US elections proceeded undisrupted by hacking. Patch Tuesday review. Banking Trojans, Android trigger-malware, and thermostats gone wild.

Dave Bittner: [00:00:03:09] Patch Tuesday reviews. Microsoft closes 13 vulnerabilities (five of them "critical"), Adobe fixes Flash Player and Google addresses Android issues. "Trigger-based" mobile malware and why it's hard to see. Why usability matters to security. Tesco continues to recover from ATM fraud, Thermostat trouble in Finland and, oh yeah, we also hear there was some kind of election or something in the US.

Dave Bittner: [00:00:33:09] Time to take a moment to tell you about sponsor CyberSecJobs. If you're an information security professional seeking your next career, or your first career, check out cybersecjobs.com and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professionals and students. If you're a job seeker you can create a profile, upload your resumé and search and apply for thousands of jobs and if you're a recruiter, it's great for you too. If you're looking to source information security professionals, you should contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. To learn more visit cybersecjobs.com, that's cybersecjobs.com and we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:30:01] I'm Dave Bittner in Baltimore with your CyberWire of summary for Wednesday, November 9th, 2016.

Dave Bittner: [00:01:35:07] Yesterday and today, of course, have been big news days. Microsoft issued 13 security bulletins, five of them rated "critical." Among the vulnerabilities patched is the one Google publicly disclosed last week, to Redmond's displeasure. That fix closes a privilege escalation hole in Windows that can be used to escape security sandboxes.

Dave Bittner: [00:01:56:10] Adobe and Google also patched. Adobe addressed issues in Flash Player and Adobe Connect, fixing nine remote code execution vulnerabilities. Google addressed 12 critical vulnerabilities in Android, including the bit-flipping privilege-escalation risk known as Drammer, but Mountain View left a comprehensive fix for the Dirty Cow Linux kernel rooting vulnerability to a further round of patching. A supplemental patch did deal with Dirty Cow for Nexus and Pixel devices. Other handsets will get their fix next month. Google also noted that Chrome's Safe Browsing will henceforth crack down on sites determined to be repeat offenders.

Dave Bittner: [00:02:33:22] In response to reports that Android malware in the wild is becoming more "trigger-based" and more evasive, Giovanni Vigna, Lastline's co-founder and CEO, told the CyberWire that, "As users are increasingly relying on their smartphones for security-critical operations such as banking, cybercriminals are leveraging these new activities to collect information about two-factor authentication messages, or credentials, to spread malware through social network accounts." He also sees usability issues. It can be tough for a smartphone user to know what applications are running at any given time, which opens up vulnerabilities to phishing and clickjacking. "Malware takes control of the device and presents to the user a login page similar to the one the user intends to use. By doing this, the malware can collect credentials that are later used for spreading malware and performing social engineering attacks."

Dave Bittner: [00:03:27:10] Recent studies, notably one from the consultancy CEB, have suggested that a majority of employees don't generally follow all of their enterprise's breach prevention policies. But that doesn't surprise experts in the security industry. Mike Ahmadi of Synopsys Software Integrity Group told the CyberWire he wasn't surprised, because, as he put it, "I have indeed been in the same situation. In one case the IT department simply did not have any failure mode in place to compensate for instances where policies caused a halt in workflow, due to any of a number of reasons. I was still expected to get the job done, and the lower level IT support staff would often suggest a workaround." It's not that employees are careless, malicious or negligent. It's that their enterprises expect productivity. As Ahmadi noted, they don't reward unproductive employees for following data loss prevention policy.

Dave Bittner: [00:04:20:03] Zoltán Györkő, CEO of Balabit, thinks the studies are discouraging and demonstrates a need for real-time monitoring. The lesson seems to be this: if security doesn't come with usability, it will be self-defeating.

Dave Bittner: [00:04:33:23] Banking malware is also evolving this week. Svpeng, a mobile Trojan Kaspersky, as found lurking in the AdSense network, is troubling bank customers. Indian users seem especially affected. Researchers at IBM X-Force warn that TrickBot, a Dyre successor is using server-side injection and redirection against its targets.

Dave Bittner: [00:04:55:16] British bank Tesco has brought its operations back closer to normal, but it says £2.5 million were lost to debit card fraud over the past week. The money seems to have gone to crooks in Spain and Brazil. Investigations are in progress and the precise mechanisms of the fraud remain unknown.

