The CyberWire Daily Podcast 11.18.16
Ep 229 | 11.18.16

US DNI Clapper says Russia "curtailed" election hacking after being named. Three Mobile breached. Android and iOS issues. Good news on ransomware. Start-up rundown. China calls its Internet controls "wisdom."

Transcript

Dave Bittner: [00:00:03:16] US DNI Clapper submits his long-expected resignation, and, on the way out, comments on Russian election hacking. The UK arrests suspects on an upgrade fraud scheme suffered by Three Mobile and its customers. Updates on Android spyware and banking Trojans. Siri might be helping bypass your iPhone's lock screen. There's good and bad news about ransomware, but, happily, more good than bad. A quick review of the week's industry news, with an emphasis on cyber security start-ups. And, in China, Wisdom sees a passing of the Mandate of Heaven in cyberspace. Or that's what Wisdom's spokespeople are saying, anyway.

Dave Bittner: [00:00:45:06] Time to take a moment to share a message about our sponsor, E8 Security. You know, the old perimeter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network once they are in your networks, and the E8 security behavioral intelligence platform enables you to do just that. Its self-learning security analytics give you early warning when your critical resources are being targeted. The E8 Security Platform automatically prioritizes alerts based on risk and lets your security team uncover hidden attack patterns. To detect, hunt and respond you need a clear view of the real risks in your business environment and that is what E8 gives you. Visit e8security.com/dhr and download their free White Paper to learn more. That's e8security.com/dhr. E8 transforming security operations, and we thank E8 for sponsoring our show.

Dave Bittner: [00:01:49:16] I'm Dave Bittner, in Baltimore, with your CyberWire summary and week in review for Friday, November 18th, 2016.

Dave Bittner: [00:01:57:15] US Director of National Intelligence Clapper has submitted his resignation, as he's long intended to do. It will take effect at the change in Presidential administrations, and was planned before and independently of the recent election's outcome. He's also said that he believes Russian cyber operations against US-election-related targets slowed noticeably after the US Intelligence Community took formal, public notice of the attempts to influence voting. Whether any such curtailment was a win for naming-and-shaming or for the retaliation threatened around the same time is unknown. The incoming Administration's prospective intelligence and national security appointments are becoming known, but a successor to James Clapper hasn't so far been named.

Dave Bittner: [00:02:41:12] We've been following news about insider threats lately, and any of you interested in seeing what an insider threat looks like in action may find a good example (by which, of course, we mean a bad example) in news from the United Kingdom. The mobile phone provider Three, which is said to have 8.8 million customers, had noticed an increase in handset fraud over recent months. This week the company disclosed that about six million customers' personal information had been breached by hackers using employee login credentials. The information lost includes customers' names, phone numbers, addresses, and dates of birth. For a sense of scale, the 2015 TalkTalk breach affected roughly 157,000 accounts, and TalkTalk endured fines and lost business that it's only now recovering from. TalkTalk estimated that the breach cost it £60 million. It's too soon to guess what Three Mobile's exposure might prove to be.

Dave Bittner: [00:03:35:03] The fraud, an "upgrade scam," works basically like this, according to reports. The grifters poked through customer records to find people eligible for upgrades, upgraded them to new phones, and then intercepted the new phones, which they sold to other users. It would seem fitting if sales were made from the boot of a car, but how the phones were hawked isn't generally being reported. There's also, of course, the fear that the personal information accessed could itself be sold on the black market, although for now the crime appears to be, as they're calling it, an upgrade scam.

Dave Bittner: [00:04:04:21] How the hackers got the employee credentials is unclear, but once in, effectively they operated as insiders. Three arrests have been made, according to the National Crime Authority.

Dave Bittner: [00:04:15:02] Tripwire has an update on those Android lawful intercept tools researchers found gurgling around on some servers formerly used by Hacking Team. No, the spyware does not appear to be a Hacking Team product, but researchers say it's using old Hacking Team command-and-control servers.

