The CyberWire Daily Podcast 1.13.17
Ep 265 | 1.13.17

Grid hacking in Ukraine. Cellebrite breached. WhatsApp encryption issue. EyePyramid notes. Sharing SIGINT. IG looks at FBI. Guccifer 2.0 and the ShadowBrokers take their bows.

Transcript

Dave Bittner: [00:00:03:03] Grid hacking in Ukraine. Smartphone forensics shop Cellebrite suffers a data breach. WhatsApp appears to have an encryption issue, but most observers think it's not really a backdoor. An update on EyePyramid. WordPress gets eight patches. ENISA issues recommended best practices for securing connected cars. A US Justice Department IG will look into the FBI's investigation of classified information handling in the Clinton State Department. President Obama expands NSA's authority to share raw SIGINT with other intelligence agencies. Guccifer 2.0 wants to clear a few things up, and the ShadowBrokers say "bye-bye," or maybe dasvidaniya. With that accent, sometimes it's hard to tell.

Dave Bittner: [00:00:51:09] Time to take a moment to tell you about our sponsor, CyberSecJobs. If you're an information security professional seeking your next career or your first career, you need to check out CyberSecJobs.com and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resume and search and apply for thousands of jobs. And it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. To learn more visit CyberSecJobs.com. That's CyberSecJobs.com. And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:45:07] Major funding for The CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:49:00] I'm Dave Bittner, in Baltimore with your CyberWire summary for Friday, January 13th, 2017.

Dave Bittner: [00:01:55:07] The power outages the Kiev metropolitan area sustained on December 17th, 2016, continue to be ascribed to hacking, and to the same Russian operators believed to be behind the similar hacks of December 2015. Researchers at Information Systems Security Partners (ISSP) are doing most of the on-the-record discussion. Observers differ as to whether the hack is nuisance, demonstration, misdirection, trial run, or some mix of all of these.

Dave Bittner: [00:02:23:16] Cellebrite, the mobile forensics firm that established a reputation as law enforcement's go-to shop for unlocking smartphones, confirms that it's suffered a data breach. Motherboard says the lost information includes databases, customer data, and technical notes on the company's offerings. Motherboard also says the stolen data are legit, they're in touch with people who say they're involved in the breach, and those contacts represent themselves as hacktivists protesting recent moves by "Western governments" to ratchet up surveillance capabilities.

Dave Bittner: [00:02:55:22] Cellebrite yesterday issued a statement acknowledging the breach, which it characterized as "unauthorized access to an external web server" that included a legacy backup of the company's end user license management system. It's investigating, cooperating with the authorities, and is in the process of notifying affected customers. The company advises my.Cellebrite account holders to change their passwords.

Dave Bittner: [00:03:19:16] A University of California crypto expert reports a flaw in WhatsApp's end-to-end encryption that observers say could enable Facebook to read WhatsApp messages. That, of course, is contrary to WhatsApp and Facebook's declared policy. WhatsApp says the apparent bug is really a feature designed to make security and privacy easy for people who might frequently change devices or SIM cards. They advise users to turn on security notifications. The flaw was widely described as a "backdoor," but that, according to most experts, isn't an accurate characterization of the issue. An issue, then, but probably not really a backdoor.

Dave Bittner: [00:03:57:07] More news and speculation appear about the Italian brother and sister accused of spying on Italian bigwigs for years using EyePyramid spyware. The motives remain unclear, but may have involved gathering insider information useful in various forms of financial speculation.

Dave Bittner: [00:04:14:01] The widely used blogging platform WordPress has patched eight security issues, including cross-site scripting and cross-site request forgery vulnerabilities.

Dave Bittner: [00:04:24:05] ENISA offers a report on best practices for securing connected cars. Their recommendations are organized into three sections: policy and standards, organizational measures, and security functions. They appear to represent the sort of familiar common sense that best practices often do.

Dave Bittner: [00:04:42:09] The Justice Department's Inspector General has announced an inquiry into the FBI's handling of the Bureau's investigation of former Secretary of State Clinton's handling of classified information. Director Comey says he welcomes the scrutiny.

Dave Bittner: [00:04:55:24] The outgoing Obama Administration has loosened restrictions on NSA's sharing of raw data with other agencies. Privacy advocates are unhappy, but the worries seem to be in part of the slippery slope variety, in which the removal of requirements to scrub information inadvertently collected on US citizens could lead to the exploitation of such information by other Federal agencies. The changes are summarized by the Office of the Director of National Intelligence as follows. The letters "IC" in the summary refer, of course, to the Intelligence Community. First: "Only allow IC elements to access raw SIGINT in circumstances where the information will further a foreign intelligence or counterintelligence mission in a significant way", "Do not permit raw SIGINT to be accessed for law enforcement purposes", "Do not apply to information collected under the Foreign Intelligence Surveillance Act, including Section 702", "Establish rules that a recipient IC element must follow when accessing, processing, or retaining raw SIGINT, or disseminating information derived from SIGINT. These rules closely follow those used by the NSA", "Set up extensive training, auditing, oversight, and compliance requirements that are comparable to the NSA's for similar activities", and "Require periodic reauthorization of access and high-level reviews of activities conducted under the procedures."

