Istanbul bombings prompt global intel collection re-look. Cyber threats to transportation.
Dave Bittner: [00:00:03:17] ISIS bombings are likely to have implications for global online intelligence collection. Dozens of banks in Ukraine and Russia may have lost millions in SWIFT raids. Locky's back, CryptXXX never left, and a lot of businesses may be quietly paying up. Malicious SMS messages install paycard-stealing malware. More dodgy apps are noticed in the Play Store. Euro-friendly bots want another UK referendum. The auto industry gets together to share cyber strategies. Symantec patches AV bugs. Apple's iPhone celebrates a birthday, so we ask Siri, or, actually, Jonathan, what's differential privacy?
Dave Bittner: [00:00:43:23] I want to take a moment to talk about our sponsor, E8 Security, and about putting your data together with E8's analytics, for security that can handle the unknown unknowns. Consider what might warn you off to malware on your system - listening, or running programs on a rare, or never-seen-before open port is one of them. It's easy to say that, but could you say what counted as rare, or never-seen-before? Or would that information jump out at you as you reviewed logs - if you have the time to review your logs, and by the time the logs reached you, the news would be old. But E8's analytical tool recognizes and flags that threat at once, enabling you to detect, hunt, and respond. Get the free white paper at e8security.com/dhr and get started. E8 Security - your trusted partner. That's e8security.com/dhr.
Dave Bittner: [00:01:40:00] I'm Dave Bittner in Baltimore, with your CyberWire summary for Wednesday, June 29th, 2016. Yesterday's horrific suicide bombings at Istanbul's Ataturk airport, where gunmen shot their way into the terminal then detonated their bombs, are moving security officials worldwide to look for better ways of collecting and developing intelligence. Both Turkish and US sources have attributed the massacre to ISIS. Much of that collection will inevitably be performed online. - how that might be accomplished will face technical, resource, and policy challenges.
Dave Bittner: [00:02:13:06] The Kyiv ISACA branch reports that an unnamed Ukrainian bank has lost $10 million to SWIFT-enabled funds transfer fraud. ISACA's statement, as reported in the Kyiv Post, says that "dozens of banks, mostly in Ukraine and Russia, have been compromised," and their losses may collectively run into the hundreds of millions of dollars. Commentary about the apparent theft has been guarded and short on details - it's early in the ongoing investigation, and the affected banks fear adverse public reaction.
Dave Bittner: [00:02:43:13] Since the SWIFT international funds transfer system was used to accomplish the theft, observers say it looks like Bangladesh, and speculate that the methods employed were similar to those used earlier this year against the Bangladesh Bank. That bank has concluded the first phases of its investigation - and with that conclusion, wraps up its contract with FireEye - and says it's moving to shore up the security of its systems on its own.
Dave Bittner: [00:03:07:10] In other cyber-crime news, some observers had hoped that Locky ransomware was fading into oblivion. Symantec found that Locky had declined steeply over the past month, as Dridex and Angler infections also fell off the cliff. Unfortunately, such hopes have proven unfounded. Cloudmark says Locky's back and being distributed widely, rejoining CryptXXX among the more popular ransomware variants.
Dave Bittner: [00:03:30:23] As more enterprises are infected with ransomware, a Radware study suggests that businesses in the US and UK are less set in their determination not to pay up than their statements might lead one to believe. 84% of IT executives at firms that had not been attacked said they wouldn't consider paying ransomware, but when one looks at firms that actually have sustained a ransomware hit, 43% have paid.
Dave Bittner: [00:03:55:21] In all of this, small businesses are looking particularly vulnerable. They hold data that's vital to their survival, and they tend to be resource-poor with respect to security. As larger enterprises become harder targets, criminals prospect small business. They're in general less well-defended, and less able to sustain a hit to their current operations, so the basic advice on dealing with ransomware remains, back up your files.
Dave Bittner: [00:04:20:12] Malicious apps remain another common form of cyber-crime. "Smishing" is phishing via SMS services on mobile devices, and a smishing campaign in Europe is spreading paycard-stealing malware posing as WhatsApp, Uber, or Google Play. The vectors are malicious SMS messages.