Dave Bittner: [00:04:31:08] There are some other mobile concerns out there as well. Staying with Android for a moment, a banking Trojan, Android.Fakebank.B, is inducing users to add it to their device's battery optimization whitelist, whence it remains active even when the phone's in doze mode. It looks for a set of banking apps, and, should it find one, deletes the legitimate app and gets the user to reinstall a malicious version.

Dave Bittner: [00:04:55:12] There are also some Apple iOS issues. First, Threatpost reports that independent researchers have discovered a bypass vulnerability in Apple’s iOS versions 8, 9, and 10 that could allow an attacker to access photos and contact lists on a locked phone. Until the bug is fixed, users can reduce their risk by disabling Siri on their lock screen.

Dave Bittner: [00:05:15:21] The other Apple issue is more contentious. Elcomsoft calls it a bug, but Apple calls it a feature. At issue is the way a user's call history is backed up to iCloud. Once iCloud is enabled, data is uploaded often without user action or notification. Elcomsoft sees this as a privacy problem. Apple calls it good backup service.

Dave Bittner: [00:05:37:11] Ransomware continues to boom in the criminal market, accounting for a hefty fraction of the payloads delivered by spam, as much as 97% of the spam PhishMe says it's monitored in the third quarter of this year. Locky remains at the top of the leaderboard. The good news is that victims seem to be coping better with crypto ransomware. A survey of "500 cybersecurity decision makers" sponsored by SentinelOne last month found that 27% of the time, the attackers failed to encrypt any of the victim's files; 45% of the time, some files were encrypted, but the victims were able to decrypt them on their own; 25% of the time, the victims were able to restore their files from backups; and, in only 3% of cases, were the victims out of luck.

Dave Bittner: [00:06:20:20] Looking back at this week's industry news, we've seen some movement of venture funding into start-ups. Virginia-based next-generation antivirus company, Invincea, has raised $10 million in a funding round led by ORIX Growth Capital and Comerica Bank, with participation by Harbert Ventures and New Atlantic Ventures. Uplevel raised $1.2 million for its new managed services model. Threat intelligence shop, Apvera, closed $1.7 million from ACP and Spring Seeds Capital, and Siemplify received $10 million to expand its security operations and incident response business. MACH37-supported cloud-server protection company, Atomicorp, raised $1 million in seed funding, and Masterpeace Solutions announced the successful spin-off of its daughter companies, SrcLight and Zuul IoT. And, of course, Arlington Capital merged three of its portfolio companies into a new cybersecurity player, Polaris Alpha.

Dave Bittner: [00:07:20:14] And finally, Chinese authorities make the case for their new Internet controls at the Wuzhen World Internet Conference as "fair and equitable," and also as bringing "Chinese wisdom" to cyberspace, where it will help everyone live together in ordered harmony. That's certainly one way of looking at it. We're surprised the Mandate of Heaven wasn't explicitly invoked, but then we haven't read the entire issue of the People's Daily. Maybe it's somewhere in the back, with the sports, or maybe the lifestyle section.

Dave Bittner: [00:07:53:14] Time to take a moment to tell you about our sponsor, AlienVault. Do you know that a typical attack goes undetected for more than eight months? This is especially frightening, considering 90% of all businesses have suffered an attack so it's no longer a question of whether an organization will be breached, it's when. Better threat detection starts with AlienVault Unified Security Management. The AlienVault platform provides all of the essential security controls needed for complete threat detection in one easy to use and affordable solution. With its integrated security controls and expert threat intelligence from the AlienVault Lab Security Research Team, you don't need to deploy and manage numerous security point products. Spend your time responding to threats rather than researching them with AlienVault. Visit alienvault.com/cyberwire today to download your free 30-day trial of AlienVault Unified Security Management. That's alienvault.com/cyberwire, and we thank AlienVault for sponsoring our show.

Dave Bittner: [00:08:56:04] Joining me once again is Dr Charles Clancy. He's the Director of the Hume Center for National Security and Technology at Virginia Tech. Dr Clancy, I know you wanted to talk today about a new state initiative called the Virginia Cyber Range. Fill us in. What's going on here?

