Breach reactions. Attention grid substations: squirrels, and snakes, and monkeys, oh my...

Dave Bittner: [00:00:03:21] Old breaches get new legs, courtesy of bots, password re-use and criminal ballyhoo. Point-of-sale malware, phishing, DDoS, and ransomware are still the big four of cyber crime.

Dave Bittner: [00:00:14:08] Some innovative companies attract encouraging amounts of venture capital. What some recent court decisions have to say about mobile location data.

Dave Bittner: [00:00:21:12] Finally, when thinking of security, don't stop at cyber. Remember that we all live in a physical space and we hesitate to even think about what the cameras around electrical substations might show us. I mean, now we've got to worry about monkeys?

Dave Bittner: [00:00:36:07] Today's podcast is made possible by ThreatConnect. Join their free webinar and learn how security incidents happen at the seams, between tool and teams and how you can unite your people, processes and technologies behind an intelligence driven defense. Sign up today at threatconnect.com/webinar.

Dave Bittner: [00:00:59:03] I'm Dave Bittner in Baltimore with your CyberWire summary and week end review for Friday, June 10th, 2016.

Dave Bittner: [00:01:06:02] Old breaches, those that LinkedIn, MySpace, and Tumblr, in particular, continue to show new life, turning out to be bigger and more exploitable, to some extent, because of widespread user practices like password re-use. Some companies, Netflix prominently among them, are proactively looking through the millions of compromised credentials, to find email addresses and passwords reused by their customers and they're warning the customers whose data they find to change their passwords.

Dave Bittner: [00:01:33:05] We've received a number of reactions from security experts, to the fallout of these old breaches. The case of Twitter is one they find particularly interesting, given Twitter's clear statements that it hasn't been hacked itself. Lastline's Craig Kensek told us, "It would take more than 140 characters to give comprehensive advice to Twitter account holders. Have strong, unique passwords for each site. Change passwords on a regular basis. Use multi-factor authenticator. Use a password manager." As an aside, we applaud Mr Kensek for putting that advice into 139 characters.

Dave Bittner: [00:02:06:19] Other experts give similar advice. Brad Bussie, Director of Production Management at STEALTHbits Technologies told us, "If what Twitter is saying is true about not being breached, we have an aggressive form of endpoint malware on our hands." He thinks the incident offers a wake-up call about the value of password managers and multi-factor authentication. "Remember," he tells us, "there are bots on the Internet that are trying usernames and passwords from other breaches 24/7, to see where else the credentials might grant access."

Dave Bittner: [00:02:37:10] We also received some reassuring perspective from InfoArmor's Chief Intelligence Officer Andrew Komarov. Komarov's aware of the risks, but he advises people to stay calm and remember that crooks are crooks. He told us, "All this data is from third party sources and botnets and in 80% it is fake, or generated and that's why we suggest that people be calm." He says that the best way to understand this sort of incident is as a form of criminal speculation. The crooks, after all, are in it for the money. It's not as if they're disinterested security researchers.

Dave Bittner: [00:03:11:00] There's been another large breach reported by the way, this one from the uTorrent forum, which has told its members to reset their credentials. A database containing 385,000 usernames and passwords has been compromised.

Dave Bittner: [00:03:26:24] Today's podcast is made possible by E8 Security; Detect, Hunt, Respond. E8 security is transforming the effectiveness of enterprise security teams. Read their informative white paper, a unified use case for preventing unknown security threats, at e8security.com/dhr.

Dave Bittner: [00:03:53:00] Joining me once again is Markus Rauschecker. He's from the University of Maryland Center for Health and Homeland Security. Markus, I saw an article recently in Engadget and it was outlining how courts are saying that police don't need warrants for phone location data. What can you tell us about this development?

Markus Rauschecker: [00:04:01:10] Yes. The US Court of Appeal for the Fourth Circuit came down with an important decision and now gets the Fourth Circuit in line with the other circuits in the country. The decision basically said that, cell phone location data is not subject to Fourth Amendment protection.

Markus Rauschecker: [00:04:24:16] As you might know, when a user of a cell phone makes a call or text, certain .dat data, of course, gets transferred over a cell phone tower and a service provider like Sprint, or 18T, or Horizon will be able to see the rough location of where a call is coming from, or where a cell phone that's being used to make the call, or to text is located, based on which tower that cell phone is connecting to.

