Once again that's cyberark.com/cyberwire. And we thank CyberArk for sponsoring our show.

Dave Bittner: [00:09:15:05] And joining me once again is Malek Ben Salem. She's the R&D Manager for Security at Accenture Technology Labs. Malek, we wanted to talk today about some of the research you all are doing in regards to embedded devices.

Malek Ben Salem: [00:09:26:13] As you know, especially with the advance of the Internet of Things, embedded devices are becoming increasingly connected. They're being deployed in remote areas where they're exposed to tampering by adversaries and it's hard to protect them using the traditional mechanisms of protection that we rely on, where we assume that the adversary does not have physical access to the device. This is particularly important in the healthcare sector. Think about a hospital, anybody could go in, pretty much and they can go into any patient room, they have access to the medical devices deployed there. If they have a malicious intent, they may be able to modify what the medical device does, and introduce significant damage to the patient.

Malek Ben Salem: [00:10:21:21] In order to protect against those types of attacks and tampering with the devices, we partnered with Johns Hopkins University, with their Healthcare Security Institute, and we tried to come up with security mechanisms that would detect any tampering with the devices. It relies on profiling how a security device works in a particular mode and we built a control flow graph that's dynamically built while that device is operating in that mode. Then in real time we detect if the device starts behaving differently, it basically deviates from the profile that we built for that device. If we detect such deviation, we can either alert the security administrator or just in emergency cases we can stop the device from working.

Dave Bittner: [00:11:21:13] Interesting stuff. Malek Ben Salem, thanks for joining us.

Dave Bittner: [00:11:29:05] A brief pause for a note about us, the CyberWire. Did you know we offer special tailored editions and bespoke security podcasts cut to fit the interests of enterprises? We do. Drop us a line and we'll see what we can do together. It's contactus@thecyberwire.com.

Dave Bittner: [00:11:55:19] My guest today is Frederick Lane. He's an attorney, public speaker and the author of several books dealing with privacy and cyber security, including American Privacy: The 400-year History Of Our Most Contested Right as well as a series of books covering what he refers to as cybertraps, including Cybertraps For The Young, Cybertraps For Educators and his latest, the subject of our conversation, Cybertraps For Expecting Moms and Dads.

Frederick Lane: [00:12:20:07] When I'm talking about cybertraps, what I'm really talking about are things that are unexpected outcomes of using digital devices. Just by way of example, one of the things that I begin with is taking a look at some of the possible physical issues that can arise from the use of technology, and I want to make it absolutely clear, I'm not a physician, don't even play one on TV, but I think if you take a look at the competing research out there, there are some legitimate issues that people should think about. Whether or not for instance there's any issue with respect to exposure to cellphone radiation, either prior to pregnancy or during pregnancy itself. Are there issues in terms of holding a hot laptop on your actual lap when you're either trying to get pregnant or when you're carrying a child.

Frederick Lane: [00:13:17:03] My goal in writing about these things was to give people a checklist of things that they might want to talk to their doctor about. As I said, the point of this is not to give medical advice but to educate people about a range of topics that they really should discuss with a physician during the course of pregnancy.

Dave Bittner: [00:13:42:00] The second section of your book is called Your Little Bundle Of Data and that certainly caught my eye. I like it, it's a clever name. You're outlining ways, even before the child arrives, that parents need to think about, protecting their own privacy and that of the coming child.

Frederick Lane: [00:14:03:01] Right. Believe me, there's a ton of topics that we could spin off from there. I mean, obviously in terms of the privacy of the mother, there's a real premium on the identity of women who are expecting children and there's a good logical reason for that. Retailers and manufacturers know that a woman spending on pregnancy really peaks in the end of the second and the beginning of the third trimester of the baby. What you see is that advertisers are willing to pay a premium, sometimes by a factor of 15 or 20, to get data about women who are pregnant.

Frederick Lane: [00:14:47:04] Beyond that you start getting into these issues of what kind of information are we going to release about the pregnancy or the birth and when are we going to do it. For instance if you're a woman who's working and you're not necessarily sure that you want your boss to know right away that you're pregnant because it might impact your job, that raises issues about whether or not you put information on social media. Or how do you keep your friends from letting the whole world know that you're pregnant before you're ready to do so. That's one piece of it.

Frederick Lane: [00:15:22:04] Another piece that arises, and this is where we start getting into the impact on the child, is that literally from the moment that people start posting material online, they're creating an identity for their child. You can look at this different ways obviously. I was out of the country for about a year and it was really wonderful to be able to see photos of my nieces and nephews and so forth but what I think parents do need to think a little bit about is that when they are creating an online identity for their child, they're having an impact on the child's ability to create their own online profile or their own online identity when they get older.

Dave Bittner: [00:16:12:00] What about the notion that perhaps we're overlaying our own views of privacy on a generation that's coming up that is likely to have a very different view of privacy from us?

Frederick Lane: [00:16:24:11] I think that's a good question. I think it depends to a large extent on how you define privacy. A lot of this discussion is really about terminology and that the appropriate way for us to look at privacy and to define that concept is not so much as a concrete thing. You would say, "well, kids today they don't look at privacy the same way we did, they're different.'' I think that the answer is we actually all have the same basic approach to privacy and that is what we want to be private is really about how we control our information and what choices we make. One of the things that we see with the millennial kids today, and I've watched this with my own guys, is that they have that same desire to control information. They just make different choices than necessarily I would about the information that they're willing to share.

Frederick Lane: [00:17:34:21] Basically, what I think it boils down to is that the right to privacy is really the ability to control who gets access to your information and under what circumstances, and that's something I think we all should agree on.

Dave Bittner: [00:17:51:06] That's Frederick Lane. The book is Cybertraps For Expecting Moms And Dads and you can find it on Amazon. You can learn more at his website, fredericklane.com.

Dave Bittner: [00:18:04:09] And that's the CyberWire. For links to all of today's stories, interviews, our glossary and more, visit thecyberwire.com. Thanks to our sponsors for making the show possible, especially our sustaining sponsor, Cylance. Find out how they can help protect you at cylance.com. You know, hardly a day goes by where someone doesn't approach me on the street and say, "Dave, I listen to the CyberWire every day. How can I support the show?" You know, it's easy. You can recommend us to your friends and coworkers, write a review on iTunes or Facebook or share our show on social media. We really do appreciate it.

Dave Bittner: [00:18:36:23] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. Have a great weekend.