The CyberWire Daily Podcast 2.17.16
Ep 37 | 2.17.16

Dridex & Locky, macro-spread malware. Apple, FBI, spar in & out of court. Dark Reading watches 20 startups.


Dave Bittner: [00:00:03:15] Anonymous actions. Controversy over US and Canadian anti-ISIS policies. ISIS has some cash flow and narrative problems. Crypto wars continue as ENISA comes down on the side of strong encryption and as the FBI takes a novel approach to getting Apple's help unlocking the San Bernardino shooter's iPhone. Symantec calls Dridex the most dangerous banking malware, and Palo Alto warns against "Locky" ransomware. Linux admins, it's time to patch. And Dark Reading names 20 cyber startups to watch.

Dave Bittner: [00:00:34:05] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at

Dave Bittner: [00:00:57:05] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, February 17th, 2016. Anonymous is out and about this week with actions against Turkish police sites and a Tanzanian telecom provider. Nothing new from them as far as we can tell on the ISIS front but ISIS itself seems to be going through a rough patch. To be a convincing caliphate you have to be able to rule, and ISIS is having some problems in this regard. The AP reports that ISIS is experiencing cash flow issues and is cutting salaries and benefits. This has an informational ops dimension because, again, a caliphate has to be able to deliver.

Dave Bittner: [00:01:32:01] These internal troubles appear as US and Canadian intelligence, security, and information operations policies receive criticism over a roseate view of the situation on the ground and alleged weakening of security policies.

Dave Bittner: [00:01:44:11] ENISA reaches essentially the same conclusion about encryption backdoors the recent Harvard study did. They weaken defenses without offering a compensating payoff in improved intelligence.

Dave Bittner: [00:01:54:07] Breaking device security moves prominently into the news as Apple receives a court order to assist the FBI in unlocking an iPhone belonging to one of the San Bernardino jihadists. The FBI has been unable to access the phone's contents, and it wants Apple to assist its efforts to brute force the password. Note that the Bureau hasn't asked Apple to give up the device's passcode, but rather to help the FBI bypass protections to prevent brute forcing.

Dave Bittner: [00:02:18:01] The device they want to access is a relatively old iPhone 5C. Errata Security describes the order as having three elements. First, the Bureau wants Apple to prevent the phone from erasing itself after ten attempts to guess the password. Second, it wants help from Apple to enable the Bureau to submit passcodes electronically which would be far faster than having someone type them in one at a time. And finally, there's some suggestion that the way to accomplish this would be through a firmware update. Apple says it won't comply.

Dave Bittner: [00:02:44:11] The case is interesting in several respects. For one thing, the Federal law under which the Bureau argues Apple should be compelled to help is an old one. Specifically the "All Writs Act of 1789." For another, this is not a request that Apple install a backdoor. It's a subtler, more limited request that Apple do something it can apparently do. An iPhone 5C could well be opened this way. Apple says it wouldn't be able to work these tricks on a later model, particularly an iPhone 6, and the general consensus is that Apple's right about that.

Dave Bittner: [00:03:13:11] And finally, some are asking, notably a story running in Quartz, whether Apple takes a similarly principled line in jurisdictions other than the US and the UK. Has the company agreed, for example, to the security audit the Chinese government has demanded as a cost of doing business in that biggest of all emerging markets? Quartz thinks Apple's statements, which Quartz says fall short of denying that it will comply with the audit, are at best ambiguous.

Dave Bittner: [00:03:38:00] The CyberWire sat down this morning with legal and policy expert Markus Rauschecker of the University of Maryland's Center for Health and Homeland Security. We'll hear from him after the break. We'll give Kevin Mitnick's Twitter feed the last word on Apple. He says, and we're going to edit a little bit since we're a family show, quote, "Tim Cook's response? FBI has good intentions. Boo to them, we aren't building an iPhone backdoor. FBI has good intentions. End of message."

Dave Bittner: [00:04:03:02] Turning to cybercrime, Symantec warns that Dridex, the credential-stealing Trojan that affects bank customers, is showing rising infection rates and has become the most dangerous species of financial malware. Dridex typically infects its victims when they open a Microsoft Office document with malicious macros. Palo Alto Networks has found a newly virulent form of ransomware called "Locky" that spreads in the same fashion.