Dave Bittner: [00:06:17:08] And finally, some of everyone's favorite hackers, hacktivists, agents, crooks, or sockpuppets are back. (You can take your pick on which one of these descriptions to buy, for some reason it's still controversial, and our stringers might almost come to blows over the issue.) In any case, they make their return to the cyberstage as the week comes to a close.

Dave Bittner: [00:06:35:20] First are the ShadowBrokers, they of the Hekawi-accented, scriptwriter's broken English, take a bow and exit, not, we think, pursued by a bear (the bears have other pursuits, right Fancy?) but because they see much risk coming in and few Bitcoins going out, sez they. So, as they bow, they release a bunch of alleged Equation Group weapons and say, in effect, dasvidaniya, we're outta here. Wealthy Elite will miss them, we're sure. And that big auction never went anywhere for them. Skeptics will be forgiven for suspecting that the auction wasn't the point of the whole exercise to begin with. So, ShadowBrokers, as you come in from the cold, stay warm, and keep the light on for Guccifer 2.0, who also frets another hour on the boards. This one is back to comment on the US Intelligence Community's conclusions that the Russian government has been up to no good in American political networks. Guccifer 2.0 says, and wants us all to know, "I have totally no relation to the Russian government." So that settles that, eh?

Dave Bittner: [00:07:39:15] Say hello to Fancy and the gang, Goose, and a happy Friday the Thirteenth to you and the gang.

Dave Bittner: [00:07:49:01] Time for a moment from our sponsor, Netsparker. You know how to tell a false positive from a real threat? Netsparker does. If it's exploitable, it's real. Netsparker's distinctive automated scans drive out the false positives, save you money and improve security. Their approach is proof based scanning. Netsparker's innovative scanning engine automatically exploits the vulnerabilities that it identifies in websites and presents you with a proof of exploit. You don't need to verify the scanner findings to see if they include false positives. If Netsparker tells you it's bad, trust them, it's bad. Remember, if it's exploitable, then it is definitely not a false positive. Learn more at Netsparker.com but wait, there's more. And we really do mean more. Go to Netsparker.com/CyberWire for a free 30 day trial of Netsparker desktop. It's fully functional. Scan your websites with Netsparker and let them show you how they do it. That's Netsparker.com/CyberWire. And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:08:54:22] Joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, I saw recently some, there's been some talk about this notion that our mobile phone numbers, we should be protecting them in the same sorts of ways that we protect our social security numbers. That perhaps we're being a little too cavalier in our willingness to give out our mobile phone numbers. What's your take on that?

Joe Carrigan: [00:09:21:01] I understand that there's a concern in there and I think the concern is not invalid, that at some point in time we're going to start seeing these man in the middle attacks on, like, two factor authentication. And I think the source you're citing says that we shouldn't be using our mobile phone for two factor authentication, we should be using something else.

Dave Bittner: [00:09:40:04] Right, because of the possibility of a man in the middle that it's not as secure as we think it is.

Joe Carrigan: [00:09:46:02] And it probably isn't as secure as we think it is. But here's the difference between my mobile phone number and my social security number. It's very easy for me to get a new mobile phone number. I can change that and I can go through and change the information in the sites that I need to change it in and I'm done. Getting a new social security number is not so easy. Very difficult. Additionally, when you're talking about using your mobile phone for two factor authentication, the purpose of doing that is to take advantage of the multiplicative nature of adding a second factor. So now somebody not only has to have your username and your password, which is what we call a single factor, even though it's actually two things, but it's just a single factor. Now they have to get another factor of having your phone number and intercepting, physically intercepting the message from one point to the next. That makes it more difficult to do. So I still think it's good to use your mobile phone for two factor authentication. There are better options. In fact, some of them are even mobile phone based where they don't require your phone number, like Google Authenticator.

Dave Bittner: [00:10:50:13] Right. So I guess for the time being, certainly two factor is better than single factor, no matter what. But there seem to be certain use cases, perhaps people in certain situations who, I don't know, you know, high risk, high security kinds of things where it's important not to believe that two factor using a mobile phone number is more secure than it actually is.

Joe Carrigan: [00:11:16:05] Right, if you're of high enough value, then you should probably not be using your phone for two factor authentication. You should probably be using something like, like an RSA token or Google Authenticator, which doesn't require any communication after the initial set up.

Dave Bittner: [00:11:30:14] Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:11:31:23] My pleasure.

Dave Bittner: [00:11:38:03] Time for a message from our sponsor E8 Security. You know, once an attacker's in your network, there's a good chance they'll use command and control traffic to do the damage they have in mind. Couldn't you recognize it? E8's analytics can. Here's what malicious C2 traffic might look like, there'll be visited sites, visits to a website that doesn't have the features a legitimate site usually does, like a high number of pages, a fully qualified domain name or a distinct IP address. Or the association of a website with a limited number of user agents. That's tough for a busy security team but it's easy for E8's behavioral intelligence platform. For more on this and other use cases, visit E8Security.com/DHR and download their white paper. That's E8Security.com/DHR. E8 Security, detect, hunt, respond. And we thank E8 for sponsoring our show.

