Ransomware updates. IP camera vulnerabilities. Steganography makes a comeback. Controlling content, with or without Internet autarky. Zo replaces Tay?
Dave Bittner: [00:00:03:15] More network security cameras are found vulnerable to bot-herding. Unpatched Flash bugs incorporated into exploit kits. New ransomware strains are out. Russia announces a new national Internet strategy as Canada and the EU grapple with the complexity and ambivalence of controlling extremist content. Steganography is back, alas, and in your banner ads. And Tay's kid sister Zo makes her debut.
Dave Bittner: [00:00:34:05] Time for a message from our sponsor Netsparker. When you want automated security you want it to be, well, automatic. Netsparker delivers truly automated web application security scanners. It can be surprisingly labor intensive to scan websites and other solutions need a lot of human intervention. To take one example, with other scanners you have to configure URL rewrite rules to properly scan a website. Not with Netsparker. They say it's the only scanner that can identify the setup and configure its own URL rewrite rules. Visit Netsparker dot com to see how Netsparker's no false positive scanner frees your security team to do what only humans can do. Don't just take their word for it. If you'd like a free trial go to netsparker.com/cyberwire for a 30 day fully functional version of Netsparker Desktop. That's netsparker.com/cyberwire. Scan your websites with no strings attached. And we thank Netsparker for sponsoring our show.
Dave Bittner: [00:01:38:04] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, December 7th, 2016.
Dave Bittner: [00:01:44:03] More targets for exploitation have presented themselves to Internet-of-things bot-herders. This time around, the problematic devices are IP cameras. Sony has issued a firmware update intended to slam shut back doors discovered in about eighty models of the company's networked security cameras. The Austrian security company SEC Consult reported the vulnerability, which enables a remote attacker to open one of the usual suspects, a telnet port.
Dave Bittner: [00:02:12:07] Researchers at Cybereason have independently discovered vulnerabilities in a large family of white-labeled security cameras—not Sonys—that are widely sold under a variety of brand names. In this case the cameras are both shipped with a common, easily guessed password, which is, of course, now a known password, since it's been published in several places and also a default peer-to-peer communication capability. That latter capability yields access to the camera even if it's behind an effective firewall. Providing the unique camera identification from a device enables remote access via the manufacturer's website, and apparently those unique IDs can be easily guessed through that manufacturer's website.
Dave Bittner: [00:02:53:13] It's worth noting that these reports of vulnerabilities have not yet, as far as we've heard, been exploited for distributed denial-of-service attacks by the Mirai botnet that's run wild in the wild since October. But the fear is that they soon could be. The release of the Mirai source code opened up DDoS opportunities, and criminals, and probably not just a few nation states, are clearly testing and exploring opportunities for disrupting the Internet.
Dave Bittner: [00:03:19:07] Recorded Future warns that the Flash zero-day Adobe patched in an emergency October update has been incorporated into seven exploit kits.
Dave Bittner: [00:03:28:00] When it comes to threats to our data, who do we fear most? AlertSec is an encryption-as-a-service company and they did a survey of Americans to find out who's top of mind. Ebba Blitz is AlertSec's CEO.
Ebba Blitz: [00:03:41:06] Our survey shows that in this order they're most afraid of Russia. They're afraid of Anonymous, they are afraid of the petty thief that might steal their information and then comes China. And we can see that this has changed over time, but I think that on the scale, I think that the fear of hacks has increased overall.
Dave Bittner: [00:04:04:08] Yes, the survey really showed that 2016 was a bit of a wakeup call for people?
Ebba Blitz: [00:04:08:03] I certainly think so and I think that, you know, before we've heard of hacks, how they have attacked large organizations, but this year it became personal. I think that the Yahoo attack was one of these hacks where people started to think that, "Wow, this is actually affecting me." But I think that what made people think is that, you know, what happens when they attack something that really is crucial for the nation? So, I think that was a bit of a wakeup call and scared a lot of people.
Dave Bittner: [00:04:42:20] Now, you're the CEO of AlertSec, which is a company that provides a whole disk encryption. How does that tie into the results of this survey? What are the benefits of people to consider full disk encryption as part of their defense against these sorts of attacks?
Ebba Blitz: [00:04:57:12] Yes, I mean, it would be great if there was one service that covers everything, but unfortunately there isn't. I mean, you have to look at a lot of things. We store data either in our cloud applications or we store data at the end point, so that would be our laptops or our phones and such. And we need to keep these safe because if someone finds our laptop and hacks it, they can have access to, of course, anything that's stored on the laptop itself, but that can also be the gateway to anything that's stored in the cloud as well. So we need to make sure that this data is protected and encryption is, of course, the absolute best way to keep it safe. We must also look at the communication between our end points and our cloud services and that is protection that we need VPN tunnels for, which encrypts this communication. I think that anyone doing anything sensitive on an application should also have multi-factor authentication and I think that we must understand that IT security is a whole array of features that just need to be in place for us to be fairly safe.
Ebba Blitz: [00:06:10:07] But there will always be new threats and we need to up our game, we need to listen to what's going on and we need to be really adamant in patching security holes and do all the updates and upgrades that are out there. Don't delay, don't postpone. We have to be really agile here.
Dave Bittner: [00:06:29:09] That's Ebba Blitz from AlertSec.
Dave Bittner: [00:06:33:07] As security analysts look toward the new year, they're tending to predict more of the same in 2017. The IoT will offer a fertile field for criminal activity and ransomware can be expected to persist as well. Observers also foresee a surge in cyber attacks by nation states. There's been an update on one such attack: the apparent North Korean intrusion into RoK military networks. South Korean sources now say that some information was successfully exfiltrated during the incident.
