In today's podcast, we hear about cyber and information operations in Eastern Europe that look disturbingly like battlespace preparation. The FBI finds that the scope of the Democratic Party hacks is much greater than initially believed. The Bureau seems ready to ask for more authority to unlock devices, but opponents point to Microsoft's inadvertent leak of Secure Boot keys as an object lesson in why that's a bad idea. USENIX proofs-of-concept include Linux and car-hacking exploits. Samsung Pay is criticized as vulnerable to token skimming. Senior Law Analyst Ben Yelin outlines the FBI's request to expand the reach of National Security Letters. Deputy Director Rick Lipsey explains the mission of the ISAO Standards Organization. New ransomware features disappearing extortion emails. And how do you solve a problem like Pokémon-GO?
Dave Bittner: [00:00:03:18] Australia's census issues persist. Russia begins to talk about Ukrainian provocation in the Crimea. The scope of the Democratic Party hack is now thought to be far wider than previously imagined. As the FBI prepares to ask for more ability to unlock devices during investigations, Microsoft is found to have inadvertently disclosed the golden key to a Secure Boot backdoor. Samsung Pay may have a token skimming issue. A new form of ransomware abuses Mailinator. And Pokémon GO continues to give people fits.
Dave Bittner: [00:00:40:02] Time to take a moment to tell you about our sponsor, Cylance. Are you looking for something beyond legacy security approaches? If you are, and who isn't, you're probably interested in something that protects you at machine speed and that recognizes malware for what it is no matter how the bad guys have tweaked the binaries, or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance: artificial intelligence, real threat protection and we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:36:10] I'm Dave Bittner, in Baltimore with your CyberWire summary for Thursday, August 11th, 2016.
Dave Bittner: [00:01:42:10] Australia's Bureau of Statistics remains convinced its online census platform was taken down by distributed denial-of-service attacks, although some a priori skepticism persists in security industry circles, that the Bureau simply wasn't prepared to handle the traffic it received as a bunch of procrastinators all jumped on the net at once. There's no attribution, and the motive is thought to be the obvious one: disrupting the census. The Australian Signals Directorate is investigating, and working to ensure the security of the site.
Dave Bittner: [00:02:11:00] The census, which is taken every five years, has been controversial in recent rounds as Australians resist being counted and categorized. Our favorite from the last one was the bloke who identified himself as "Batman" and dutifully reported his address as "Stately Wayne Manor."
Dave Bittner: [00:02:26:21] Russia's President Putin has been drawing official attention to alleged Ukrainian provocations in and around the Crimean province Russia seized from its neighbor in 2015. This hasn't yet manifested itself in cyberspace, but it's expected to do so as battlespace preparations proceed. Observers find this development disturbing: the informational tends to foreshadow the kinetic.
Dave Bittner: [00:02:50:03] In the US, the FBI is expanding its investigation into the hack of the Democratic Party. It's now believed more than a hundred groups and party officials were compromised. Investigators speaking on background to the media no longer bother with coyness about attribution—they are calling the actors "the Russians." Suspicions are again turning to the homebrew server used by former Secretary of State Clinton, but this remains speculation. As FBI Director Comey remarked, if the people who were after that server were as good as they're thought to be, their spoor won't be easy to track.
Dave Bittner: [00:03:21:01] Director Comey is also signaling that he plans another push to induce Congress to give the Bureau more expansive authorities, or abilities, to unlock devices presently inaccessible to investigators. He believes security and privacy can achieve a kind of technical peaceful co-existence. We'll hear a bit later from Ben Yelin of the University of Maryland's Center for Health and Homeland Security; he'll discuss the FBI’s efforts to expand the reach of National Security Letters.
Dave Bittner: [00:03:46:17] But in the meantime we note that opponents continue to oppose giving the FBI, or other law enforcement agencies, a backdoor they could open at will, even with the due process safeguards of warrants, national security letters, and the like. Privacy advocates and techno-libertarians point to a development that they think shows why backdoors are inevitably a bad idea. Microsoft has inadvertently leaked its Secure Boot "golden key," effectively a backdoor that bypasses protections and enables the possessor to unlock any device protected by Secure Boot. The moral, they say, is that backdoors undercut security for everyone. Observers see the incident as a cautionary tale for policymakers. Microsoft is working on recovery and remediation.
