The CyberWire Daily Podcast 7.15.16
Ep 142 | 7.15.16

Pokémon Go's astonishing success. (And attack surface?) Crime, folly, the punishment thereof.

Transcript

Dave Bittner: [00:00:02:24] ISIS may be under pressure, but so are its adversaries in the civilized world’s intelligence and security services. Old malware learns some new tricks. Taiwan deals with an apparent case of ATM jackpotting. US court rulings have implications for privacy and liability. SAP and Cisco round out a week of patching. Some security startups get infusions of venture capital. And augmented reality continues to go global as Pokémon players try to catch ‘em all.

Dave Bittner: [00:00:33:03] Time to take a moment to tell you about our sponsor, Netsparker. Do you know how to tell a false positive from a real threat? Netsparker does. If it's exploitable, it's real. Netsparker's distinctive automated scans drive out false positives, save you money, and improve security. Their approach is proof-based scanning. Netsparker's innovative scanning engine automatically exploits the vulnerabilities that it identifies in websites, and presents you with a proof of exploit. You don't need to verify the scanner findings to see if they include false positives. If Netsparker tells you it's bad, trust them, it's bad. Remember, if it's exploitable, then it is definitely not a false positive. Learn more at Netsparker.com. But wait, there's more, and we really do mean more. Go to netsparker.com/cyberwire for a free 30-day trial of Netsparker Desktop. It's fully functional. Scan your websites with Netsparker and let them show you how they do it. And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:32:09] I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, July 15th, 2016.

Dave Bittner: [00:01:39:02] The tragic Bastille Day massacre in Nice - rendered all the more tragic as warnings of danger police distributed through social media failed to reach the victims in time - has prompted much introspection among intelligence and law enforcement services. In brief, increasing pressure on the ground is apparently driving ISIS not only toward more dispersed out-of-area attacks - and the US FBI Director warns that more may be coming - but also toward renewed aspirations for an aggressive online presence and cyber attack capability. Recruiting is turning toward less sophisticated prospects in Southeast and Central Asia, and to criminal snitches (mostly in Western Europe) who have been discovered and turned by jihadists. Loss of territory in the Levant appears to be making training more difficult, but the untrained can still be inspired or compromised.

Dave Bittner: [00:02:27:02] Avira warns that Locky ransomware is now able to encrypt victims’ files without needing to connect to a command and control server. And FireEye notes that an IE exploit has been added to the Neutrino kit. It appears to have been reverse engineered from a proof-of-concept researchers at Theori prepared in June. Neutrino is widely used by criminals, having largely superseded the earlier and essentially defunct Angler exploit kit.

Dave Bittner: [00:02:52:16] Taiwan's First Bank was hit early this week by criminals who made off with about $2 million. The criminals were masked, as bank robbers should be, but they held up ATMs and not tellers. Dozens of machines are said to have been hit. The crooks used some form of connected device, possibly a phone, to trigger three different malware files that, as CNN Money reports, were instructed to “spit out the cash” and then delete evidence. How the machines were infected remains unclear, but the malware was there to enable a quick physical interaction.

Dave Bittner: [00:03:23:21] We heard from Craig Young, Computer Security Researcher for Tripwire’s Vulnerability and Exposures Research Team (VERT), who sees the case as a likely instance of jackpotting. Young says, “From the description it sounds like these thieves likely had installed malware ahead of time, enabling a wireless connection to jackpot the ATMs. It’s also possible that a vulnerable wireless service could allow unauthorized access from hackers.” Investigation is ongoing.

Dave Bittner: [00:03:52:07] Several court cases this week send decidedly mixed signals to the cybersecurity community. Microsoft won a round in its fight to keep data secured in Ireland, away from US investigators. But other decisions suggest some expansive interpretations of what counts as computer crime, and how far civil liability for online activity can stretch. We’ll hear a bit later from our partners at the University of Maryland's Center for Health and Homeland Security, who'll take us through other recent rulings on privacy, home computing, and the Fourth Amendment to the United States Constitution.