Dave Bittner: [00:04:38:22] Other bad apps are lurking in the Google Play Store. Lookout warns that what it calls "autorooting" malware is being downloaded by unwary Android users. Case Zero of the autorooting epidemic is a seemingly innocent and simple app called "LevelDropper." As its name implies, LevelDropper converts your device's screen in a virtual carpenter's level, complete with green bubble. Unfortunately, it also roots your phone, giving an attacker the ability to load and run essentially whatever they please.
Dave Bittner: [00:05:08:14] Flash Keyboard, another popular app with about 50 million downloads, is also showing some dodgy behavior. OptioLabs says the keyboard app, produced by DotC united, isn't exactly malicious, but it's really promiscuous in the privileges it asks for, few of which a keyboard would actually need, however handy and helpful that keyboard aspired to be. For example, it asks that you allow it to download files without notifying you - that alone should be enough to warn anyone off. Anyone, that is, beyond the 50 million or so people who apparently said, "Sure. Yeah, why not?"
Dave Bittner: [00:05:44:09] This week marks the ninth anniversary of the introduction of the iPhone. May observers have been congratulating Apple, especially on the relatively good security record of iOS. Apple recently announced at its Worldwide Developers Conference that it intends to introduce something it's calling "differential privacy." We spoke with the University of Maryland's Jonathan Katz about what that means. We'll hear from him after the break.
Dave Bittner: [00:06:07:11] A Google security researcher reports an array of bugs in Symantec and Norton antivirus products. Symantec has patched the issues; you'll find the fixes on their website.
Dave Bittner: [00:06:17:21] We haven't forgotten about the DarkOverlord, and his or her stall of allegedly stolen, purportedly genuine healthcare records in the Real Deal dark web market, but so far, there's no consensus about the data's provenance. Whatever they are, the asking price is steep. We'll continue to follow this story as it develops.
Dave Bittner: [00:06:37:00] As cars grow ever more sophisticated and connected to the Internet, concerns about their cybersecurity grow, too. We spoke with Booz Allen Hamilton's Jon Allen about the automotive ISAC and the upcoming Billington Automotive Cybersecurity Summit - an event for which we are proud to be a media sponsor. We asked Jon Allen to begin by describing the Automotive Information Sharing and Analysis Center, or ISAC.
Jon Allen: [00:07:00:00] The concept of an ISAC was created around 1998, with a presidential decision directive that President Clinton signed to enable critical infrastructure industries to share general threat and vulnerability information about certain infrastructures in the United States. So it was originally like oil and gas, and energy, and water - our critical infrastructure. It grew out two ways. Number one is industries like Automotive enable them to talk and share information without going across antitrust issues. Number two is, in '98, most of the focus was around physical threats and vulnerabilities, and then the industry started realizing that it was cyber that was the big issue.
Dave Bittner: [00:07:39:08] The Automotive ISAC relies on independent daily information gathering and analysis of emerging threats, but also on the automotive industry themselves.
Jon Allen: [00:07:48:01] Say one OEM finds a vulnerability on a vehicle, or in an infrastructure, and they're working through it, and they've solved it. They'll throw it out to the ISAC and say "We've identified X vulnerability, and this is what we've done to solve it." Or, "This is X vulnerability we've found - does anybody have a solution on how to solve it?"
Jon Allen: [00:08:05:11] But this is a big issue around the culture of trust. This is not an industry that generally is comfortable with sharing information with each other. They're hyper-competitive, and so what we've seen them become is more "frenemies," understanding that an attack on one is an attack on all. The automotive makers realized that in order to enable the new customer experience, and new technologies on the vehicle, they have to address the underlying issue of cyber first. You can't do data analytics unless you get the customer's trust to protect their privacy, and protect their data, and you can't do that without strong cyber security programs.
Dave Bittner: [00:08:40:19] This coming July 22nd, Jon Allen will be part of the Billington Cybersecurity Global Automotive Cybersecurity Summit, which features US Secretary of Transportation Anthony Fox, and Mary Barra, CEO of General Motors.
Jon Allen: [00:08:54:14] To have a CEO as the keynote, talking about vehicle cybersecurity is fascinating. That's the keynote with Mary Barra, and at the end of the day, having Secretary Fox speaking about vehicle cybersecurity as the Secretary of Transportation. That's amazing! I mean, there's other conferences on automotive security - however, this is the first one I've seen, with the senior leadership that they have, that are dedicated to the problem.