Dave Bittner: [00:04:29:24] There's much discussion of the sharing of threat information, intelligence and best practices and establishing standards for how best to do that. To learn more, we spoke with Rick Lipsey, Deputy Director of the ISAO Standards Organization.
Rick Lipsey: [00:04:42:21] So the administration signed out an executive order, 13691, in February of 2015, promoting private sector cyber security information sharing. And to do that they proposed the establishment of information sharing and analysis organizations, ISAOs, to promote the establishment of these organizations and to establish standards and guidelines for how they would be established and how they would be operated. The government also called for the establishment of a non-governmental standards organization, and so that's who we are, the ISAO Standards Organization. We're comprised of representatives from the University of Texas at San Antonio, LMI, which is a not-for-profit government consulting firm, and RCIS, the Retail Cyber Intelligence Sharing Center.
Dave Bittner: [00:05:36:19] According to Lipsey, spreading information among the cyber community is critical for success.
Rick Lipsey: [00:05:41:09] When you look at the totality of our cyber ecosystem, there is hardly a business or an organization that exists today that does not depend on the cyber environment. And yet for many they don't have access to actionable cyber threat intelligence information and, for some, even if they did have the access, they wouldn't know how to use that. What we hope to promote through ISAOs is an opportunity for communities of interest to come together to share that type of actionable information and to exchange best practices.
Dave Bittner: [00:06:18:14] There's a community-building aspect as well, not unlike crime fighting efforts in previous generations.
Rick Lipsey: [00:06:24:03] In the 1970s this country started seeing a real increase in crime in our neighborhoods and, as a result, many neighborhoods started establishing a neighborhood watch program. We have the same thing going on in the cyber security environment, and ISAOs are like a cyber security neighborhood watch program that can help us address those concerns. The real power of this comes when you consider the establishment of dozens or hundreds of ISAOs that are then on a voluntary basis exchanging actionable cyber threat information and best practices. The ecosystem as a whole is better served through voluntary actions to promote information sharing than attempting to legislate it or mandate it through regulation. We believe there is a strong and growing consensus that encouraging this type of voluntary information sharing, which has obvious benefits to individual members and to the ecosystem, to our country as a whole, is going to be very attractive.
Dave Bittner: [00:07:37:06] That's Rick Lipsey, Deputy Director of the ISAO Standards Organization. They're hosting a public forum in Tysons, Virginia at the end of August and you can find out more about that on their website ISAO.org.
Dave Bittner: [00:07:51:00] A Linux TCP flaw, apparently in place since 2012, exposes Internet users to off-path exploitation, like a man-in-the-middle attack, only with no-one in the middle. Researchers from the University of California at Riverside and the US Army Research Laboratory demonstrated a proof-of-concept exploit yesterday at USENIX.
Dave Bittner: [00:08:10:20] Also being demonstrated this week at USENIX is another series of car hacks. This time the exploit affects the keyless entry systems of, the researchers advertise, more than a hundred million vehicles. Volkswagen is getting the press attention, including its Audi and Škoda subsidiaries, but a second vulnerability affects cars built by Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.
Dave Bittner: [00:08:35:15] Samsung acknowledges there's a token skimming issue in Samsung Pay, the company's mobile payment system, but the device manufacturer says exploitation is too far-fetched to worry about.
Dave Bittner: [00:08:46:24] Tripwire reports on R980 ransomware. It has a lot of familiar crypto ransomware functionality, but it also abuses Mailinator the better to coerce its victims. Mailinator is a legitimate app that deletes email after a specified time. If you don't pay up on schedule, you'll find that the email directing you to recovery has disappeared.
Dave Bittner: [00:09:08:17] F-Secure takes a look at the ransomware criminal economy and suggests a somewhat different approach for victims. Instead of either paying or stonewalling the extortionists, why not negotiate with them? After all, F-Secure says, you've got little to lose from trying, and it seems many, perhaps most, of the criminals are open to negotiation.
