Slinging cyber lingo. Bad robots. Pokémon Go's long march.
Dave Bittner: [00:00:03:11] Courts, responsibilities, and liabilities. Chinese spies in the FDIC and a cover up? Industry notes. The world of cyber crime. Pokemon Go is almost everywhere, and it's dragging some bad actors in its wake, and in California, there's a bad robot. You know who you are, bot.
Dave Bittner: [00:00:26:05] Time to take a moment to tell you about our sponsor, Netsparker. Still scanning with labor intensive tools that generate more false positives than real alerts? Let Netsparker show you how you can save time and money and improve security, with their automated solution. How many sites do you visit and therefore scan that are password protected? With most other security products, you've got to record a log and macro, but not with Netsparker. Just specify the user name, the password and the URL of the login page, and the scanner will figure out everything else. Visit Netsparker.com to learn more. And if you'd like to try it for yourself you can do that too. Go to Netsparker.com/CyberWire for a free 30 day fully functional trial version of Netsparker Desktop. Scan your websites and let Netsparker show you how easy they make it. That's Netsparker.com/CyberWire. And we thank Netsparker for sponsoring our show.
Dave Bittner: [00:01:25:08] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, July 14th, 2016.
Dave Bittner: [00:01:31:04] Two recent US Federal court decisions may have significant implications for users of the Internet.
Dave Bittner: [00:01:37:03] The first decision of interest comes from the US District Court for the Southern District of New York in Enigma Software Group USA LLC versus Bleeping Computer LLC. The court found that an online forum operator couldn't assert publisher immunity against the claim that a volunteer moderator allegedly defamed a security product in that forum.
Dave Bittner: [00:01:58:01] In the other case, the Ninth Circuit has handed down its opinion in Facebook versus Vachani, and some legal observers find the decision a disturbingly broad reading of the Computer Fraud and Abuse Act. The Volokh Conspiracy, writing in the Washington Post, thinks the opinion made the defendant's state of mind crucial, as opposed to what the defendant actually did. As the conspiracy points out, "It says that if you tell people not to visit your website, and they do it anyway knowing you disapprove, they’re committing a federal crime of accessing your computer without authorization."
Dave Bittner: [00:02:31:00] The decision also seems to make it all the more important to read the EULAs, the End User License Agreements, those notoriously lengthy, turgid, hard-to- understand things you click through when you download,say, Pokémon Go. As Help Net Security remarked in a different context, "I agree to these terms and conditions is now, probably, the biggest lie on the Internet. Communications researchers at York University and the University of Connecticut used a test site to establish what everyone knows: almost no one actually reads terms and conditions or privacy policies. The science is settled."
Dave Bittner: [00:03:05:09] The US House Science, Space, and Technology Committee has looked into an apparent Chinese government hack of the Federal Deposit Insurance Corporation and concluded that the FDIC was indeed compromised. More seriously, Committee researchers concluded that the agency attempted to cover up the incident.
Dave Bittner: [00:03:23:22] In industry news, Appthority raises $7 million in Series B, and Samsung takes a stake in UK cybersecurity darling Darktrace. Investors continue to look forward to Intel's sale of its security business, even though they don’t anticipate the company selling it for much more than it paid for it in the first place.
Dave Bittner: [00:03:42:09] In cyber crime notes, F-Secure reports that Locky ransomware is seeing a resurgence. Phishme publishes more details on the Rockloader-delivered “Bart” crypto ransomware. It’s especially active in Germany, the UK, and the US. The cross-platform, Java-based Adwind remote-access Trojan continues to spread rapidly. Zscaler reports that the Sundown exploit kit is pushing RIG and Neutrino for black marketshare left by the effective disappearance of Angler and Nuclear. Sundown is run by the self-styled Yugoslavian Business Network, pretty obviously modeled on the much better known, and notorious, Russian Business Network.
Dave Bittner: [00:04:20:05] Much ransomware of course, solicits payment in Bitcoin, but there's more to it than that. Crypto currencies are growing in acceptance. We spoke with Darin Stanchfield, the founder of KeepKey, a Bitcoin digital hardware wallet maker.
