The CyberWire Daily Podcast 1.20.16
Dave Bittner: [00:00:03:06] Ukraine girds for more Russian hacking. British crypto policy moves closer to key escrow. The Dridex banking Trojan picks up DNS cache poisoning capability. Perception Point finds a serious Linux kernel bug. Oracle, Apple, Linux, BIND, and Yahoo issue patches. Lloyds issues guidelines for common cyber risk data. Chinese cyber espionage is directed against the latest US fighter aircraft. And the US Congressional Research Service recommends lawmakers take a closer look at cybersecurity in Executive agencies.
Dave Bittner: [00:00:36:07] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly-skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.
Dave Bittner: [00:00:59:04] I’m Dave Bittner in Baltimore with your CyberWire summary for Wednesday, January 20, 2016.
Dave Bittner: [00:01:05:11] Wired offers a summary of everything known about the Ukrainian power grid hack. The big takeaway is that it was indeed a hack.
Dave Bittner: [00:01:12:06] A researcher from University College London reports dangerous weaknesses in a voice encryption protocol her Majesty's Government is pushing on suppliers. Steven Murdoch argues that the MIKEY-SAKKE protocol would have service providers hold a master decryption key. MIKEY-SAKKE stands for Multimedia Internet KEYing-Sakai-Kasahara Key Encryption. Easy for you to say. The Government doesn't call it "key escrow," but Murdoch thinks that's what it amounts to. The report on MIKEY-SAKKE appears as Parliamentary debate over the Investigatory Powers Bill continues. The Home Office continues to disavow any intention of weakening encryption, instead representing the key escrow approach as serving both privacy and investigative needs (subject to warrants, appropriate oversight, and so on).
Dave Bittner: [00:01:57:01] There are no major policy moves reported in the US, and no new shots in the crypto wars between the Beltway and the Valley, but the Congressional Research Service has advised legislators to require more reporting on cyber security from executive agencies.
Dave Bittner: [00:02:10:10] IBM's X-Force notes an evolution in the long-familiar Dridex banking Trojan. Dridex is now using DNS cache poisoning to direct traffic to clones of some thirteen British bank sites.
Dave Bittner: [00:02:23:05] Researchers at Perception Point discover and disclose a serious Linux kernel bug that could allow remote unauthenticated users root access to affected devices. The flaw appeared in Linux version 3.8, released in 2013. Patches are coming this week, but the notorious difficulty of pushing updates to endpoints makes it a lead-pipe cinch that the vulnerability will persist for the foreseeable future. Personal computers, servers, and Android devices are all at risk.
Dave Bittner: [00:02:50:01] Phishing attempts seek to spread the Gaza Cybergang's DustSky persistent spyware to targets in Israel, Egypt, Saudi Arabia, the United Arab Emirates and Iraq. Phishing and other social engineering approaches are implicated in other attacks, including attempts to harvest credentials from LastPass. LastPass has patched the flaw that enabled exploitation.
Dave Bittner: [00:03:11:00] Other significant patches released this week include updates from Apple (for iOS, OS X El Capitan, and Safari), Oracle, Yahoo Mail, and BIND. Laggers determined to straggle along with old versions of Internet Explorer get some good news: Trend Micro says it will continue to offer protection for the more venerable versions of Microsoft IE.
Dave Bittner: [00:03:31:13] Yahoo paid a reported $10,000 in bug bounty for the Yahoo Mail vulnerability. Those of you interested in finding and disclosing the bugs that get patched might be interested in consulting ENISA's newly released set of best practices for disclosure.
Dave Bittner: [00:03:46:00] The cybersecurity of acquisition targets gets larger in M&A due diligence. Prospective buyers of banks in particular are giving close scrutiny to security posture before buying. Actuaries and accountants are playing a larger role in such scrutiny: Lloyds releases a set of common core data requirements for cyber risks, and more firms work toward credible, quantified ways of putting a price tag on cyber value-at-risk.