Dr Charles Clancy: [00:09:12:10] The Virginia Governor's Cybersecurity Commission recommended that the state invest in a Cyber Range with the goal of improving curriculum and access to laboratory materials for principally high school and community college across the state of Virginia.

Dr Charles Clancy: [00:09:27:14] So, the current fiscal year budget includes $2 million to build this range, and it includes $2 million next fiscal year to operate the range. Essentially, this range is going to include new courses. This could include full courses or specific modules for courses. It will contain virtualized laboratory exercises that students will be able to take advantage of, and teachers who want to expand cybersecurity offerings, either at the high school or community college level, or other colleges for that matter, will be able to take advantage of these pre-canned exercises and curriculum, with the goal really of building capacity for cybersecurity education across the Commonwealth of Virginia.

Dave Bittner: [00:10:05:20] So really a reflection of the shortage of available, qualified people to fill those jobs?

Dr Charles Clancy: [00:10:11:05] Exactly. The same Commission found that there were 17,000 empty jobs in Virginia, vacancies in cybersecurity that needed to be filled. If the state is going to tackle this problem, it requires significant ramp-up in the educational capacity for cybersecurity across the Commonwealth, and really across the entire country. The Governor of Virginia is currently the Chair of the National Governors Association and he's looking to push this agenda nationwide and get governors excited about programs in their states as well that would expand such capacity.

Dr Charles Clancy: [00:10:46:08] Our hope is that, if we can prove successful and this Range being a key tool in Virginia, we can expand it regionally and nationally with other states to do the exact same thing across the country.

Dave Bittner: [00:10:59:13] Alright. Good stuff. Dr Charles Clancy, thank you for joining us.

Dave Bittner: [00:11:07:02] And now another word from our sponsor, AlienVault, asking the question, "What are your plans for December 1st?" Consider listening to what AlienVault has to say about host-based intrusion detection by going to the cyberwire.com/alienvault and signing on for their free presentation. Now let me ask you a second question: what's the difference between an insider and an outsider threat? Well, it's obvious, right? Actually, not so much. Here's the problem. Once the outsiders get in, they act like insiders. AlienVault gets this, and they'd like to show you how they can recognize the bad stuff that goes on inside a host. Their Unified Security Management approach integrates host-based intrusion detection systems, an approach security pros call HIDS, with real-time threat intelligence and SIEM event correlation, making it tough for bad actors to hide. Let AlienVault show you how their unified solution can take your security where it needs to go - inside the enterprise. Go to the cyberwire.com/alienvault and sign up for their free December 1st presentation. That's AlienVault for fast, cost-effective security that works for you. The cyberwire.com/alienvault. And we thank AlienVault for sponsoring our show.

Dave Bittner: [00:12:27:21] My guest today is Sara Sorcher. She's the Deputy Editor of Passcode, part of the Christian Science Monitor that covers digital security and privacy. After the US Presidential elections, she wrote an article titled "What Trump's Victory Means for Cybersecurity".

Sara Sorcher: [00:12:42:13] You know, there are some clues. He has a cybersecurity plan on his website and he said, pretty recently, that to truly make America safe we truly have to make cybersecurity a major priority. So he has been pretty strong on some of the things that he's emphasized with cybersecurity, but there are some other comments that he's made on the campaign trail that have worried industry and professionals and so we went through some of that as well.

Dave Bittner: [00:13:08:02] What kind of comments did he make?

Sara Sorcher: [00:13:09:24] There were a few. He was asked a question about cybersecurity at a debate back in September. It was a pretty straightforward question about how to solve the cybersecurity challenges facing the country. However, he provided a winding answer where he talked about his ten-year-old son, Barron, being really good with computers and calling digital threats "the cyber," which started an internet meme. A lot of the tech press really dismissed this answer as incoherent or disconnected. I mean, he's talked about how he doesn't really use computers at all, so there was a sense of disconnect. Is this somebody that really understands what is going on and the complexity of this? He does have advisers. His senior military adviser is retired Army Lieutenant General Michael Flynn, and he has people who are advising him who do know more, and you do see some of these things on his website that go into more detail about the plan. However, there are questions about whether he himself might need to brush up on cybersecurity issues when he's in office.