Darin Stanchfield: [00:04:33:02] Bitcoin is a peer-to-peer virtual currency. Sometimes it's referred to as a crypto currency because they use this cryptography to secure it, but it could be thought of more as like a global ledger that resides on a bunch of peer-to- peer notes. When you transfer money in it, you're not really transferring money, you're assigning value on the ledger. You don't have to accept identification from a customer. They can just give you the Bitcoin, and the Bitcoin is good. So, you have a Bitcoin: you can verify that you have a Bitcoin. There's no chance of it being reversed on you. It's like cash so, once you have it, it's yours. So, because Bitcoin is peer-to-peer, there's no central authority to reverse transactions, but once some-one gets your private key, and they make a transaction, they're gone for good and there's no recourse.
Dave Bittner: [00:05:19:10] One of the key features of Bitcoin is its baked-in security.
Darin Stanchfield: [00:05:22:18] Let's say, Bob wants to send Alice some money. On this ledger, he creates a transaction that just assigns the value from his apportional ledger to Alice's portion, and then he signs it, and he broadcasts that signature. So, everyone on the network can cryptographically verify that the transfer is authentic by Bob. So this block of transactions actually refers to the previous block of transactions, which refers to the previous block, all the way back to the genesis block which was the very first Bitcoin block: that's what you could commonly hear as the blockchain. So, to actually do a double spin on the network, you would have to override all the peripheral work that ever took part in that blockchain, and that's why it's secure. It's not impossible to forge a Bitcoin, but it's mathematically unlikely.
Dave Bittner: [00:06:11:14] So, it's secure but it's also not possible to get your Bitcoin back if it falls into the hands of bad guys or girls. As a Bitcoin user, you're assigned a private key.
Darin Stanchfield: [00:06:21:03] It's that private key, that's really what people think of as Bitcoins. So, there's a couple of different ways. You can store your private key on a computer, but then anything that's on your computer can get to your private key and then to your Bitcoins. So, viruses, malware, and then, what was common in the past was for people to say, well, good security's hard. I'm gonna trust a third party to do it. So, there's online wallets that will store that private key for you, and kind of abstract out a way where you just kind of have a web wallet. The last few years have been a move towards hardware wallets, and it's just about this idea of keeping private keys offline on air-gapped computer. So, this is really just like a personal HSM that keeps those private keys generated off-line, and they sign transactions off-line. So, there's no way to extract the private key once it's generated from the device.
Dave Bittner: [00:07:13:12] If it all sounds a bit complicated, well, it is, but Stanchfield says one of the main benefits of a hardware wallet is to protect the user from their own mistakes.
Darin Stanchfield: [00:07:22:09] With a hardware wallet you guarantee that you have the Bitcoins. They're in your control and it's very hard to stray and leak your private key, and that's your Bitcoins. What the hardware does is it's so simple that it's really difficult to do the wrong thing. You would have to go out of your way to do the wrong thing: you would know that you're doing the wrong thing, like sending Bitcoins to someone else.
Dave Bittner: [00:07:45:02] That's Darin Stanchfield, the founder of KeepKey.
Dave Bittner: [00:07:50:11] The OurMine hackers, known for their skiddish compromises of prominent tech executives with weak social media passwords claim they've taken down HSBC servers in the US and UK. The bank recovered rapidly. It’s unclear whether any customer service was disrupted.
Dave Bittner: [00:08:07:06] Pokémon Go, its privacy concerns partly addressed if you’ve updated, and done everything else right, continues its long march through the Internet. TechCrunch reports that the game already has more active daily users than Pandora, Netflix, Google Hangouts, and Spotify and that it’s installed on more devices than such popular apps as Candy Crush, Viber, LinkedIn, Clash of Clans, and Tinder. This is of security interest not only because of privacy issues, but due to the number of malicious apps trying to ride Pokémon Go’s coat-tails. That number is exploding.