Markus Rauschecker: [00:04:53:04] That kind of information now, according to the Fourth Circuit Court of Appeal, cannot be protected by the Fourth Amendment. That is available to the Government. The Government can get this information from the cell phone service provider without a warrant.

Dave Bittner: [00:05:07:23] In the article, it said that volunteering your position information means that you've given us what is referred to as a reasonable expectation of privacy. I see that phrase used in a lot of these legal briefings. But that sense of a reasonable expectation of privacy, is that something that's evolving as our mobile devices learn more and more about our personal lives?

Markus Rauschecker: [00:05:31:07] Yes, you're quite right. This reasonable expectation of privacy is the general test of whether or not a warrant is required by the Government. Generally speaking, if a person has a reasonable expectation of privacy, in certain information, then the Government will need a warrant to get access to that information. The Government can't just come in and take that.

Markus Rauschecker: [00:05:52:03] A good example, of course, is our home. We have a reasonable expectation of privacy within our home; the Government can't just come in and search our homes without actually getting a warrant first. That is what the Fourth Amendment protects.

Markus Rauschecker: [00:06:05:14] When we're talking about technology, this concept of what is a reasonable expectation of privacy certainly seems to be evolving. We certainly seem to be sharing a lot more information about ourselves online, in social media. We're texting pictures and other ideas that we have, we share them all over the place.

Markus Rauschecker: [00:06:24:19] Of course, the courts have said that, it's much more appropriate for Congress to decide where to draw the line, where this reasonable expectation of privacy rests, than it is for courts to make that policy. But we'll have to see how things develop as the technology develops.

Dave Bittner: [00:06:42:22] Alright, Markus Rauschecker, thanks for joining us.

Dave Bittner: [00:06:49:11] We want to take a moment to thank our CyberWire sponsor, the DC Cyber Security Summit. Senior level executives are invited to attend the DC Cyber Security Summit on Thursday, June 30th, at the Ritz-Carlton Tysons Corner in Virginia. You can receive 50% off your admission with the promo code CYBERWIRE50 at cybersummitusa.com. They're going to have expert speakers from NSA, FBI and more, to discuss the latest security threats facing your company.

Dave Bittner: [00:07:14:23] Your admission includes a catered breakfast, lunch and a cocktail reception sponsored by Cohiba Cigars. How about that? You can register at cybersummitusa.com and, again, if you use that promo code, CYBERWIRE50, you'll get 50% off your admission and that's how they'll know that you found out about it through the CyberWire. Check it out, cybersummitusa.com.

Dave Bittner: [00:07:35:01] Thanks again to the DC Cyber Security Summit for sponsoring the CyberWire.

Dave Bittner: [00:07:53:13] The Big Four of cybercrime, point-of-sale malware, phishing, DDoS and ransomware were all in the news this week. The US fast food chain Wendy's disclosed last month that about 300 of its restaurants had experienced a point-of-sale malware infection, which the Ohio-based chain said it had contained.

Dave Bittner: [00:08:11:06] Unusual credit card activity back in January had flagged a problem. But yesterday Wendy's announced that the problems appear to extend to many more than the 300 sites it had initially believed were infected. Specific numbers aren't known yet, but the company says, the number of affected stores is significantly higher and that the problem may not yet be contained. Wendy's operates in 5800 locations, which gives some sense of how higher the tally could rise.

Dave Bittner: [00:08:37:01] What can be done about point-of-sale security? The chip and pin technology, now being rolled out across North America, is a partial answer. But as Péter Gyöngyösi, Balabit's Blindspotter Product Manager told the CyberWire, Europe's used that technology for a good decade and they still experience credit card fraud on the other side of the pond. The target may get harder, but criminals will adapt as long as there's money to be made.

Dave Bittner: [00:09:00:03] Gyöngyösi still thinks consumers should use their chipped cards whenever possible, but he has some specific advice for merchants. He tells us, "The first step is to realize that POS terminals are extremely attractive targets for attackers and treat them accordingly. Ensure that the network connection is protected and firewalled from the rest of the infrastructure. Apply all firmware updates as soon as they become available." He also advises, watching your admin traffic, anomalies should put you on your guard.