Dave Bittner: [00:12:37:16] My guest today is Allison Berke, Executive Director of the Stanford Cyber Initiative. The Stanford Cyber Initiative is a research and education initiative that was established by the Hewlett Foundation in 2014, to study how cybersecurity fits into society in a more general sense than the traditional notion that cybersecurity is mainly a problem for computer scientists.

Allison Berke: [00:12:58:24] Our particular purview in terms of research and education is what we're calling Cyber Social Systems. And those are the integration of secure cyber technologies into the different systems within society, like the health care system, the financial system, the labor system and so on. And so our research takes a unique view on those systems and looks at how secure cyber technologies are affecting and complementing the activities that already go on in those systems and what security needs those systems have that are unique that research could help with.

Dave Bittner: [00:13:30:05] So let's dig in a little deeper to that. 'Cause that cyber social systems is not a term that I've heard before. What are you hoping to achieve by approaching that side of things?

Allison Berke: [00:13:39:22] Yeah, so it's a new term that we came up with, that I suppose we're trying to popularize and our hope is that we can both produce policy relevant research that goes beyond the sort of academic or ivory tower view of cyber security as something that is highly technical or that is sort of a specialized set of skills. Our hope is that our research can show how cyber security is more of a shading to problems that might arise in other sectors of society, as opposed to sort of its own unique field or unique discipline. We want to show how cybersecurity affects problems in the labor industry, for example with new forms of worker platforms or ways for workers to combine different tasks and form a job that they can do remotely or that they can do as part of the gig contract economy. We wanna show how that affects both labor security and the security of the platforms that are offering those types of jobs. Another example is that we want to show how the healthcare system has unique cybersecurity needs that go beyond the issues of patient data security that are addressed by HIPAA and HITECH laws and look at how physicians are using patient records digitally to better serve patients, how patients can have a better relationship with their physician via things like video calling and online chat. And how patient data can be securely provided to health researchers in a way that would benefit the entire population while also preserving patient privacy.

Allison Berke: [00:15:13:11] So we do think that cybersecurity is something that will become more and more of a skill that's integrated into multiple professions and into different types of education, rather than just being something that only computer scientists focus on.

Dave Bittner: [00:15:27:15] And so what is the process by which you hope to explore these possibilities?

Allison Berke: [00:15:32:23] Sure. Education is a large part of it. We support undergraduate courses as well as cyber policy boot camps for policy makers and congressional staffers and media. We're looking into offering those also for law enforcement and reaching out to other sectors of society. But our primary way of effecting this change is through research, so every year we fund approximately 1.1 million in research projects that are multidisciplinary, with faculty on the Stanford campus who are running the projects. The multidisciplinary angle is important to us and also important to Stanford in the sense that every project involves a collaboration between schools or between departments that will have computer scientists working with sociologists or with people from the school of education, from the school of business or from the school of law, so that we can get that kind of better integration of cybersecurity into different disciplines through these projects. And then, of course, communicating the results of those projects in such a way that they reach think tanks and policy makers and important decision makers and go beyond sort of the academic publishing platform is also important to us.

Allison Berke: [00:16:42:22] We're still searching for different and creative ways to do that. One way is through white papers and through sort of the executive educational conference events that we have. Another way is through the podcast that we run or through a weekly newsletter. But we're hoping to be able to reach a much broader sector of society than the traditional academic publication because we understand that people who are concerned with cybersecurity and for whom cybersecurity affects part of their job may not be reading conference publications or they may not be reading academic journals, but could still benefit from the research that we're producing.

Dave Bittner: [00:17:16:21] And looking forward, how will you measure success?

Allison Berke: [00:17:21:12] We're hoping to measure success based on our impact on policy and on conversations that occur around cybersecurity, both in the US and globally. Hopefully, one way we could measure that, is by the proliferation of this view of cyber social systems, or that cybersecurity is a firmly entrenched part of multiple jobs and sectors that aren't simply data science or computer science. We're also hoping to measure success by the number of projects that we're able to support and by the distribution of our research across fields. Our projects currently touch six out of seven of Stanford's schools and we're hoping to add a project that involves the School of Earth, Energy and Environmental Science and so hopefully our impact will be measured by the familiarity and the utility of our research results and of our contribution to the discourse.

Dave Bittner: [00:18:15:22] That's Allison Berke from the Stanford Cyber Initiative. They have a podcast by the way, it's called Raw Data. You can find it in all the usual places, check it out.

Dave Bittner: [00:18:28:24] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible. And special thanks to our sustaining sponsor, Cylance. Learn more about how Cylance prevents cyber attacks at Cylance.com.

Dave Bittner: [00:18:46:05] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Have a great weekend, everybody.