The CyberWire Daily Podcast 11.21.16
Ep 230 | 11.21.16

More of the customary cybercrime, but with additional warnings of new ransomware vectors. Dodgy apps and holiday shopping. Credential abuse. No pardon for Snowden, for now, anyway.

Dave Bittner: [00:00:03:12] Think twice before you open that picture you got via Facebook Messenger. A recruiting site exposes GitHub profiles. Investigation of credential abuse in the Three Mobile upgrade fraud continues. Fortinet warns German users against an Android banking Trojan. Much advice on how to stay safe online during holiday shopping is out. Symantec plans to buy LifeLock, and Optiv is filing an IPO. President Obama says, while in Berlin, that he won't pardon Snowden. Rumors of DNI and SecDef discontent with Director NSA circulate. And no, Chinese cabinet ministers don't have a side gig recruiting for the Canadian Forces.

Dave Bittner: [00:00:46:21] Time to take a moment to tell you about our sponsor, AlienVault. Do you know that the typical attack goes undetected for more than eight months? This is especially frightening considering 90% of all businesses have suffered an attack. It's no longer a question of whether an organization will be breached, it's when. Better threat detection starts with AlienVault Unified Security Management. The AlienVault platform delivers all of the essential security controls needed for complete threat detection in one easy-to-use and affordable solution. With its integrated security controls and expert threat intelligence from the AlienVault Labs security research team, you don't need to deploy and manage numerous security point products. Spend your time responding to threats rather than researching them with AlienVault. Visit today to download your free 30-day trial of AlienVault Unified Security Management. That's and we thank AlienVault for sponsoring our show.

Dave Bittner: [00:01:54:12] I'm Dave Bittner, in Baltimore with your CyberWire summary for Monday, November 21st, 2016.

Dave Bittner: [00:02:00:20] Facebook Messenger is being used as a vector for ransomware. Criminals are distributing Locky in malicious images shared over the service. The Nemucod downloader is bypassing Facebook's whitelisting protections by arriving in the form of an SVG file, so treat images you receive with circumspection.

Dave Bittner: [00:02:20:11] GeekedIn, a recruiting site for tech jobs, scraped eight million GitHub profiles, but then left them exposed in an unsecured database. GeekedIn regrets the misstep, and says it's correcting it. GitHub told Help Net Security that it allows access to its data, but not for commercial purposes, and it's not clear that GeekedIn's use of the data for resale to recruiters would be compliant with GitHub's terms of use. Those with GitHub profiles should take steps to secure themselves.

Dave Bittner: [00:02:50:10] Investigators continue to look into the upgrade fraud at Three. Some observers think on-boarding and off-boarding practices may have contributed to compromising the credentials used in the scam.

Dave Bittner: [00:03:01:14] The CyberWire heard from Christian Lees, CTO and CSO of security firm InfoArmor. "As organizations continue to bolster their security postures at the perimeter, it’s logical for threat actors to migrate to and even expand internal lateral movement campaigns often fueled by compromised credentials." Lees points out that compromised credentials are often widely available, cost little, and can be used by a threat actor with a relatively low likelihood of detection.

Dave Bittner: [00:03:31:06] We also heard from Istvan Molnar, a compliance specialist at Balabit. He points out that, while the way the Three Mobile hackers got them remains unclear, using legitimate credentials is attractive for many reasons. "Hackers tend to use this method as it is the easiest way to stay under the radar." Molnar added that user account misuse has become "the elephant in the room." In this case, the elephant put about six million customers' personal data at risk.

Dave Bittner: [00:03:59:21] Molnar also suggests that the episode indicates the insufficiency of passwords and associated authentication methods. It's equally important, he says, to consider complementing those methods with continuous identification that keeps an eye on what users authenticated with such credentials actually do while they're operating with them. "It is important to have real time information on the user's behavior so that is then compared to the already learned behaviors of known user profiles. In the case of Three mobile, the system would have recognized the differences in the user's typing pattern, use of command set and accessed network areas. This information would have appeared on the security analytic display and if the situation got worse the system would terminate the connection of the suspicious user in real-time."

Dave Bittner: [00:04:47:09] In hacktivism news, Terbium Labs tells us that they're seeing some signs of contact information being leaked about banks thought to be involved in funding the controversial Dakota pipeline.

Dave Bittner: [00:04:59:09] Fortinet warns of an Android Trojan that's afflicting German mobile customers. It's a bogus email app that seeks administrative credentials which, if granted in a moment of inattention, will send banking credentials to the criminals' command-and-control server.

Dave Bittner: [00:05:14:07] On the subject of dodgy apps, it's worth noting that the holiday shopping season begins more-or-less officially this Friday, and there's much advice out there on how to buy safely online. RiskIQ this morning released a white paper on the topic. They draw particular attention to the risks apps pose during the season (and suggest specific points of skepticism), and they emphasize the importance of knowing you're on the site where you intend to shop, not on a spoofed page. Beware of downloading apps from the virtual equivalent of the trunk of some random guy's car. The official app stores of, for example, Google and Apple aren't perfect, but they're a whole lot better than some app scalper you've never heard of before. Be skeptical of rave reviews. Those can be and often are sock puppetry. Be very cautious if an offer arrives via some free email service. And, as always, bad spelling, sloppy grammar, malapropisms, and loose syntactic control should warn you off, when there are more of those, that is, than usual.