Dave Bittner: [00:09:28:22] Merchants also commonly use physical systems; security cameras prominently among them, to keep their businesses safe. Cameras aren't without their vulnerabilities, as we learned at the last hacking shindig at the Jailbreak Brewing Company in Laurel, Maryland. We caught up with one of that conference's featured experts, Wes Wineberg of Microsoft, to learn a bit more about the problem.

Wes Wineberg: [00:09:49:15] Over time, embedded devices have changed in a lot of ways and stayed the same in a lot of ways. For security cameras in particular, there's been a shift over the last five, ten years where systems that previously used to be entirely analog and can have more or less direct wired connections back to some sort of video recorder, now have switched to a model where they're all IP based. They can still have that same direct wired connectivity back to a video recorder, but they can also have connectivity much further.

Wes Wineberg: [00:10:23:17] That kind of mirrors what I've seen in a lot of other device markets and that often poses a lot of risk to the people using the device, because now there is much further connectivity that was never there.

Dave Bittner: [00:10:38:01] It's easy to think of a security camera as a benign device; sitting out of reach, high up on the corner of a building, or inside a lobby, or waiting area.

Wes Wineberg: [00:10:45:13] Quite a few companies, maybe even the majority of companies, will put their security cameras on the same network as other building automation systems, or just add their same corporate network. Since it requires an IP connection, most companies just move to whatever is familiar and convenient, whether that's their same building automation system, or whether that's their corporate network.

Wes Wineberg: [00:11:09:14] Now, if the cameras on the same network are acting as yet one more way to get onto that network, if someone compromises the camera, they can now use that to talk to all your other building automation devices as well.

Wes Wineberg: [00:11:23:21] Conversely, if it's just sitting on your corporate network, it's a device that's very hard to manage and monitor. A standard PC, there's lots of software tools and techniques to know what's running on a PC if a user's computer's been infected and better devices are a much different world for that, yet, at the same time, have just as much access to your network as any other device.

Dave Bittner: [00:11:49:19] One kind of compromise for embedded video cameras is, of course, getting access to the video stream itself.

Wes Wineberg: [00:11:55:08] When it comes to commercial security cameras, in many cases a lot of the cameras are just pointed at public spaces in the first place. So, while it might be interested to people to watch their video feeds, they're not necessarily exposing any private data. Some companies, of course, will have cameras inside their buildings, looking at more sensitive areas, but the general use case is more external and perimeter security.

Wes Wineberg: [00:12:20:05] Where it does sometimes get interesting is, there was an example a couple of years ago where a group was targeting point-of-sale systems, trying to steal credit card numbers and so on, and they combined that with compromising an IP camera's video feed, so that they could watch people type in their pin numbers and then try and correlate that to the card data that they were stealing.

Dave Bittner: [00:12:43:15] Compromising a camera video feed is one thing; but Weinberg says, this kind of embedded device can open your network to even more serious issues.

Wes Wineberg: [00:12:51:19] With an embedded device like a camera, as long as it continues to function as expected, it's very unlikely that anyone's ever going to look into whether or not anything might have been changed on the device. So the end result is that it's completely possible for an attacker to modify the code that's running on a camera, repackage it, update the camera essentially, but at the same time have the camera give no indication that any changes or updates have been made.

Wes Wineberg: [00:13:21:16] What this means then is, if you've got an advanced attacker on a network, instead of compromising say, a user's PC where, you know, once the company's trying to track down an infection, they might pull the hard drive from that computer and start to run forensics on it.

Wes Wineberg: [00:13:38:05] If you instead target an embedded device like a camera, first of all it can be much more difficult to even expect that that would be a target that was compromised, but second, it's extremely difficult to recover any traces of what the attacker might have done, because it's just simply not a function that the camera would typically provide.

Dave Bittner: [00:13:57:20] Many IP cameras are run in commonly used operating systems, which presents attackers with a wide variety of opportunities to compromise a network.