Dave Bittner: [00:04:26:01] Linux admins should take note. The GNU C Library, implicated in the GHOST vulnerability discovered last year, has another flaw that affects Linux devices, API web services and many important web frameworks. A patch is out, and admins should do well to apply it as soon as practical.

Dave Bittner: [00:04:43:02] Investment analysts continue to speculate that the cyber security market is in for a round of consolidation in 2016. As the annual RSA conference approaches, such rumors will continue, as will coverage of aspiring unicorns and potential acquisition targets. Dark Reading contributes to the conversation by naming "twenty startups to watch." Here they are. ZeroFOX, Twistlock, Threat Quotient, Tenable, Synack, Sentinel One, Pindrop Security, Menlo Security, Malwarebytes, LookingGlass, Illumio, HackerOne, Fireglass, Exabeam, Digital Shadows, Cynet, Cymmetria, Cybereason, Argus Cybersecurity, and Appthority.

Dave Bittner: [00:05:26:23] Did you notice we read them in reverse alphabetical order? You're welcome, ZeroFOX.

Dave Bittner: [00:05:34:01] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a nonprofit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at

Dave Bittner: [00:05:52:17] Joining me is Markus Rauschecker. He's the cybersecurity program manager at the University of Maryland's Center for Health and Homeland Security. Markus, things in the encryption debate just got a lot more interesting.

Markus Rauschecker: [00:06:03:10] Yes, they certainly have. So this debate about encryption has been going on for a long time now. There's a battle between law enforcement and companies like Apple and Google and others and we've recently had a court order now that actually has compelled Apple to find a way to circumvent the encryption on one of its devices, a device that was used by one of the San Bernardino terrorists. Law enforcement, FBI has been trying to get access to that device that was used by the terrorists, but have been unable to do so up to this point because of the encryption on the device.

Dave Bittner: [00:06:39:15] They're not asking Apple to decrypt the phone, they're asking Apple for basically help in brute force-- brute forcing the phone, is that correct?

Markus Rauschecker: [00:06:48:04] That's correct, yes. So the court order that was issued requires Apple to provide reasonable technical assistance to the FBI to figure out a way to get at the encrypted data and essentially then allow law enforcement to, as you said, brute force their way into the device by attempting all the different passcode variations that could eventually unlock the phone.

Dave Bittner: [00:07:13:07] So what are Apple's options in terms of fighting the court order?

Markus Rauschecker: [00:07:16:15] Well, the court order says that they have five days to go back to the court and appeal this decision and Apple has already indicated that they will do so. So, you know, we'll have to see exactly what they will base their appeal on but we should be seeing that within a matter of days.

Dave Bittner: [00:07:35:05] It's interesting that, that the government is using the All Writs Act of 1789 to make their argument, you know, an old law for new technology.

Markus Rauschecker: [00:07:45:14] Right. So we, we actually see that every once in a while where the government will, will look for any kind of law that they can hang their hat on and this All Writs Act of 1789 certainly is an old law, but government has interpreted it in such a way as to give judges broad powers in terms of compelling third parties to enforce court orders. On the other hand, Apple is arguing that this old law should be d-- should be interpreted very narrowly and should not be interpreted in a way that gives judges the authority to, to compel them to, to carry out their court order. You know, we'll have to see. This is really an issue of statutory interpretation and since this law is very old, it can be a little difficult sometimes to interpret exactly what it's saying.

Dave Bittner: [00:08:39:14] Apple posted a public message to their customers today laying out their case. If nothing else this really brings this issue of encryption more to the public eye.

Markus Rauschecker: [00:08:49:04] Absolutely. I think this issue of encryption has, has been in the public eye for the past few months. We've seen testimony on the Hill, we've seen advocacy groups arguing on behalf of this issue. But I think this court order really has put the issue to the absolute forefront, and, and especially with a public statement from Apple's CEO, I think, you know, we're seeing this story in the news everywhere now. I think everyone is going to be talking about it and I'm sure everyone will have their own opinion on how things should develop.

Dave Bittner: [00:09:24:04] Alright Markus, we'll keep an eye on it and we'll check back in with you as things develop. Thanks again for joining us.

Dave Bittner: [00:09:31:02] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit And we truly appreciate your help in spreading the word about our podcast, and you can review the show on iTunes, like us on Facebook, find us on LinkedIn and on Twitter. The CyberWire podcast is produced by CyberPoint International and our editor is John Petrik. I'm Dave Bittner. Thanks for listening.