Dave Bittner: [00:05:13:20] Canadian electronic collection policy has become controversial. It's receiving a great deal of scrutiny after allegations surfaced that at least ten journalists in Quebec came under police surveillance.

Dave Bittner: [00:05:26:11] If you're a Skype user, like us, there's research from the University of California, Irvine that suggests you may want to think twice before multitasking while you're on that call. We spoke with Professor Gene Tsudik from UCI about potential security vulnerabilities that come from typing on your keyboard while using Skype.

Gene Tsudik: [00:05:45:09] They faithfully transmit the sound from one site to another right, that's what they're all about. This includes the sound of the keys being pressed. Nothing surprises me about that. What hasn't been realized until recently is that someone who is taking part in the conversation with you, can reconstruct what keys are being pressed by recording and analyzing the sound of the keystrokes being pressed. We can determine what's typed into the keyboard on the other side of the Skype conversation.

Dave Bittner: [00:06:15:22] How with just the sound of the keys being pressed, how can you then convert that into text?

Gene Tsudik: [00:06:22:20] If we know the computer that is being used, so let's say it's an Apple Macbook Pro, we know that it has a certain type of keyboard. Every time you press a key it makes a sound, but different keys makes different sounds. By training our sort of program to recognize, to map incoming sounds into the key sounds that the keyboard makes, we can determine what key is being pressed. Now the second possibility is that I don't know what you're using. Often times, especially if we're using video conferencing, in addition to audio conferencing it's actually possible to see the keyboard, especially if they are external. So it might be possible to determine what kind of a keyboard is being used in real time.

Gene Tsudik: [00:07:08:22] The other possibility is that I really don't know what you're using. Well it turns that there is a finite number of keyboard types out there, you know, so I'd like to assume you're not using some kind of exotic, I don't know, Swahili keyboard. You know I'm pretty sure you're using the normal, you know, like US, English type keyboard, right? And for each one of them it is not difficult to build a sound profile. That is build the profile of the sounds that individual keys make on that keyboard.

Dave Bittner: [00:07:36:20] And what degree of accuracy do you get?

Gene Tsudik: [00:07:39:11] What we have done so far is showing with clinical experiments, clearly timing. We try not to have extraneous noise. If we know the keyboard type, the accuracy is in the low 90%. I expected it to be fairly accurate, but I never expected it to be that accurate. But I can almost completely guarantee you is that what we have done is known to the hacker community and, surely, if it's known to the hacker community, it's probably known to the intelligence community.

Dave Bittner: [00:08:07:08] That's Professor Gene Tsudik from the University of California, Irvine.

Dave Bittner: [00:08:13:01] In industry news, there's some M&A activity to report. Thycotic, backed by Insight Venture Partners, has acquired Cyber Algorithms, a Virginia-based network security analytics shop. No financial details are available, but it's worth noting that Cyber Algorithms is an alumnus of the Mach37 Cyber Accelerator.

Dave Bittner: [00:08:33:07] And California-based Synopsys has agreed to acquire Cigital, a provider of software security managed and professional services. Synopsys will also pick up Codiscope, a Cigital spinoff that provides complementary security tools. Both acquisitions are expected to be completed next month.

Dave Bittner: [00:08:52:15] Oh, the US held elections yesterday, we heard. Voting was a little disturbed by hacking, with high-turnout and despite fears of DDoS or manipulation of results. There were reports of some low-grade telephonic denial-of-service that had very limited effects on both parties' get-out-the-vote ground game. The precautionary DHS all-hands-on-deck appears to have remained just that, precautionary. The information operations mounted from Russia over the course of the Presidential campaign will be dissected for months if not years to come. In the meantime, WikiLeaks' Julian Assange assumes the unlikely mantle of good-government advocacy. Tell it to Vlad, Jules. Fears of Russian intervention in European elections, particularly in the Balkans and Central Europe, will now displace worries about voting in America.

Dave Bittner: [00:09:42:15] Finally, while DDoS may have left the US electoral Internet-of-things largely alone, the same can't be said of IoT devices in smart homes over in Finland. Residents of two smart apartment buildings in Lappeenranta, Finland, complained that their heat was off over the weekend. Smart thermostats were being subjected to DDoS and so kept rebooting, effectively turning off the heat. It's in the teens in Lappeenranta right now, according to the weather reports our stringers like to keep up with. So baby, it's cold outside. Check those thermostats and stay warm. Not too warm, mind you, just warm enough.