Dave Bittner: [00:04:09:18] Students at Cornell are working on sarcasm detection, which they see as a means of improving the quality of online reviews; like that's gonna work.
Dave Bittner: [00:04:18:21] In industry news, IronScales and ThreatQuotient announce new rounds of venture funding. And Symantec's sale of Veritas to the Carlyle Group will, it seems, be less pricey for Carlyle: about $1 billion less pricey, according to reports.
Dave Bittner: [00:04:34:09] In cyber crime and punishment, Chinese military officers and an accomplice in Canada are accused of attempting to hack into technical information related to development of the US F-5 Joint Strike Fighter. The Canadian accomplice awaits extradition to the United States. The Chinese principals? Well, they're in China.
Dave Bittner: [00:04:54:18] This CyberWire podcast is made possible by the generous support of Recorded Future, the real-time threat intelligence company whose patented web intelligence engine continuously analyzes the entire web to help information security analysts stay ahead of cyber attacks. Learn more at recordedfuture.com.
Dave Bittner: [00:05:17:02] Joining me is Jonathan Katz. He's Professor of Computer Science at the University of Maryland and also the Director of the Maryland Cybersecurity Center; they're one of our academic and research partners. Jonathan, I want to talk about authentication today. Let's start off with a definition: what is authentication?
Jonathan Katz: [00:05:33:00] Well very simply, authentication is a mechanism that allows a user to prove who they are, to prove their identity to another system. So we're all familiar with this idea of logging into a website, logging into a bank site, logging into access your email and before doing so you need to authenticate yourself to prove that you're the person that should have access to that information.
Dave Bittner: [00:05:52:17] At the most basic level we've got passwords and then we've got multi-factor authentication, so as authentication gets more sophisticated, what are the ways we can protect ourselves?
Jonathan Katz: [00:06:02:15] Yes, I think our passwords are here and I think here to stay. Even with all their problems. And so that's why people are now recommending that users use two-factor authentication to make the authentication process more secure. At the most basic level this might involve using a password in conjunction with some information on your mobile phone for example. Google, as an example, offers two-factor authentication where they'll use some information, a code that comes up on your phone in addition to your password before they'll allow you in. This can make users a lot more secure because it's a lot harder for an attacker to both guess the user's password and also figure out the code from their cell phone.
Dave Bittner: [00:06:42:16] Do you ever see us coming to a time when we're not gonna be using passwords anymore? Is there anything on the horizon that could replace them?
Jonathan Katz: [00:06:48:13] Well, I think passwords are going to be here for a while, but I do think that people are working on newer forms of this two-factor authentication, which are relying for now on mobile phones because of the fact that people are carrying them around with them all the time. You can have a code popping up on your phone, you can have a text message being sent to your phone, you can rely on geographical information about where the user is, you can rely potentially on an IP address of a person's computer. But I do think that those are all still going to be used in conjunction with a password for the foreseeable future.
Dave Bittner: [00:07:20:06] What kind of advice would you give to people who are looking to shore up their security when it comes to authentication?
Jonathan Katz: [00:07:26:09] Well really there are two things. I mean, the first is to demand two-factor authentication and to use two-factor authentication when it's available. I mentioned earlier that Google allows users to use two-factor authentication and I would recommend that. Some banks now are also offering two-factor authentication although not all of them. On the other side, when you have a site that does not offer two-factor authentication, you should take some steps to make sure that your password is not easily guessable. Even if that means actually coming up with a complicated password and then writing it down on a piece of paper that you keep in your wallet. These days that can actually be more secure than using a weak password that you can remember but that hackers can easily guess.
Dave Bittner: [00:08:04:04] Alright Jonathan Katz, thanks for joining us.
Dave Bittner: [00:08:08:05] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit TheCyberWire.com. The CyberWire podcast is produced by CyberPoint International, and our editor is John Petrik. Thanks for listening.