Sara Sorcher: [00:14:16:08] Notably, with all of the hacking that went on this election season, he did, a couple of times, take a step away from blaming Russia for hacking political organizations like the DNC, even after US intelligence officials and cybersecurity researchers who investigated the hacks came out and said that they believed that there was enough evidence to blame Moscow. Even Michael Flynn also broke with him to say that he thought that Russia was responsible. Trump did not acknowledge that, or say that he was willing to blame Russia, and offered up his own idea that maybe it was China or, I think the quote was, "someone sitting on their bed that weighs 400 lbs". So just kind of [INAUDIBLE] out on this evidence, so that raises some questions about: is the President-elect, when he's in office, going to take these briefings more seriously? Is he going to take the word of intelligence officials, who are really on the front lines of gathering intelligence in cyberspace, seriously? Is he going to listen to his closest advisers?

Dave Bittner: [00:15:23:00] He did make some statements along the way about encryption.

Sara Sorcher: [00:15:26:06] Yes, he did. That was another thing. During the campaign, we also had the big stand-off between FBI and Apple. Trump went so far as to call for a boycott of Apple. He just said, "Who do they think they are?" really questioning the right of a company to deny the government access to the phone. This was a really contentious issue that pitted a lot of people in the tech industry against the FBI, and it has not been resolved so far. I think the expectation is that the encryption fight is going to be kept into the next administration, and the sense among a lot of security professionals right now seems to be that there will be a Bill to force some sort of government access into encryption, especially since Senate Intelligence Committee Chairman, Richard Burr, is still going to be around next year as well; he was re-elected. Therefore, I think that you will see some of this push from within the executive branch, if Trump remains consistent with his past statements, and in Congress to take some action on that front.

Dave Bittner: [00:16:40:04] As you survey responses from people on social media, Twitter, people in the cybersecurity industry, are people taking a wait and see approach or do you see people bracing themselves for potential rough times ahead?

Sara Sorcher: [00:16:55:02] I think you see both. I think you see people who are hoping for the best and who want to be optimistic, even if it was an outcome that they did not support or did not expect. However, on the security and privacy side, you see a mix. You have tech companies like Facebook's Mark Zuckerberg, who had said that he wished him luck. We have had a bunch of tech leaders who have said that as well and who seem to be giving him a chance. On the other hand, you have people who are privacy advocates, who have been calling for dismantling of some of the surveillance programs from the National Security Agency for a long time, and they're really worried that now Donald Trump will have control of this. Several of them have already said that they do not see them as fit for the responsibility of governing these particular programs that could have consequences on people's lives. Therefore, you have privacy advocates already calling for Obama to take action before Trump takes office.

Dave Bittner: [00:17:53:08] What in particular has caught your attention? What are you going to be looking out for?

Sara Sorcher: [00:17:56:12] I think the Russia stuff will be really interesting to watch, because there are a lot of people who are saying that this might actually embolden Russia to carry out even more attacks. There were reports earlier this week by Wired and Vice that this was already happening, that the same hackers that were linked to Russia, that are believed to have gone after the DNC servers, that they already began targeting more people in American universities or think tanks, the State Department, Radio Free Europe, other places. Will Russia be more willing to use these tactics in other parts of the world? I think that is going to be something really interesting to keep an eye on in the long term, something that does not just go away in the election cycle.

Dave Bittner: [00:18:48:09] That's Sara Sorcher from the Christian Science Monitor's Passcode. You can find her article, "What Trump's Victory Means for Cybersecurity," on their website. She's also co-host of Passcode's podcast called the Cybersecurity Podcast, and you should definitely check that out too.

Dave Bittner: [00:19:08:11] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible. We help you stay on top of the news in cyber security and information assurance. We can also help you get your product, service, or solution in front of an informed audience of influencers and decision-makers. Visit the cyberwire.com/sponsors to find out how.

Dave Bittner: [00:19:32:23] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, our Social Media Editor is Jen Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. I'm Dave Bittner. Thank you for listening. Have a great weekend, everybody.