Wes Wineberg: [00:14:06:01] From an attacker point of view, they've got the ideal setup, where they can just build their malicious firmware, run the tool and, you know, update every single camera that the company's running. The camera system I looked at just runs an embedded version of Linux on an ARM processor. So an architecture that's fairly common, especially these days, and an operating system that's very well understood by attackers and users alike with, you know, support for pretty much any security testing tool that you might like. The opportunity is open to an attacker, if they're able to update the firmware, or otherwise gain access to the camera, are pretty open.

Wes Wineberg: [00:14:51:13] That was kind of the second part of my findings which was, now, if we're not just worrying about maybe persistence, which is great through the firmware update, but we just want to have a target on the network that we can compromise, you know, maybe store tools on, do that as a point of attack, a Linux system that you can easily compromise remotely is always going to be a great thing in the mind of an attacker.

Wes Wineberg: [00:15:14:13] That's essentially what the camera I looked at was. It had the web interface, just like many Linux devices and systems do, and there were several functions within the web interface, which could potentially be leveraged to gain remote shell access on the device.

Wes Wineberg: [00:15:32:21] Basically, the camera is a vulnerable system on your network, a vulnerable system running Linux. But unlike the computer systems that you might be scanning for on a regular basis and taking inventory of, a camera's very likely to be overlooked as that vulnerable Linux system, by a company who's running it.

Dave Bittner: [00:15:54:09] If you're using IP security cameras on your network, Wineberg has some advice.

Wes Wineberg: [00:15:59:00] My big recommendation for what owners of these devices should do, is just simply put them on their own separate network. So that's physical wiring, or setting up VLANs and firewall rules appropriately, so that really nothing can get to the cameras and the cameras can't get back to anything else, other than the video recording system that they should be talking to.

Dave Bittner: [00:16:19:05] That's Security Researcher Wesley Wineberg. In his day job, he works for Microsoft, but he asked us to mention that the presentation he gave at the Jailbreak Security Summit was independent research.

Dave Bittner: [00:16:31:06] To resume our cybercrime rundown, phishing, particularly in the form of business email compromise, continues to rise in the English-speaking world. Distributed denial-of-service attacks are also surging and businesses are well advised to address this risk in their planning. Ransomware continues to pay, just ask them up in Calgary, as its criminal masters shift to different payloads and delivery methods.

Dave Bittner: [00:16:53:01] If you're keeping score at home, TeslaCrypt is out and Crysis is in. CryptXXX has jumped ship from Angler to the Neutrino exploit kit, and Locky's fallen off dramatically, as the botnet principally engaged in serving it has apparently vanished from the wild.

Dave Bittner: [00:17:08:12] There's some encouraging industry news this week, as venture capital flows to some interesting startups. Zimperium, the mobile security company, has received $25 million in Series C funding. Cylance, whose tools congressional investigators now believe were the ones that detected the OPM breach, has joined the ranks of the unicorns with $100 million in Series D capital.

Dave Bittner: [00:17:30:14] Finally, we here at the CyberWire have long been trying to draw attention to the risks to critical infrastructure, especially water and power. We've covered the Bowman Avenue Dam hack in Rye, New York and the take down of the power grid in Eastern Ukraine by implausibly deniable Russian cyber goons. But it's often said correctly, that squirrels have a power grid take down track record the FSB could only dream about, and will continue to add, although none of you seem to be paying proper attention to the matter, that snake-outs have long been a problem on Guam.

Dave Bittner: [00:18:01:05] An expert from Tenable has pointed out this week that the North American electrical grid could be distributed for months by the coordinated physical destruction of just nine well-selected substation transformers. We hope utility security managers are thinking about more than just fences, and that they're hardening their own physical security measures, including those IP cameras Wes Weinberg has been telling us about.

Dave Bittner: [00:18:23:05] But wait, there's more. If this weren't enough to worry us, as if on cue, Kenya's power grid goes down, when a monkey inserts itself into the works. Squirrels and snakes and monkeys, oh my.

Dave Bittner: [00:18:39:13] That's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. We help you stay on top of the news in cybersecurity and information assurance; we can also help you get your product, service, or solution in front of an informed audience of influencers and decision-makers. Visit thecyberwire.com/sponsors to find out how.

Dave Bittner: [00:19:02:01] The CyberWire podcast is produced by Pratt Street Media, the Editor is John Petrik. I'm Dave Bittner. Thanks for listening. Have a great weekend.