Vulnerable peer-to-peer software exposes consumer and small-business IoT devices to compromise. A hacker says he’s hacked automotive GPS trackers, all for the good, of course, and could even turn off a car’s engine. Not, you know, that he would. Sri Lanka warns of the possibility of more violence, and journalists wonder if prior restraint of certain speech might be worth considering. Curating app stores for security. And potty-mouthed eScooters on Brisbane streets. Joe Carrigan from JHU ISI on Facebook’s continuing privacy violations, potential FTC fines and PR woes.
Dave Bittner: [00:00:03] Vulnerable peer-to-peer software exposes consumer and small business IoT devices to compromise. A hacker says he's hacked automotive GPS trackers - all for the good, of course - and could even turn off a car's engine - not, you know, that he would. Sri Lanka warns of the possibility of more violence. And journalists wonder if prior restraint of certain speech might be worth considering. Curating app stores for security. And potty-mouthed scooters on Brisbane streets.
Dave Bittner: [00:00:36] Time for a message from our sponsor, Bandura Cyber. Are you using threat intelligence, or is threat intelligence using you? Threat intelligence gateways, or TIGs, are an exciting emerging network security technology that take the heavy lifting out of making threat intelligence actionable, operational and useful. TIGs aggregate IP and domain indicators of compromise from an unlimited number of sources, such as DHS, information-sharing groups like FS-, MS- or ONG-ISAC, commercial sources like Webroot and Anomali, or even your own internal IoCs from your SIEM or TIP. With the need for multiple sources and views of threat intelligence now more important than ever, and with existing solutions' limited ability to ingest and block third-party IoCs at scale, TIGs make taking action with massive volumes of threat intelligence easy. Get the definitive guide to this next-generation technology, operationalizing threat intelligence and in-depth guide to threat intelligence gateways at banduracyber.com/cyberwire. A bonus - it's written by our friends at Bandura Cyber. They're the company that started the TIG category. And it's free. Again, that's banduracyber.com/cyberwire. And we thank Bandura Cyber for sponsoring our show.
Dave Bittner: [00:01:59] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 29, 2019.
Dave Bittner: [00:02:07] There are two reports of vulnerabilities that are of general interest as the week opens. First, researcher Paul Marrapese has published his discovery - responsibly disclosed, it should be noted - of a vulnerability in the LnkP2P software widely bundled with IoT devices. It's essentially a lack of authentication and encryption in peer-to-peer sharing, and it exposes many such devices to compromise. The affected systems include web-enabled cameras, DVRs, baby monitors and smart doorbells - the sorts of things consumers might wish to access via their smartphones. The sharing makes it easy to do so. Unfortunately, it also makes it easy for the devices to overshare with ill-intentioned outsiders who have no business in those systems in the first place.
Dave Bittner: [00:02:53] Motherboard says that a hacker going by the name L&M maintains the ability to exploit automotive GPS trackers made by Protrack and iTrack to affect cars remotely, including, in some cases, turning off engines while the vehicles are in motion. L&M says he hasn’t actually done that because he's a good guy and isn't interested in hurting individuals - only companies. So one imagines that drivers have got at least that going for them. But if the claims are borne out, as they seem to have been, at least in part, there are some serious issues with the way GPS tracking is implemented in on-board automotive systems.
Dave Bittner: [00:03:31] Sri Lanka's nationwide investigation of the Easter Sunday jihadist massacres continues with tragic results over the weekend. During a police raid on a suspected jihadist cell, the AP reports, militants opened fire and then set off a bomb, killing 15 in and around the building in which they were cornered. Several children are among the dead.
Dave Bittner: [00:03:52] Sri Lanka's response to the attacks has involved close attention to the killer's activities online, although in this case, much of the coordination appears to have been accomplished in the face-to-face contacts more traditional with terrorist cells. The authorities are warning that the threat is far from contained, as shown by this weekend's blast and the quantities of bomb-making material police have seized.
Dave Bittner: [00:04:13] It's become clearer that the government in Colombo had warnings that might've enabled them to interdict the massacres, had they been acted on. Indian intelligence services in particular are said to have shared fairly extensive and explicit indicators and warnings of attack. Sri Lanka's response has been intense, but foreign observers are generally giving it poor marks for effectiveness. That's perhaps understandable, given the shocking nature of the attacks.
Dave Bittner: [00:04:42] A journalist makes the case in WIRED for regulating social media. It's not so much, stop me before I tweet again, as it is, stop them before they speak again or post again. It's a curious and relatively newfound tenderness many in the media are showing for the sort of prior restraint that not too long ago they'd have ruled out at once. The concern is prompted, to be sure, by the malign use to which online communication has been put by terrorist groups and loose collections of extremist misfits. How such regulations might play out remains to be seen. Here's one suggestion that doesn't appear in the WIRED essay. The police are just as free to read the newspapers as anyone else, and open source intelligence drawn from social media and elsewhere can be used for public safety. That's what India's intelligence services appeared to have done in the runup to the Sri Lanka massacres. It’s a sorrow better use wasn't made of their warning.