Dave Bittner: [00:07:02:07] Steganographic threats return as ESET reports a campaign that uses malicious banner ads to install malware in Internet Explorer users' systems. They call the attack campaign, appropriately, "Stegano". Stegano aims at credential theft, and it affects primarily Internet Explorer users.
Dave Bittner: [00:07:21:05] The Petya-Mischa ransomware combination has been updated, researchers tell Bleeping Computer, into a "Golden Eye" version. The malware targets German-speaking enterprises, coming across as a "Bewerbung." That's an "application," as in a job application. So if you're working in HR or recruiting in Germany, please beware. The installer is typically a malicious Excel file attached to an email.
Dave Bittner: [00:07:45:14] Last week San Francisco's Muni light rail hung tough against the extortionists who hit it. Not every victim makes that same cost-benefit calculation, as some are still finding it easier to pay up than fight extortionists. The Allegheny County State Prosecutor's Office in Pennsylvania coughed up $1400 to get rid of Avalanche. Not much and they surely calculated that it was worth it.
Dave Bittner: [00:08:09:10] The EU has put big tech firms on notice that they will be expected to promptly take down content officially regarded as "hate speech." And in Canada, Google is fighting a requirement that would appear to give Canadian regulators authority to direct Google to remove specified content worldwide, and not just in Canada.
Dave Bittner: [00:08:29:03] Do you remember Tay? The potty-mouthed chatbot Microsoft unwisely let hang out on the Internet street corners, where she picked up a lot of ways that just aren't right? Well, Tay's kid sister is making her debut. Her name is Zo, and she's being called "the mechanical millennial." Zo is said to crack wise with charming puns, but early observers say Zo seems to get confused and "go off on tangent." These virtual kids today! Would HAL have gone off on a tangent? Well, alright, there was that whole problem with Dave en route to Saturn, but hey, even if HAL terminated the crew's life functions, HAL always spoke professionally.
Dave Bittner: [00:09:07:21] Finally, alert listeners will have connected the name "Golden Eye" with the James Bond film franchise. Alert listeners will be right. The criminal responsible for Petya-Mischa and thus for Golden Eye goes by Janus, which is an apparent homage not to the double-faced Roman god of doorways and portals, but rather to the Janus Syndicate, the villains 007 thwarted in Golden Eye. Janus is a sharp-elbowed competitor. He's said, by Bleeping Computer, to be the guy who took out a competitor by releasing decryption keys to the Chimera ransomware. Thus Janus. We hope that his decision to take the name of a loser foreshadows a take down by the authorities. If not Bond, James Bond, perhaps another representative of MI6. May Janus be shaken, not stirred.
Dave Bittner: [00:10:01:08] Time to tell you about our sponsor Recorded Future. Recorded Future is the real time threat intelligence company, whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want. Actionable intelligence. Sign up for the Cyber Daily email and every day you'll receive the top trending indicators Recorded Future captures crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to Recorded Future dot com slash intel and subscribe for free threat intelligence updates. That's Recorded Future dot com slash intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:11:10:08] And I'm pleased to be joined once again by Dr. Charles Clancy. He's the Director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, when it comes to research and development and developing solutions in cybersecurity, we have this sort of dual use need for both federal and commercial needs, but there's some challenges associated with that, making things so that they can function in both of those environments.
Dr. Charles Clancy: [00:11:36:17] Exactly. The federal R&D environment is focusing increasingly on cybersecurity, with the need to address major technology needs within the federal government. But those needs within the federal government are not unique. The commercial industry sees the exact same challenges on their infrastructure and on their networks. But as the federal government seeks to invest its R&D resources, it's doing so in a way that's consistent with how it's always invested such resources. The defense R&D ecosystem is designed to build something unique for the federal government because, historically, the federal government has had unique challenges in technology and it is designed to do that over a decade, right? We're good at doing R&D to build a new aircraft carrier or a tank with timescales of decades, but in cybersecurity you just can't operate on that timescale. The threat is moving entirely too quickly. So, at Virginia Tech we're very interested in finding ways where we can adopt more commercially oriented models for addressing research and development in cybersecurity.
Dave Bittner: [00:12:47:18] Is there any sort of institutional resistance to this? Of, you know, overcoming longstanding methods and ways of handling things within the federal government.
Dr. Charles Clancy: [00:12:57:07] I think that, obviously, there's the acquisition processes by which the federal government operates. That is always going to cause slowdowns and there are some attempts to try and reform that. But, I think, really it's how the government looks to mature technology. They'll invest basic research, often at universities or national labs and that basic research needs to find its way into a government program of record. That's how the government knows how to buy these things. At Virginia Tech we've found that if we have some innovative R&D that we've done at the university, finding some big government program of record that's going to mature it is not always the best path. The government wants to increasingly buy commercial solutions in the cybersecurity space. So, a few years ago we looked at well, how can we take this research that the federal government invested in, in the cybersecurity domain and turn it into a commercial solution? Well, that involves spinning it off into a startup company that can do that commercialization and productization, not finding some big government program to move the technology into.
Dr. Charles Clancy: [00:14:02:08] So, after the last three years we've spun off three companies that are working in this domain. Collectively, they took about $10 million worth of research that was funded by the federal government and then raised $60 million to actually commercialize and productize it. So, these companies are now in a position to sell back to the government a shrink wrapped, fully completed product, without having to go through that long transition process that is increasingly ill-equipped in the cybersecurity space. And I'm hopeful that the federal government will look to institutionalize these approaches and figure out ways to work more closely with the venture capital community, particularly in the cybersecurity domain, where the need for solutions is critical and the timescales within which they're needed are orders of magnitude shorter than the government is used to operating within.
Dave Bittner: [00:14:55:24] Alright, Dr. Charles Clancy, thanks for joining us.
Dave Bittner: [00:15:00:14] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.