Jon Allen: [00:09:17:11] We're going to talk about relevant issues and where the industry is going. Mary Barra talks a lot about we're gonna see more disruption in the next five years than we've seen in the last 50. I really think from a cyber perspective this conference is going to lay a foundation on how that disruption's going to come forward, and what cyber is going to do, within that area, to really enable this disruption that we're going to see.
Dave Bittner: [00:09:37:16] That's Jon Allen - he's a principal at Booz Allen Hamilton, and also Executive Director of the Automotive ISAC.
Dave Bittner: [00:09:45:09] And finally, a petition to revoke Brexit through another referendum appears to have been signed mostly by bots. Authorities are investigating. After all, bots shouldn't be voting, even in online election - say, choosing members of the Major League Baseball All-Star squads. We're looking at you, Kansas City.
Dave Bittner: [00:10:08:05] This CyberWire podcast is made possible by the generous support of CyLance, offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at cylance.com.
Dave Bittner: [00:10:31:10] Joining me once again is Jonathan Katz - he's a Professor of Computer Science at the University of Maryland. Jonathan, at the recent Apple Worldwide Developers Conference they discussed what they're calling "differential privacy" - a new way that Apple is saying that they're going to be able to collect your data, but keep your data private at the same time. Tell us, what is differential privacy?
Jonathan Katz: [00:10:50:21] Differential privacy's a mechanism that's been developed over the past decade or so within the cryptography community, and it's since spread to the security and the databases community as well. It's really interesting - what it does is it's a framework that allows you to analyze mechanisms for doing statistical analyses over data, that involves data from multiple people, and essentially what it does is it allows you to discern global trends about the data, which is of course what you want, without violating the privacy of the data of any particular individual.
Dave Bittner: [00:11:23:05] So how does it work? What's the mechanism by which you can do this?
Jon Allen: [00:11:27:12] Well, there are a number of different mechanisms that have been proposed, but one mechanism in particular that's been the most popular, and one of the simplest to implement, is where you simply add some random noise into the system - whether at the time of data collection, or after you perform the analysis, or during the analysis itself. What ends up happening is that rather than getting an exact result, as you would prior to differential privacy, you add some noise, and that gives you a less accurate result, and there's a trade-off then between the privacy that you obtain and the accuracy of the result. So the more accurate the result, obviously the worse the privacy, and on the other side, if you want to increase the level privacy that you give to any individual, then that makes your result slightly less accurate.
Dave Bittner: [00:12:11:21] So is this a good thing? Is this a win-win for everyone, or is this something we should be wary of?
Jonathan Katz: [00:12:19:18] Well, it's not clear, because Apple hasn't released all the details of what they're planning to do, exactly. I think certainly it's a win that they're aware of the need to provide privacy, and that they're aware of differential privacy - something which is relatively new, and still the subject of active research. One thing that's particularly interesting here is that in contrast to things like encryption, where we have a very good understanding about the level of security that you need in practice, with differential privacy it's really less clear, because you have this trade-off between accuracy and privacy, and it's not really clear where the right setting of the parameters is in order to ensure the optimal trade-off between privacy and accuracy.
Jonathan Katz: [00:12:58:13] The Devil's in the details, because if you set the privacy threshold to low, trying to get a very accurate result, then you have, technically, differential privacy, but it won't be very meaningful in practice, and so it's really not clear until we get more details about what exactly they're doing, whether this is providing an adequate level of protection.
Dave Bittner: [00:13:15:20] All right, well keep an eye on it. Jonathan Katz, thanks for joining us.
Dave Bittner: [00:13:20:20] And that's the CyberWire. Looking ahead to next week, we remind our listeners that the CyberWire won't publish Monday. We'll be observing Independence Day, the US holiday that commemorates the Amexit of 1776 - you may have heard of it. We'll be back as usual on Tuesday, July 5th, with both our daily news summary and our podcast - and of course we'll be publishing the rest of this week, too.
Dave Bittner: [00:13:42:09] For links to all of today's stories along with interviews, our glossary, and more, visit thecyberwire.com. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor and principal suit is Peter Kilpe. I'm Dave Bittner. Thanks for listening