The CyberWire Daily Podcast 1.25.16
Ep 21 | 1.25.16



Dave Bittner: [00:00:03:01] Scarlet Mimic threat actors watching Tibetan and Uyghur dissidents and their allies. ISIS, whose cyber operators have increasingly been targeted by US airstrikes, posts another inspirational video threatening the UK. Anonymous remains quiet with respect to ISIS, but punishes Japan for whaling. Ireland sustains another wave of denial-of-service. Insurance markets and lawsuits shape cyber standards of care (and one risk analysis tool offers some insights). We learn some things about Internet-of-things security. And if you're worried about someone hacking your nanny-cam, well, for Mary Poppins' sake, password-protect that thing.

Dave Bittner: [00:00:39:18] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly-skilled professionals in the field of information security, assurance and privacy. Learn more online at

Dave Bittner: [00:01:02:09] I’m Dave Bittner in Baltimore with your CyberWire summary for Monday, January 25th, 2016.

Dave Bittner: [00:01:08:09] Palo Alto Networks releases the results of a long-running study of cyber operations, mostly reconnaissance, conducted against Tibetan and Uyghur dissident groups in China. Palo Alto calls the threat group involved "Scarlet Mimic" and offers no other attribution, but other observers think the target set fits the interests of Chinese security services.

Dave Bittner: [00:01:29:05] The US is reported to be actively targeting ISIS cyber operators with air strikes. ISIS cyber operations, despite last week's minor defacement of a Chinese university's webpages, continue to concentrate on information ops. A particularly lurid instance of inspiration appeared over the weekend, as ISIS released a 17-minute clip of the Paris terrorists engaged in pre-attack training and local atrocities in Syria.

Dave Bittner: [00:01:53:07] In Pakistan, hacktivists respond to last week's massacre at Bacha Khan University by taking control of websites belonging to Pakistan's Ministry of Health. The defaced pages express solidarity with bereaved families and demand vengeance against the attackers (thought to be a faction of Pakistan's Taliban).

Dave Bittner: [00:02:10:18] Anonymous remains quiet on the anti-ISIS front, but elements of the collective do hit the website of Japan's Narita International Airport to protest whaling.

Dave Bittner: [00:02:19:16] Irish government websites have come under a sustained distributed denial-of-service campaign; this follows last week's similar attack on the national lottery. No individual or group has claimed responsibility; authorities are investigating.

Dave Bittner: [00:02:33:06] Google disputes Perception Point's claims of widespread Android device vulnerability to privilege escalation attacks through a kernel bug. The bug is real, and Google's patched it, but Google insists only a minority of devices would have been affected.

Dave Bittner: [00:02:47:09] The SSH backdoor recently discovered in Fortinet's FortiGuard system has now also been discovered in the company's FortiSwitch, FortiAnalyzer and FortiCache products. Fortinet advises moving to more recent versions (unaffected by the backdoor) and has also provided a set of manual workarounds to mitigate the vulnerability.

Dave Bittner: [00:03:06:15] AMX Harman, provider of widely used audio-visual equipment and building system controls, denies deliberately putting a backdoor into its products. The putative backdoor is merely "a legacy diagnostic and maintenance login for customer support," according to the company, and they say they removed it back in December. They also apparently pushed out a "hot fix" some ten days ago. The company that disclosed the vulnerability, SEC Consult, says it hasn't had time to evaluate the patches yet.

Dave Bittner: [00:03:33:13] Shodan, the Internet-of-things search engine, has added a category that displays screenshots taken from vulnerable webcams. For the most part the vulnerable cameras are not protected by passwords, so the privacy fix seems obvious: password protect your webcams, baby monitors, nanny cams, etc.

Dave Bittner: [00:03:50:05] Malwarebytes describes a strain of ransomware, "LeChiffre," which has been infesting Indian banks and at least one pharmaceutical company since early this month. Belying the French name it's been given, LeChiffre seems to have been written in Russia. It is, Malwarebytes sniffs, "unprofessional" in its lack of obfuscation, openness to analysis, primitive encryption, and unsophisticated mode of communication (it asks the victims to email the controllers). So, probably the work of rookies, but troublesome nonetheless.

Dave Bittner: [00:04:20:24] RSA 2016 has disabled what appeared to be a Twitter-credential-collecting registration form. The misstep (as well as the choice of entertainment celebrities for a few of the expo's much-coveted keynotes) has provoked some pre-conference controversy.

Dave Bittner: [00:04:35:11] Skype has enhanced its users' privacy: it will henceforth hide their IP address.