Dave Bittner: [00:05:38] App store curation continues to pose challenges. Google is purging its Play Store of applications contributed by China-based software shop DO Global after researchers reported last week that the Chinese company's products were implicated in widespread ad fraud. As Gizmodo notes, the dozens of DO Global apps affected by Google's sweep have been installed somewhat more than 600 million times.
Dave Bittner: [00:06:04] Apple, whose store tends to be more tightly curated and controlled, is also working to restrict certain kinds of apps. Cupertino has decided to keep most parental control apps out, and that's proving controversial. These form, in most respects, a subset of the mobile device management sector, given the high rate at which minor children are now equipped with phones and tablets. Apple defends its exclusion of parental controls apps on grounds of security and privacy. It's just too easy for such apps to collect more than they should, to overshare and to have poorly vetted security. That's not to say they're an inherently dodgy section of the market, but they probably merit some extra scrutiny. Parents, of course, want parental controls. And some vendors are ready to sell them, and they're not entirely happy with Apple's stance, reasonable as that stance might appear from a certain viewpoint. Kaspersky Lab, for one, sees it as a case of monopolistic restraint of trade and has filed an antitrust claim in a Russian court.
Dave Bittner: [00:07:05] And finally, don't believe everything a smart device says. HackRead has a note on a pointless act of cyber vandalism, apparently done for the lulz. Electric scooters being tested in Brisbane had their audio files replaced, so the scooters now share dimwitted, lewd wisecracks aloud. These particular scooters have been withdrawn - for now - from testing, with the manufacturer, Lime, scolding, it's not smart, it's not funny and is akin to changing a ringtone. It's disappointing that someone has taken this opportunity to poke fun at members of the community in a hurtful way. We're pretty much with Lime on this one. So if you hear an eScooter say things like, pull my hair, don't act on the request. It's just some jerk talking through the scooter, friend, and not the rider.
Dave Bittner: [00:07:58] Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire. And you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good, as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.
Dave Bittner: [00:09:07] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, great to have you back.
Joe Carrigan: [00:09:14] It's good to be back, Dave.
Dave Bittner: [00:09:15] You are also my co-host on the "Hacking Humans" podcast.
Joe Carrigan: [00:09:17] I am.
Dave Bittner: [00:09:17] People should check that out.
Joe Carrigan: [00:09:18] They should if they haven't done so already.
Dave Bittner: [00:09:20] (Laughter) So today, we are going to talk about Facebook. And you wanted to hit on some adjustments that Facebook has made to some numbers.
Joe Carrigan: [00:09:29] (Laughter) Right. Yes.
Dave Bittner: [00:09:30] Go on.
Joe Carrigan: [00:09:30] Now, a couple of weeks ago, I was on here talking about the fact that Facebook was logging user credentials in plaintext, including their passwords.
Dave Bittner: [00:09:40] Right.
Joe Carrigan: [00:09:40] And they had logged some large number. And they were - Facebook was kind of downplaying it, saying, no, no, this is not a big deal.
Dave Bittner: [00:09:47] Yeah.
Joe Carrigan: [00:09:47] These numbers didn't breach out.
Dave Bittner: [00:09:48] As they do.
Joe Carrigan: [00:09:49] Right. Well, Naked Security has an article from the 19 of April saying that Facebook is now saying, oh, we logged a hundred times more Instagram passwords in plaintext than we thought.
Dave Bittner: [00:10:01] A hundred times more.
Joe Carrigan: [00:10:03] Hundred times.
Dave Bittner: [00:10:04] Several orders of magnitude.
Joe Carrigan: [00:10:06] Yes, two - two of them.
Dave Bittner: [00:10:08] (Laughter).
Joe Carrigan: [00:10:08] See, here's the thing about these breaches.
Dave Bittner: [00:10:09] Yeah.
Joe Carrigan: [00:10:10] They very rarely - in fact, I can only remember hearing about one that was, oh, it's not as bad as we thought it was; we actually lost less data. Every time I hear about these things - you hear about - the news cycle breaks, and they've lost a million passwords or a million people's information.
Dave Bittner: [00:10:27] Right.
Joe Carrigan: [00:10:27] And then you hear another week later, OK, we've looked into it more; we've actually lost 10 million or 50 million or, in the case of Facebook, a hundred times more. These things never get smaller, almost never get smaller.
Dave Bittner: [00:10:39] Yeah.
Joe Carrigan: [00:10:39] They almost always get bigger.
Dave Bittner: [00:10:41] What do you make of this? I mean, these organizations, they're now required to report within a certain amount of time.
Joe Carrigan: [00:10:47] Right.
Dave Bittner: [00:10:47] So they have to get information out there.
Joe Carrigan: [00:10:49] Right, yeah. Well, that...
Dave Bittner: [00:10:50] So that - people say that's part of it.
Joe Carrigan: [00:10:52] That might be part of it; that there might be regulations, like GDPR, that just make - that compel Facebook to tell people what they know immediately.
