Black Hat USA, Android upgrades, and mind control (maybe).
Dave Bittner: [00:00:02:24] WikiLeaks' release of DNC emails prompt three more senior resignations. Security companies continue to see a Russian hand behind the doxing. Fears of election hacking rise as observers point out issues with e-voting. Citizen Lab continues its reports on governments' adoption of surveillance tools. An ISIS jailhouse interview casts light on terrorist command and control, and NSA gets a new love from Europe. 18-wheelers get a proof-of-concept hack. We take a quick look at Black Hat, and NFL fans want to know is Pokemon Go being used for mind control?
Dave Bittner: [00:00:41:15] Time to take a moment to tell you about our sponsor, Cylance. Are you looking for something beyond legacy security approaches? If you are, and who isn't, you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. And even better if you're at Black Hat this year, swing by Booth 1124 and chat with the Cylance people. Cylance, artificial intelligence, real threat prevention. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:43:14] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, August 3rd, 2016.
Dave Bittner: [00:01:50:06] Three more leaders of the US Democratic National Committee have resigned over the emails WikiLeaks recently published. DNC CEO Amy Dacey, Chief Financial Officer, Brad Marshall, and Communications Director, Luis Miranda, left yesterday. The leaked emails have been controversial in their revelation of an apparent bias against candidate, Bernie Sanders, and in favor of his successful rival, Hilary Clinton. We note that WikiLeaks' founder, Julian Assange, says his organization has a great deal more to release.
Dave Bittner: [00:02:20:21] Assange still isn't saying where WikiLeaks got the documents - WikiLeaks rarely discloses its sources - but security firms including Fidelis and CrowdStrike continue to say the hacks were a Russian operation. Claims by hacktivists to the contrary are put down to disinformation, aimed at giving Moscow plausible deniability.
Dave Bittner: [00:02:40:21] Republican Candidate Trump has eluded to the danger of election fixing, and his Democratic opponents put this down to reflexive conspiracy mongering. Whether this is conspiracy mongering or not, security experts do think that the US elections are in principle at risk of disruption at those points where voting cross the Internet. This can occur either through compromised electronic voting machines or through interception of online votes cast over the web. This story will continue to develop through November and beyond. We'll keep you posted on both the technology and the policy.
Dave Bittner: [00:03:14:07] The University of Toronto's Citizen Lab continues its description of state surveillance tools deployed in cyberspace. Part of the growth in this sector is explained by rising fears of Islamist terrorism. (And some of the growth can no doubt be put down to policy inertia.) Foreign Affairs notes say European reassessment of NSA - upward - as that threat rises.
Dave Bittner: [00:03:37:12] An ISIS leader imprisoned in Germany offers some jailhouse insight into how the terrorist group mixes inspiration with command-and-control. The traditional C2 and operational planning are largely provided by a unit called "Emni," which recruits vets and delivers fighters to zones of anticipated terrorist activity across an international ratline. Control remains relatively loose but the general direction seems sufficient to meet ISIS requirements. Emni is likely to grow in importance as ISIS loses ground in its core territories.
Dave Bittner: [00:04:11:23] Yahoo is investigating the claims by a hacker calling himself "Peace" that he's offering a large trove of Yahoo credentials - two hundred million of them - on the black market.
Dave Bittner: [00:04:23:02] Spearphishing continues to be an effective way to compromise the systems of unsuspecting users. We spoke with Dwayne Melancon, Chief Technology Officer at Tripwire, about the technique.
Dwayne Melancon: [00:04:34:13] Spearphishing is a kind of an attack where people craft a specific message for a specific recipient or a specific audience and, you know, there are kind of mass market phishing emails where you cast a wide net and hope to catch somebody in it. And spearphishing is kind of the opposite, where you do a lot of research and homework on a specific target, and then you craft an email that you know will be either attractive to them or will kind of slip through their defenses. And then generally the purpose is to try to gain access to information or to compromise their computer system so that you can get away with either stealing from them or compromising their infrastructure.
Dwayne Melancon: [00:05:14:18] We've seen where, you know for example, one of the subjects that I've studied, a guy was looking for parts of a vintage car and he had done some posts on outside discussion boards about this, so attackers were able to pretty quickly find out the specific make and model of the car he was interested in and then they crafted an email to him that sounded like "Hey, I saw you on this discussion board, I know you're looking for a part for this kind of car" and you know the guy's defenses immediately go down because now you're talking about something that's not work related, it's something that has to do with a passion or a hobby of his. But then there was a suspicious payload where an infected Word document was sent to him saying "hey here's what I have, let me know if you're interested." He opened up the word document to check it out and it infected his system and they used that as an attack vector to get inside of his organization. So a lot of this only takes a moment and only takes one well crafted email to fool you and then it's game over.
Dave Bittner: [00:06:17:00] What's your advice? I mean how can someone protect themselves against this sort of thing?
Dwayne Melancon: [00:06:20:08] Well there are some methods that you can deploy. So one is you can use what's called sandboxing, where any time information or a system is run on your network, you can check to see what it's doing, you know, is it calling from one of your systems inside your firewall out to an unknown, untrusted system somewhere else. Generally what we see is that a command-and-control server is set up somewhere outside of your firewall and when a system gets compromised it immediately tries to phone home to this command-and-control server and then you know you've got some kind of a compromise that's taken place. It's called a sandboxing approach because you allow things to operate inside of a controlled area, and the moment they try to make contact outside of that control area, you can shut down that access and prevent a command-and-control server from successfully taking over one of your systems.