Dave Bittner: [00:04:23:19] Congratulations to the winners in the latest US Cyber Challenge round, being recognized today in Delaware.

Dave Bittner: [00:04:30:00] And in other matters related to the health of the cyber sector, we spoke to Eli Sugarman of the William and Flora Hewlett Foundation. He described their Foundation's cyber initiative.

Eli Sugarman: [00:04:40:04] For most of the Foundation's 50 years, we've had a grant making interest in some aspect of national security. Most recently that was preventing nuclear proliferation via our nuclear security initiative. And when our new President joined the Foundation about three/four years ago, he started looking for emerging threats that were relevant for national security, but that were a little more on the leading edge that philanthropies should be focused on but that weren't at the time. And after doing quite a bit of research, and talking to a lot of experts in the field, settled upon cyber security as one that really is affecting society in every American and every global citizen more and more and that it really demands long term attention in the way that philanthropies can provide.

Dave Bittner: [00:05:25:03] The Hewlett Foundation's cyber initiative is a five year, $65 million grant making effort.

Eli Sugarman: [00:05:30:21] And so our three biggest grantees are Stanford University, MIT, and UC Berkeley. So we've made those three anchor grants at three leading research universities, really to anchor what we believe needs to sort of be created, which is a multidisciplinary field. So each university is creating an interdisciplinary center that pulls together computer science and engineering, with policy, law, economics, business, social sciences, to do two things. To really pursue research that's very policy relevant, that's anchored in reality and real world problems. Then, secondly, not to suggest it's less important but also, equally, if not more important is education. They're trying to create new educational programs that again are multidisciplinary and give students the technical knowledge they need, as well as the non-technical overlay, so that when they enter the workforce they can work in government, they can go work in industry, they can work in academia and, again, they can translate and understand the different sides of these issues.

Dave Bittner: [00:06:27:07] Cyber security is a relatively young, rapidly evolving field and Eli Sugarman says it's important that the Foundation take an ideologically neutral approach.

Eli Sugarman: [00:06:36:21] We need to fund lots of different viewpoints, because we don't have an institutional viewpoint. We want to fund voices on the left, voices on the right, technical voices, social sciences voices, voices from the hacker community, voices that are more from the vendor community and lift those up and put them into the debate, and let the marketplace of ideas and policy makers choose what the best outcomes are because that's their job. We think that we can help create the foundation for a mature debate and ecosystem, but it's not our role to pick the winner, and to pick the right answer on a policy question. So we fund right of center think tanks, we fund left of center think tanks. We are trying to bring more diverse and new voices to the debate, to make sure that they're inclusive and that all the different aspects of these various issues are touched upon.

Eli Sugarman: [00:07:23:20] We're saying listen, different fundamental values are in tension and the real hard work is rolling up your sleeves, getting in there and figuring out how to manage those trade-offs.

Dave Bittner: [00:07:33:07] The cyber initiative has been under way for about two years now, and Sugarman says they have discovered some interesting challenges along the way.

Eli Sugarman: [00:07:40:13] It's really hard to build trust among the different groups who play in this field and this space, given how acrimonious a lot of the conversations are about whatever timely policy issue is. So trying to find ways to say how do I bring together the civil liberties communities with the national security community, with the vendor community, with the academic community, with other key stakeholders and really build trust and connective tissue so they want to work together to solve problems, as opposed to just blaming each other for being the problem, or labeling them, "You're from that other tribe, and I don't want to talk to you?" Doing that is really hard, because it really depends on individuals who have credibility in other stakeholder groups who want to reach across the aisle and really want to work together.

Eli Sugarman: [00:08:25:22] So we can do that in small, curated gatherings but it's really hard to scale that and to really solve this problem you need to scale it. So that's an area we knew would be challenging, but I don't think we fully appreciated how challenging it would be. So right now we're starting to bring on a consultant and an evaluation to figure out what are models from other fields that have been built that may be relevant? What are other ways to build trust at scale, and to really learn and do better at that.

