Dave Bittner: [00:00:03:14] ISIS crypto claims are exposed as bogus. Patches are out from Magento, Oracle, FreeBSD and Apple. Corporate cyber risk disclosures remain big, but the insurance market is rapidly growing more rigorous than SEC regulations. Venture capital looks for the next generation of cyber unicorns. More international cooperation in cyber law enforcement, but US/EU Safe Harbor negotiations continue to drag despite US offers of a "privacy ombudsman." And don't click on CrashMySafari, and no, sending that link is not funny, thank you very much.
Dave Bittner: [00:00:38:05] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.
Dave Bittner: [00:01:01:02] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, January 26th, 2016.
Dave Bittner: [00:01:07:17] The video ISIS released over the weekend appears to contain some fakery—not, alas, the murders, but rather the claimed encryption. The encrypted email is patently bogus, faked, according to informed observers. Why it was even included is the subject of some speculation. Perhaps it represents an attempt at building internal morale, or perhaps it's intended to frighten the opposition. Or, more interestingly, some speculate ISIS' claims to have strong encryption is aimed at rushing governments into policies that would subvert or otherwise restrict encryption. Presumably this would give pro-ISIS hacktivists more access to their targets, and would also serve to, as old-line Trotskyites might put it, heighten the contradictions. (But beware—one of those informed speculators is Edward Snowden, who's not entirely a disinterested party with respect to encryption policy.)
Dave Bittner: [00:01:56:03] In what appears to be a dimwitted Internet gag, various trolls are circulating a link to "crashmysafari.com" which, unsurprisingly, does something close to what it advertises. The site will induce the browser to process an indefinitely increasing string of characters, thereby clogging memory and forcing devices to reboot. OS X, iOS, and Android devices are said to have been affected. One note: beware of shortened URLs in tweets sent by what Hack Read characterizes as "some idiots." The shorter URLs may be less immediately recognizable as leading to the gag site, so click with care.
Dave Bittner: [00:02:32:05] The FortiOS SSH vulnerability (either a backdoor, as critics call it, or an oversight in a management authentication issue, as Fortinet maintains) has been found and fixed in additional Fortinet products. Active exploitation attempts are now being observed in the wild.
Dave Bittner: [00:02:48:16] Versions 1 and 2 of the popular e-commerce platform, Magento, have been found vulnerable to cross-site scripting. A patch is available, and analysts recommend it be applied as soon as possible.
Dave Bittner: [00:03:00:04] In other patch news, Oracle issues some Java patches ("patch it or pitch it," advises Brian Krebs). FreeBSD fixes a kernel panic vulnerability that can lead to denial-of-service conditions, and Apple pushes out a security update that addresses "multiple vulnerabilities" in tvOS. OpenSSL is expected to issue two patches later this week.
Dave Bittner: [00:03:21:02] Risk management keeps its place center-stage in industry news. A study of corporate risk disclosures in US Securities and Exchange Commission filings finds such disclosures, including those pertaining to cyber risk, generally generic and uninformative, especially insofar as they fail to identify company-specific risks. The insurance market, however, continues to move toward more rigorous characterization of cyber risk. Some of that movement comes from the UK, where companies partnering with Cambridge University's Centre for Risk Studies have evolved a Cyber Risk Exposure Data Schema. In the US a variety of approaches to cyber risk analysis are on offer, ranging from traditional consulting interviews to various scans of the external environment.
Dave Bittner: [00:04:02:18] Venture capital continues to flow unabated into cyber security start-ups. "Next generation" appears to be the magic words being spoken to conjure unicorns.
Dave Bittner: [00:04:12:14] Proofpoint, subject to speculation that it will be an acquisition target, says that it doesn't intend to put itself on the block any time soon.
Dave Bittner: [00:04:20:13] In policy news, more international security and intelligence cooperation is in the offing. Australia and Thailand are working on an agreement, and the European Union is opening a new counter-terrorism center. Law enforcement officials see such collaboration as particularly important to the investigation and prosecution of inherently borderless cyber crime.
Dave Bittner: [00:04:39:24] Negotiations over a successor Safe Harbor agreement between the US and the EU proceed. The US is said to have floated the idea of establishing a privacy "ombudsman" to address concerns EU citizens might have over US Government access to their data.
Dave Bittner: [00:04:55:23] Elsewhere in the US, as responsibility for security clearance information is set to shift from OPM to the Department of Defense, US Cyber Command warns that the country faces technological "peer competitors" in cyberspace.
Dave Bittner: [00:05:08:20] The baffling case we saw last week of the couple in Atlanta bedeviled by people whom Find My iPhone kept sending to their address looks closer to solution. Flaws in cell tower triangulation might be leading tracking software to pick a single default location, and it may be that this location just happens to be that couple's home. They've filed a complaint with the Federal Communications Commission and their senator, and we wish them good luck.
Dave Bittner: [00:05:33:14] And in some final crime and punishment news, one "Lorde Bashtien," allegedly associated with the Crackas With Attitude, doxxes the Miami Police Department via what he (or she) claims is the compromise of an FBI database. The declared motive is revenge over a raid on a Miami house that Lorde Bashtien and some of his (or her) friends rented sometime last year. Observers wonder why it's taking law enforcement so long to round up the Lorde and his colleagues. Some news reports casually refer to the Crackas With Attitude as a defunct group, which raises the question of how so casually assembled a group could be said to go out of existence. (Logicians may recognize this as an instance of the Sorites Paradox attributed to Eubulides of Miletus. We'll leave this as an exercise for you, dear listener.)
Dave Bittner: [00:06:21:14] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning co-working space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at Betamore.com.
Dave Bittner: [00:06:41:18] Joining me is Jonathan Katz. He's a professor of computer science and the director of the Maryland Cybersecurity Center, one of our academic and research partners. Jonathan, I want to talk about backdoors, specifically the tension that exists between law enforcement, who like backdoors, and industry, which seems to be resistant to them.
Jonathan Katz: [00:06:59:04] Yes, that's right, and I'm actually receptive to the idea that we want to provide law enforcement or a government agency with the ability to access communications of criminals, terrorists or people that they're investigating for one reason or another. But I think the fundamental problem is that any time you allow the presence of these backdoors, you're inherently weakening the security of the system. It's all very well and good to say that this backdoor, this key for example, will be protected and will only be given to government agencies upon presentation of a warrant or some other legal mechanism, but nevertheless you then have to worry about protecting that key. You then have to worry about which people, which employees at the organizations involved, have access to that key; you have to worry about hackers potentially breaking in and getting information about those backdoors. And so inherently you're undermining the overall security of the system.
Dave Bittner: [00:07:48:01] What's your sense for where this is going?
Jonathan Katz: [00:07:50:05] Well, it's really unclear. I mean, the talk right now among the politicians seems to be that they're all in favor of the idea of having some kind of backdoor of that sort, but I don't think they all fully understand the technological implications of that, or the technological difficulties that would be involved in making such a system. So I think it's very easy for them right now to say that, sure, in an ideal world we'd like a backdoor that only law enforcement can access, but if they sat down, and hopefully at some point they will sit down and meet with technical people and try to understand the issues involved, they may come to the realization that it's simply not feasible.
Dave Bittner: [00:08:24:24] Alright, Jonathan Katz, thanks for joining us.
Dave Bittner: [00:08:28:23] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit theCyberWire.com. The CyberWire podcast is produced by CyberPoint International, and our editor is John Petrik. Thanks for listening.