Dave Bittner: [00:10:23:21] And now it's time to mention one of our sponsors E8 Security and let me ask you a question. Do you fear the unknown? Lots of people do of course, scary clowns, slender man, stuff like that. But we're not talking about bugs, we're talking about real threats, unknown unknowns lurking in your networks. The people at E8 have a white paper on hunting the unknowns with machine learning and big data analytics that go beyond the old school legacy signature matching and human watch standing. Go to E8security.com/DHR and download their free white paper, Detect, Hunt, Respond. It describes a fresh approach to the old problem of recognizing and containing a threat that no- one is ever seen before. The known unknowns, like Chessy or Champy, they're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them. E8security.com/DHR and check out that free white paper. And we thank E8 for sponsoring our show.

Dave Bittner: [00:11:26:14] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, you know, I recently visited my doctor's office, my general practitioner. I went in for a check up and when I checked in with the doctor, they asked for my insurance card, which I gladly handed over and then they asked me for my driver's license. And I maybe, you know, paused a little bit for that but I didn't want to cause any trouble so I handed over my driver's license and the woman behind the counter took my driver's license and promptly put it in her scanner and scanned it.

Joe Carrigan: [00:12:00:23] [LAUGHS] Made it part of your electronic medical record.

Dave Bittner: [00:12:03:05] Right. And so that gave me a little bit of pause. Am I overreacting here or not?

Joe Carrigan: [00:12:10:01] I don't think you are. My personal preference is to not give them that kind of information. My question would be 'why do you need my driver's license?' and if the answer was 'I'm going to scan it in and put it in your record', my answer would be 'you know what? I walked here, I don't have a driver's license', you know?

Dave Bittner: [00:12:26:24] Alright.

Joe Carrigan: [00:12:27:10] I think maybe I would lie, I don't know. I do have a driver's license.

Dave Bittner: [00:12:30:04] You're going to be that guy.

Joe Carrigan: [00:12:31:03] Yeah I'm going to be that guy. I'm always that guy. Medical records are very valuable on the black market. I think some of the statistics I've heard are that they're, like, ten times more valuable than other records because they provide information that doesn't change.

Dave Bittner: [00:12:48:18] Right.

Joe Carrigan: [00:12:49:05] I mean, if I still a credit card from somebody and start using that credit card, it becomes pretty obvious that I've stolen the credit card and they cancel the credit card and the impact to both the customer and the credit card company are minimal. If I steal someone's medical data, I have a lot of information about them and if that medical data contains their social security number, that's great. Now I can essentially impersonate that person for a very long time. It becomes a much harder problem to solve than a lost credit card.

Dave Bittner: [00:13:18:24] Yes, and I was thinking, you know, with this particular doctor he's part of a group of doctors, which is more popular these days. In the old days he kept all of his medical records right there on site, I could actually see the stacks of records, they'd go and pull a file out that was mine, but now it's all electronic, who knows where it is, you know, and obviously there are regulations in there.

Joe Carrigan: [00:13:38:01] There are regulations. HIPAA has a bunch of requirements about how you store that data. Like, for example, I work at Hopkins, so we have a system that is storing medical data for research and, even though it's medical data that functions for research purpose, it still has to be secured and that security includes camera on the access point, the physical access point, the physical access point has to be locked, people have to be able to log when they go into the physical location. That's a security requirement that you don't see on a lot of other places. But that's part of the requirement for HIPAA, and there's lots of other requirements as well.

Dave Bittner: [00:14:16:22] Yeah. Alright, well sometimes maybe it's in your best interest to be that guy.

Joe Carrigan: [00:14:21:04] Right I think it is [LAUGHS] and I'm not afraid to be that guy.

Dave Bittner: [00:14:25:13] Yes, maybe I'm just a little more polite than you Joe.

Joe Carrigan: [00:14:27:21] Yeah I'm not.

Dave Bittner: [00:14:28:11] Maybe you're not [LAUGHS]. Alright, it's good talking to you.

Joe Carrigan: [00:14:32:08] My pleasure.

Dave Bittner: [00:14:35:03] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.