Eli Sugarman: [00:08:53:07] The other thing that we've learned is that trying to attract funders, whether foundations or corporate philanthropy, high net worth individuals, is tough because a lot of people think that the government and industry alone will solve these problems, which we firmly do not believe. We believe they're key partners, but that there's a critical role here for philanthropy so it's been hard to catalyze more funding. Part of it is, I think, people just assume government and industry are going to fix it. If you go to other foundations, sometimes they don't have the existing expertise on these issues, so they find it a little daunting to dive into this new area and really making that case for why resources from outside of government and companies need to come online for this. That's been challenging as well, and so that's an area that we're increasingly focused on.

Dave Bittner: [00:09:42:18] I asked Eli Sugarman how the Hewlett Foundation will measure success?

Eli Sugarman: [00:09:47:00] We're just trying to prove the concept. It's a sort of service that's on the front leading edge, to then show it's possible and get others to come in and partner with us, or take a different approach based upon what we've learned. That success for us is not solving this problem by ourselves, because we don't think we can. We're sort of a small player here, but really what success is is catalyzing that broader movement that we're trying to achieve. We're agnostic as to the specific policy outcomes, but really just want to create a healthier ecosystem in any way that we can be supportive. We're always happy to talk about that and always in search of new creative ideas, because we completely will be the first to admit that we don't have all the answers, that we rely upon our grantees and experts we support and partner with. They're the real experts, they're the ones who do the real work, and we need them to lead the way and really help come up with all the creative ideas and all the great work that needs to be funded.

Dave Bittner: [00:10:44:08] That's Eli Sugarman. He's the Program Officer of the William and Flora Hewlett Foundation's cyber initiative.

Dave Bittner: [00:10:54:21] It's time to thank our sponsor, E8 Security. You know the old perimeter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network once they're in your networks. And E8 Security's behavioral intelligence platform enables you to do just that. Its self-learning security analytics give you early warning when your critical resources are being targeted. The E8 Security platform automatically prioritizes alerts, based on risk and lets your security team uncover hidden attack patterns. To detect, hunt and respond, you need a clear view of the real risks in your business environment. That's what E8 gives you. Visit e8security.com/dhr and download the free White Paper to learn more. E8, transforming security operations.

Dave Bittner: [00:11:44:16] Joining me once again is Ben Yelin. He's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, interesting article came by about the federal courts' ruling that the Fourth Amendment does not protect your home computer. My response to this was "Really?". What can you tell us about this case?

Ben Yelin: [00:12:06:08] I think it's a very consequential case. The case of the United States v. Mavis, and it took place in a District Court in the Fourth Circuit down in Virginia. It centers around an FBI investigation of this website, Playpen, which is a child pornography website. It's a Tor hidden service site, so the government had to use NIT to track the site and ended up tracking this user. They arrested this user on child pornography charges and the user attempted to suppress the evidence based on a Fourth Amendment claim that searching this person's home computer violates his reasonable expectation of privacy. Under the Fourth Amendment, if a person has a reasonable expectation of privacy then it's a search for Fourth Amendment purposes and it's subject to Fourth Amendment protection.

Ben Yelin: [00:12:58:09] What this court tried to argue is that this person did not have a reasonable expectation of privacy using a Tor hidden services site because, in order to sign up for this technology, he had to submit his IP address. Under what's called the Third Party Doctrine, if you submit identifying information that you know would be submitted to a third party, for instance, the numbers you dial if you know that those are going to be submitted to the phone company, then you forfeit your expectation of privacy under the Fourth Amendment. The court held that there was no search for Fourth Amendment purposes and that, even if there was, there was a warrant based on probable cause.

Dave Bittner: [00:13:39:23] Using your telephone system analogy, I would reasonably expect that the metadata of my phone call would be subject to being gotten perhaps without a warrant, but not a recording of my phone call itself. How does that analogy extend to this? It seems to me that perhaps the FBI would know that this person was interacting with whatever website he was, but then to go in and search through his computer in his home seems like a stretch to me. Is that a good line of reasoning?