Dave Bittner: [00:08:41:07] Finally, we hear that out in, where else, Palo Alto, a security robot in a mall knocked down a toddler. The small boy wasn't injured, but he cried a lot. So, we have a clear violation of Asimov's First Law of Robotics. We mean, come on, it's not Skynet, but hey, robots, you're supposed to observe and report. Leave those poor kids alone.
Dave Bittner: [00:09:06:11] Time to tell you about our sponsor, E8 Security. The old parameter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network once they are in your networks. E8 security Behavioral Intelligence Platform enables you to do just that. Its self-learning security analytics give you early warning when your critical resources are being targeted. The E8 Security Platform automatically prioritizes alerts based on risks, and lets your security team uncover hidden attack patterns.To detect, hunt and respond, you need a clear view of the real risks in your business environment. That's what E8 gives you. Visit E8Security.com/DHR, and download their free white paper and learn more. E8, transforming security operations. We thank E8 for sponsoring our show...
Dave Bittner: [00:10:00:11] ...and I'm joined once again by Dale Drew. He's the chief security officer at Level 3 Communications. Dale, we toss around a lot of terms here on the CyberWire pod-cast, and we talk about zero-days. We talk about half-days, but we don't often stop to take the time to explain what we mean by those. I was hoping maybe you could explain to us, what are we talking about when we talk about a zero-day, or a half-day?
Dale Drew: [00:10:21:08] The security industry has its own dictionary, and that dictionary is growing on a daily basis, but zero-day and half day are terms where a zero-day is an exposure that the industry is not yet aware of. It's typically where a bad guy has gone to the source code themselves, have identified a weakness in that source code, and then they utilize that source code to weaponize it into an exploit or an exposure. A half day is, ironically enough, an exposure that the industry is aware of, but has not yet patched it, or has no immediate plans to patch it. A lot of vendors will take bugs or bug reports from the industry, or from their own organization, and they will prioritize those bugs to determine at what point the that they're going to introduce them as a fix. So, bad guys will monitor those open forums of people talking about bugs they've seen. They will then identify if they can weaponize those into exploits or exposures. The average zero-day gives an intruder about ten months of undetected access to an enterprise, and the average half day gives an intruder about eight months of undetected access to an enterprise. So, they're both very valuable commodities in the industry.
Dave Bittner: [00:11:45:13] And then, when we shift from zero-days and half-days, and then we're talking about APTs or advanced persistent threats.
Dale Drew: [00:11:52:01] Yes. So, a bad guy identifies a half day or a zero-day, and then he weaponizes that into an exploit or an exposure. Then, what he does is that he can then create a package that will load or install that exposure on a victim, and then have the ability of staying persistent or resident on that computer for some extended period of time without being detected, as an example. That is what we call an advanced persistent threat. It's the ability for an exposure to stay resident on a compromised computer, and do its activity. Collect keystroke data, download proprietary information from the company and send it to the bad guy without being detected, and in persisting for some extended period of time.
Dave Bittner: [00:12:43:06] Do we have any sense for how long a typical APT rattles around inside someone's system?
Dale Drew: [00:12:49:05] The industry average has been around a year to a year and a half. So, to sort of put that in context, a bad guy essentially has access to your enterprise with the same level of access as most of your enterprise users for a year and a half; that gives them the ability of downloading data: that gives them the ability of monitoring keystroke data and passwords of all the employees. The theory goes that the reason why that it lasts for a year to a year and a half is because, once the bad guy has gotten access to pretty much all the data that they believe they need, then they get a little bit more sloppy in how they're managing that access and that system, and they then become more detectable as a result.
Dave Bittner: [00:13:35:13] Dale Drew, thanks for joining us.
Dave Bittner: [00:13:38:14] That's the CyberWire. For links to all of today's stories, along with the interviews, our glossary, and more visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. If you'd like to place your product, service, or solution in front of people who'll want it, you'll find few better places to do that than the CyberWire. Visit thecyberwire.com/sponsors and find out how to sponsor our podcast or Daily News Brief.
Dave Bittner: [00:14:00:05] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.