Dave Bittner: [00:06:15:02] In industry news, Symantec indeed is ready to acquire identity protection shop LifeLock for $2.3 billion. Security company Optiv is moving forward with its plans to go public in an IPO.

Dave Bittner: [00:06:28:01] President Obama, wrapping up his European farewell tour, told Der Spiegel that he can't pardon NSA leaker and current Moscow resident Edward Snowden, on the grounds that Snowden has so far declined to face the music in a US court. Failure to appear in court hasn't in the past necessarily served as a barrier to receiving a Presidential pardon. After all, President Ford pardoned his predecessor, Richard Nixon, without it, so it would seem that in this case "can't" should actually be heard as "won't."

Dave Bittner: [00:06:58:19] Rumors circulating in Washington over the weekend suggest DNI Clapper and Secretary of Defense Carter want NSA Director Rogers removed, ostensibly over dissatisfaction with NSA security and US Cyber Command operations against ISIS. Republican Congressional leadership sharply disagrees, and says it's considering hearings into the matter. Admiral Rogers is said to have met with President-elect Trump last week, purportedly - say the rumors - to discuss possible service as Director of National Intelligence Clapper's successor.

Dave Bittner: [00:07:32:08] Finally, if you were considering joining the Canadian Forces late last week, you may have found your interactions with their recruiting site redirected to a Chinese site featuring news and photos of various government functionaries in the People's Republic. Canadian authorities say it's a serious matter, and they're investigating. It seems very improbable that the redirection was the work of the Chinese government: hacktivists or simple vandals motivated by the lulz are the likelier suspects.

Dave Bittner: [00:08:04:15] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want: actionable intelligence. Sign up for the Cyber Daily email, and every day you'll receive the top trending indicators Recorded Future captures crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. That's, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:09:14:21] Joining me once again is Markus Rauschecker. He's the cyber security program manager at the University of Maryland Center for Health and Homeland Security. Markus, I saw a story come by recently that the Feds are proposing voluntary automotive cyber security standards. What are the Feds looking to do here when it comes to cyber security with our cars?

Markus Rauschecker: [00:09:34:08] I think, over the past few years, we've seen that cars are essentially becoming computers. We see a lot of technology being built into these cars that we, as consumers, as drivers, really like. We can listen to music and we can connect our phones to the car; the car itself has a lot of built-in technology too to make it more efficient. The problem is that as these new technologies are being built into cars, the car makers have not really been thinking about security all that much. There is a rush-to-market, so to speak, with the latest and greatest new technologies being built into cars, so now we have cars that can drive themselves which is, for consumers, a really cool idea but it poses a lot of security problems as well, because security oftentimes is an afterthought when these new technologies are being developed.

Markus Rauschecker: [00:10:32:05] Therefore, the Department of Transportation National Highway Traffic Safety Administration recently came out with cyber security best practices for modern vehicles. Basically, these are guidelines that car makers should follow when they are developing these new technologies that they're building into cars. The problem, of course, is that these are only guidelines, which means that car makers can choose to ignore them; car makers are not required to implement any of these guidelines. That is where we are now. There is a certain recognition that cars are vulnerable, the technology within cars is vulnerable and that something needs to be done to increase security here and stop any kind of cyber threat from actualizing itself against these vehicles which, of course, could have dramatic consequences when we're thinking about cars going at top speeds.

Dave Bittner: [00:11:25:05] So these are voluntary guidelines. Why guidelines and not actual regulations?

Markus Rauschecker: [00:11:32:04] We've seen this approach over and over again, where the Federal Government is proposing guidelines rather than passing regulations or passing laws to actually force any kind of security measures to be implemented. I think it gets down to a very core belief here, which is that regulations and laws are generally opposed by industry, because they're seen as stifling innovation, as being burdensome, as imposing significant costs on a developer of technologies. The idea is that we don't really want to stifle that innovation; we want those new technologies to come on the market. Certainly consumers want new technologies, and the industry itself wants to be able to not be burdened by all these additional regulations. This is the approach that is often taken by the Federal Government, where best practices are recommended or guidelines are recommended, but no actual regulations or laws are adopted yet.

Dave Bittner: [00:12:36:08] Then if the guidelines prove in the long term to not be sufficient, then that is when perhaps regulations are explored?

Markus Rauschecker: [00:12:44:24] Yes, I think that's true. I think the hope is that manufacturers will implement the guidelines to make their technologies more secure, but if that doesn't end up happening and society sees a need for greater security measures, then I think, at some point, we will see actual regulations or laws being passed that will mandate the implementation of additional security measures.

Dave Bittner: [00:13:12:23] All right. We will keep an eye on it. Markus Rauschecker, thank you for joining us.

Dave Bittner: [00:13:18:11] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors, who make the CyberWire possible. If you consider the CyberWire podcast a valuable part of your day, we hope you'll take the time to write a review on iTunes. It really does help people find the show and is just the kind of support we would expect from a smart and attractive person like you.

Dave Bittner: [00:13:41:23] The CyberWire podcast is produced by Pratt Street Media. The Editor is John Petrik. Our Social Media Editor is Jen Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.