Dave Bittner: [00:10:59] Yeah.
Joe Carrigan: [00:11:00] And then kind of slowly dribble out this information as they discover it.
Dave Bittner: [00:11:03] Right.
Joe Carrigan: [00:11:04] And if they're complying with regulation, you know, what are you going to do?
Dave Bittner: [00:11:07] Yeah.
Joe Carrigan: [00:11:07] But I think it's interesting also that this past week, The Wall Street Journal said that when Facebook released its earnings report, that they have set aside $3 billion for anticipated fines from the FTC.
Dave Bittner: [00:11:19] What about this notion that big companies like Facebook have to be broken up - that, you know, they're the modern robber barons, that they're running a monopoly, and for the good of the nation and the good of the world, we need to split them up into pieces?
Joe Carrigan: [00:11:31] So there's a couple of things that, from my rudimentary understanding of monopoly law - which is not good, and I'm not a lawyer.
Dave Bittner: [00:11:37] (Laughter).
Joe Carrigan: [00:11:37] But one of the big problems with calling them monopolies is that there is essentially no barriers to entry, right? You know, railroads are a monopoly because I can't go out and build a railroad easily, right?
Dave Bittner: [00:11:49] Yeah.
Joe Carrigan: [00:11:49] There's a significant barrier to entry. But I can go out and certainly build a social media network real easy. This is why I was always saying that Microsoft wasn't a monopoly, despite the fact that 90% - more than 90% of the people who had computers used Microsoft. There were free alternatives like Linux and FreeBSD out there; that's not a monopoly. People were just making a market decision. But when you talk about being too big - like, for instance, Facebook has gone out and they've bought up Instagram.
Dave Bittner: [00:12:16] Right.
Joe Carrigan: [00:12:17] And the FTC approved that, and the FCC approved that.
Dave Bittner: [00:12:20] Yeah.
Joe Carrigan: [00:12:20] Or somebody approved it. I'm not so sure that's in the benefit of the consumer, you know. These companies going out and acquiring each other, it doesn't provide a competitive environment. I think that should definitely stop. So in terms of breaking them up and breaking Facebook back up into its constituent parts, I wouldn't be upset by that at all. But what are you going to do with Twitter? Twitter is just Twitter.
Dave Bittner: [00:12:42] Yeah.
Joe Carrigan: [00:12:43] Right?
Dave Bittner: [00:12:43] Yeah. I don't know. I guess I just can't help having this feeling, like, we can't continue down the same path that we're on; that some something has to change, whether it's from within Facebook and Twitter or regulations have to come down on them - just in trouble.
Joe Carrigan: [00:12:57] Or - here's a $3-million idea.
Dave Bittner: [00:12:59] Yeah.
Joe Carrigan: [00:12:59] So we can start a new social media site that doesn't track all the data and tries to be a good corporate citizen.
Dave Bittner: [00:13:05] Yeah.
Joe Carrigan: [00:13:06] Market it that way.
Dave Bittner: [00:13:07] Yeah. I sincerely wonder why that hasn't happened.
Joe Carrigan: [00:13:10] Yeah, me too.
Dave Bittner: [00:13:10] Someone - has it not been - has someone run the numbers, and it's not financially viable?
Joe Carrigan: [00:13:14] Could be.
Dave Bittner: [00:13:16] Is it that the - because I believe there is a barrier to entry, and I think that is that everybody's on Facebook.
Joe Carrigan: [00:13:22] Right.
Dave Bittner: [00:13:22] So how are you going to get everybody to move over? How are you going to get enough people to move over, when Facebook has hit critical mass - where that's where everybody is, that's where all the pictures are, that's where all the events are? That's - you know, how do you pull people away from that? I think it's easier said than done.
Joe Carrigan: [00:13:36] Probably.
Dave Bittner: [00:13:37] Yeah. All right. Well, we've solved all the world's here today, Joe.
Joe Carrigan: [00:13:40] Right. Yeah, we have.
Unknown: [0:13:40] (LAUGHTER)
Joe Carrigan: [00:13:43] I think we just resigned ourselves to the situation.
Dave Bittner: [00:13:46] Yeah, yeah. All right. Well, always good having you here.
Joe Carrigan: [00:13:49] It's always good to be here, Dave.
Dave Bittner: [00:13:50] All right, take care.
Joe Carrigan: [00:13:50] Thanks for having me.
Dave Bittner: [00:13:51] Joe Kerrigan, thanks for joining us.
Joe Carrigan: [00:13:53] My pleasure.
Dave Bittner: [00:13:57] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT - the leading insider threat management platform. Learn more at observeit.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:14:39] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell. Our staff writer is Tim Nodar; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Pioneered in part with the U.S. Department of Defense, the Bandura Cyber Threat Intelligence Gateway enables organizations of all sizes to fortify their network defenses, automate threat intelligence, and maximize their current security investments. Learn more at banduracyber.com.
Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com.