Dwayne Melancon: [00:07:13:17] There are other things though on the systems themselves. One thing is a lot of organizations, by default, set up users as local administrators, so that they have administrative access on their local assigned system. That actually opens up a lot of security vulnerabilities, so what we recommend is that instead of setting someone up as a local administrator, set up all your new users as standard users by default and that limits what can be executed on their systems. In most cases it will take these kinds of payloads and make them useless, because without administrative access you can't make certain changes to the system that allows the attacker to gain a foothold there. So another method here is to deploy two factor authentication, so that having a user name and password is not enough to gain access to the system and masquerade as that user, you also have to have a token or maybe a challenge response that's sent to a smart phone or some other method to validate that this is a legitimate user accessing this account.
Dwayne Melancon: [00:08:14:24] And you know when you put those things together, that provides several layers of confidence that people are not going to be able to just take over a system and do what they want with a trusted and privileged account.
Dave Bittner: [00:08:26:05] That's Dwayne Melancon from Tripwire.
Dave Bittner: [00:08:30:04] As we look forward to car hacking demonstrations at Black Hat, University of Michigan researchers add to worries about automotive cyber vulnerabilities. They promise a proof-of-concept hack against the brakes and accelerator of an 18-wheeler next week.
Dave Bittner: [00:08:46:10] Black Hat's general sessions opened in Las Vegas today and the theme this year seems to be speed. And not only the speed with which threats evolve and the speed needed to fend off those threats, but the speed companies need to go to market with their security products.
Dave Bittner: [00:09:00:15] We spoke with Allegis Capital's Bob Ackerman last night about some of the things early-stage startups should bear in mind. First while the venture capital market has cooled a bit (generally, not just for cyber security) as investors have come to worry that the market may be overcapitalized, funding remains available but you'll have to work harder to find it. There's reason for optimism in that cyber security is now generally seen as neither speculative nor discretionary. It's something companies understand they have to have. But to attract investors, Ackerman said, you must be differentiated from the others in the sector. There are a lot of point solutions on offer that might be nice as a feature but that won't sustain a company. Don't be one of those offering a point solution. Go for disruption and be clear about your value proposition.
Dave Bittner: [00:09:48:13] We'll have more on Black Hat in the coming days.
Dave Bittner: [00:09:51:21] Finally, these days we seem to always close with Pokemon Go news and today is no different. Our update today comes courtesy of professional football, that's American football, not the kind played everywhere else on the planet. Detroit Lions guard Larry Warford is quoted in C/Net's Technically Incorrect as worried that "Something's not right about the game." He suspects "mind control." Technically Incorrect contacted Niantic, the game's maker, "to ask whether there were any mind control parameters to the game. The company didn't immediately respond."
Dave Bittner: [00:10:25:18] But come on, we'll take our cyber security advice from elsewhere in the NFL, specifically from the Baltimore Ravens John Urschel, a PhD candidate in mathematics at MIT who's presented technical papers to symposia at Fort Meade. Come on John, there's no mind control here right? Is there? Go Ravens.
Dave Bittner: [00:10:50:10] I want to take a moment to tell you about our sponsor, E8 Security. You know once an attacker's in your network there's a good chance they'll use command-and-control traffic to do the damage they have in mind. Could you recognize it? E8's analytics can. Here's what malicious C2 traffic might look like: newly visited sites, visits to a website that doesn't have the features a legitimate site usually does, like a high number of pages, a fully qualified domain name or a distinct IP address, or the association of a website with a limited number of user agents. That's tough for a busy security team but it's easy for E8's behavioral intelligence platform. For more on this and other use cases, visit E8security.com/dhr and download the white paper. And if you're at Black Hat this week, check out E8's great t-shirt scavenger hunt. The details are on their website. E8 Security, detect, hunt, respond. And we thank E8 for sponsoring our show.
Dave Bittner: [00:11:48:10] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, updating your android device or mobile devices in general, but talking about android today specifically. You wanted to make our listeners aware of some updates that came with the android version 6.0.
Joe Carrigan: [00:12:06:01] Yes, 6.0 or Marshmallow as it's called, has granular permission capability. Previously when you installed an app it would say the app is going to have these levels of access, and you would either accept it and say I'm willing to accept that the app is going to access these pieces of my phone or these capabilities on my phone, or you'd say no, I'm not going to accept it and the option was you didn't install the app. Recently I have installed a couple of apps, one is of course Pokemon Go, I was very interested to see how that works, and another one is, if you have teenage kids, a very handy app to have is the urban dictionary, and that updated on my phone and I noticed that it requested new permissions. Well on android 6, you can go in to your settings and then to apps, and then click on the individual app and you can choose which level of permission you allow that app to have. So if the app needs access to your contact list, like Pokemon Go does, it asks for that access and you can say, I don't want you to have access to my contact list but to my camera and to my storage capabilities and to my network, I see where you need to have that to work, so yes you can have access to that.
Dave Bittner: [00:13:24:15] So you've got the ability to dial-in how much access you want, on an individual app basis.
Joe Carrigan: [00:13:30:05] Yes, and in my opinion this is a great feature that android has included with the latest release of their operating system.
Dave Bittner: [00:13:36:15] So is this the kind of thing everyone should go grab a copy of Version 6.0 or how many people are going to be able to take advantage of this?
Joe Carrigan: [00:13:43:02] Well right now, if you go to the android version's Wikipedia article, they have a great graphic that comes from the Google play store. About ten percent of the connections to the Google play store are on android 6, that means 90 percent of the people, and assuming that's a randomized sample or an appropriate sample, which it may not be, that means the vast majority of people can't do this yet. So the operating system needs to be upgraded on the device in order for that to happen. Now maybe the device that people have can't support the new operating system, so in which case it's probably time to go out and get a new device.
Dave Bittner: [00:14:20:17] Alright, Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:14:23:02] My pleasure.
Dave Bittner: [00:14:25:09] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben. And our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.