Ben Yelin: [00:14:17:04] I think that's a reasonable inference. This reminds me of a concurrent Justice Sotomayor case called United States v. Jones. She stated that, when this third party doctrine was ratified early in the 1980s, it was a very different technological landscape and there wasn't much one could reveal on the metadata submitted to the phone companies; it was just a number. Now your use of technology, even if it's not the concept of communications or the contents of conversations, can actually reveal a lot of private and personal details, medical histories, personal interests and political affiliations just by knowing an IP address, for example. I think the court in this case misapplied the law, and I would suspect that the Fourth Circuit Court of Appeals would probably reverse this decision. If it got up to the Supreme Court, I think it would be a very interesting test of whether, Sotomayor's concurrence, which noted that the third party doctrine may indeed be outdated in light of modern technology, it would still apply.

Dave Bittner: [00:15:21:24] Alright, Ben Yelin, more to come. We'll keep an eye on this one, thank you for joining us.

Dave Bittner: [00:15:29:16] I want to take a moment to tell you about our sponsors at the Billington Global Automotive Summit. The heads of GM, Lift, General Dynamics and the Department of Transportation offer their perspective on the latest strategies, best practices and steps needed to ensure cyber security and connected cars, and autonomous vehicles, at the Billington Global Automotive Summit, meeting this July 22nd at Detroit's Cobo Center. They'll join top cybersecurity professionals from three of the world's leading auto makers, as well as the leader of the newly formed Auto-ISAC to discuss a new path forward in auto cybersecurity. Registering with promo code CyberWire2016 will save you 20% on admission. Don't miss this information-rich day with the most important stakeholders in the dynamic world of connected cars, and autonomous vehicles. Register at BillingtonCyberSecurity.com/GACS. And don't forget to use the promo code, CyberWire2016 to receive 20% off the corporate rate.

Dave Bittner: [00:16:39:07] A week of patching is rounded out with fixes from SAP and Cisco. SAP has issued 36 patches, two of which the enterprise software maker rated "high priority.” Cisco addressed security issues in its Cisco IOS, IOS XR, ASR 5000, WebEx Meetings Server and Cisco Meeting Server.

Dave Bittner: [00:16:58:15] In other industry news, Delta Risk Cybersecurity Services announced plans to acquire Allied InfoSecurity. Denver based CyberGRX emerged from stealth with $9 million in Series A funding led by Allegis Capital. Bay Dynamics received $23 million in Series B funding earlier this week. That's a correction from the number we reported yesterday.

Dave Bittner: [00:17:22:01] At the SINET Innovation Summit in New York yesterday, we heard of much interest on connecting security companies with investors and government agencies. A few of the points speakers made are worth noting here, as we hear of some successful and innovative startups. Those who buy from and invest in startups offer this advice. Young companies succeed if they can execute, if they're differentiated from the very large field of competitors, and if they have market space for what they’re offering. And, as one panelist put it, when asked what counts as success, "Success is building a sustainable business, not how much money you raise, or who's on your board." We’ll have a full report on SINET’s 2016 Innovation Summit this coming Monday.

Dave Bittner: [00:18:01:23] And finally, Pokémon Go shows no signs of flagging popularity. Its inexorable long march toward our newly augmented reality continues apace. TechCrunch reports that the game’s revenue per user and its retention rates are double, that’s right, double, the industry average. The game has reached the UK, and its purveyors say that they’ll go global once they've released it in two or three more countries. It’s interesting to us, of course, not because we all play Pokémon - well, okay, some of our staff might, but others seem to prefer Crash Bandicoot - but because any widely distributed app presents an increased attack surface and ample opportunity for fraud. Even the US Senate (well, okay, so it’s mostly Senator Al Franken) is concerned. Pokémon Go’s security risks remain intensely debated. Whether the privacy issues that cropped up from the inadvertently extensive privileges the game initially assumed have been fully addressed or not, players are strongly cautioned to be alert for bogus apps and pirated versions and to look both ways in physical space before crossing streets. Augmented reality isn't yet so augmented that it will protect you from a smash up. Let’s be safe out there, friends.

Dave Bittner: [00:19:12:19] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. I'm Dave Bittner. Have a great weekend everybody. Thank you for listening.