Dave Bittner: [00:04:41:05] Here's a dog-bites-man story from Blue Coat. The security company releases a study that points out that browsing porn is bad for your smartphone, and presumably other devices as well. Not surprising, of course, but a reminder is always in order.

Dave Bittner: [00:04:55:10] Business Insurance describes the "patchwork" quality of conventional insurance coverage for cyber incidents. Willis Towers Watson Wire goes them one better, laying out in some detail trends in what cyber policies cover and what they do not. Damage to digital assets is generally included; death or physical injury typically would not be. In general the trends would be unsurprising to those familiar with insurance markets. One big remaining area of uncertainty involves coverage for damages sustained in cloud operations.

Dave Bittner: [00:05:24:19] As insurance markets continue their contribution to developing cyber standards of care, so does the plaintiff's bar. One case industry should watch closely is Affinity Gaming's suit against Trustwave, which alleges the security provider failed to meet acceptable standards in investigating and preventing further damage from an incident Affinity experienced. The outcome will have implications for both tort and contract law. Observers call it potentially "disruptive" to the cyber security industry, and they counsel, unsurprisingly, that security vendors should take a close look at their insurance coverage.

Dave Bittner: [00:05:57:13] Thus insurance markets and lawsuits will probably prove, again, to be reciprocally illuminating. Of interest in this regard is Business Insurance's announcement of its innovation awards, one of which goes to PivotPoint Risk Analytics for its new method of estimating and quantifying cyber value-at-risk. PivotPoint Risk Analytics was spun off from our publisher, CyberPoint International, last October.

Dave Bittner: [00:06:19:16] The US and the EU are in the final stages of Safe Harbor negotiations, and whether they achieve a new agreement before the legacy agreement expires remains in doubt.

Dave Bittner: [00:06:28:08] US Attorney General Lynch denies it's Administration policy to require backdoors or weaken encryption. The Government just wants some technical help from the tech sector to avoid the bugaboo of criminals going dark online. What such help would look like remains to be worked out.

Dave Bittner: [00:06:46:00] This CyberWire podcast is brought to you through the generous support of Betamore, an award winning co-working space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at

Dave Bittner: [00:07:05:23] I'm joined by Joe Carrigan, Senior Security Engineer at Johns Hopkins Information Security Institute; they're one of our academic and research partners. Joe, the Internet of Things. Let's start with the consumer stuff. What's the downside, what's the danger of my refrigerator being connected to the internet?

Joe Carrigan: [00:07:09:01] These are things that have not traditionally been internet connected that are now becoming internet connected. About six months ago, Samsung had a refrigerator that they opened up for penetration testing, and somebody found that if you were on the network, you could perform a man-in-the-middle attack on that refrigerator that would let you get the user's Google username and login, their username and password information.

Dave Bittner: [00:07:43:02] Is it a matter of it just being one more thing, one more place where someone has an opportunity to get at your information?

Joe Carrigan: [00:07:50:14] Absolutely. This is what we refer to in security as your attack surface. And when you start putting all these other devices on your network, you start increasing your attack surface.

Dave Bittner: [00:08:00:12] But speaking of the industrial systems, what is the danger here? What are we up against?

Joe Carrigan: [00:08:04:18] This is an interesting problem. We've seen three attacks now on industrial control systems that have caused real-world damage. The first was in Iran, where we had the centrifuges fail because of the Stuxnet worm. We've also seen it in a steel mill in Germany; we don't know which one because the information hasn't been released, but there was physical damage to a steel mill in Germany. And recently in the Ukraine, a power grid was taken down for several days remotely by attacking the industrial control systems on that power grid.

Dave Bittner: [00:08:39:07] Would your advice be stay away? Be cautious? How should people protect themselves?

Joe Carrigan: [00:08:45:05] My advice is to stay away. But I understand that there's a cool factor to it, and yes, you should protect yourself; you should know what the device is doing. Now you have to keep up to speed on any security alerts that come out about that device.

Dave Bittner: [00:09:01:06] It's one more thing in the home to worry about in terms of cybersecurity?

Joe Carrigan: [00:09:05:14] Correct, and I don't know how many people actually keep up to speed even on the security issues of their own operating systems, on the main computers that they use daily.

Dave Bittner: [00:09:14:22] Joe Carrigan from Johns Hopkins University Information Security Institute. Thanks for joining us.

Joe Carrigan: [00:09:19:16] My pleasure.

Dave Bittner: [00:09:22:16] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit The CyberWire podcast is produced by CyberPoint International, and our editor is John Petrik. Thanks for listening!