Dave Bittner: [00:09:28:08] An op-ed in Wired is calling for a code of ethics that would introduce some voluntary order and standards into augmented reality games, of which Pokémon GO is Wired's exhibit A. The editorialist fears, among other things, that developers pay insufficient attention to the social justice and safety implications of the games—why, she asks, should game developers not be held to account for stalking, and why should they be held as having no responsibility for ensuring equality of access to the game in underserved areas? Cultural historians may wish to compare Dr. Fredric Wertham's "Seduction of the Innocent" published by Rinehart and Company in 1954. It included a similar analysis of the social implications of comic books.
Dave Bittner: [00:10:12:24] But there is, finally, no shortage of places and agencies who would love to be underserved. Thailand's telecommunications authority has ruled temples, schools and the Royal Palace grounds off-limits, and authorities are warning people not to walk onto busy freeways, off cliffs, or into literal minefields. And bad news for trainers in the UK: MI6 has put a stop to the placement of pokéstops and pokémon gyms in its headquarters. But, say, we thought the hackers blew that building up in "Skyfall?" Anyway, all we can do is say, "Don't choose that, 007." We're looking out for you, Q.
Dave Bittner: [00:10:53:14] Time for a message from our sponsor, ClearedJobs.net. Who doesn't like to take the next step in their career? If you're a cyber security professional in the South West, think about attending the free cyber job fair at this year's Cyber Texas Conference, coming Tuesday, August 23rd, at the San Antonio Convention Center. Organized by ClearedJobs.net, the veteran-owned outfit that matches security professionals with rewarding careers, the cyber job fair is free and open to all cyber security professionals with and without an active clearance. And college students studying cyber security are welcome too. Connect face-to-face with industry leaders like Lockheed Martin, Booz Allen Hamilton, and the Los Alamos National Laboratory. And tune up your resume and get free career coaching from expert coach and Army veteran, Bill Branstetter, author of the Six Second Resume. To learn more, visit clearedjobs.net and click job fairs in the main menu. That's clearedjobs.net. See you in San Antonio and we thank ClearedJobs.net for sponsoring our show.
Dave Bittner: [00:11:55:12] And joining me once again is Ben Yelin, he's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, we saw a story recently, a lot of I would say breathless headlines were saying that the FBI wants more power to spy on your browser history. The FBI is pushing to expand their national security letter authority. What's going on here?
Ben Yelin: [00:12:18:04] So the FBI is working with key senators, Senator John McCain of Arizona and John Cornyn of Texas, on a bill to expand the power of National Security Letters. I know, Dave, we've talked about this before. National Security Letters are an administrative subpoena that a government agency can use to get information on electronic communications and all other types of communications without a warrant; this is an administrative subpoena. One of the big issues for civil libertarians is that these orders come with a gag order. Even though these gag orders are reviewed annually, if you are a telecommunications provider and you receive one of these orders you are forbidden from talking about it. The Senate proposal would grant the FBI power to access electronic communications transactional records, which include a user's browsing history, as well as other online records. This is a new authority under the National Security Letter statute and would give the FBI wide latitude in getting not just website information from Internet service providers, the metadata of who is visiting, but also personal information, browser history, which can reveal a lot of private details about people's lives.
Dave Bittner: [00:13:37:18] Why is the FBI pushing for this? Is it a matter of velocity that they don't want to be slowed down by the process of getting warrants? What's their story?
Ben Yelin: [00:13:47:08] I think that's a large part of it. The National Security Letter is a very useful tool for the FBI because there is no involvement from the judicial branch. There's no prior judicial approval for National Security Letters. So it is a way of accessing information with expedience, and they have become far more prevalent in the last 15 years post 9/11. So it will be interesting to see how the Senate, which is I think evenly divided on this issue, will come down. I think we are going to see a very vigorous debate.
Dave Bittner: [00:14:18:18] All right, we'll keep an eye on it. Ben Yelin, thanks for joining us.
Dave Bittner: [00:14:23:18] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.