The CyberWire Daily Podcast 2.23.16
Ep 41 | 2.23.16

Anonymous hits Belgium & Cincinnati. Twitter vs. jihad? MouseJack. Apple, FBI dispute updates.

Transcript

Dave Bittner: [00:00:03:10] Twitter's version of interdicting extremism may have a few jihadist blind-spots. Anonymous cells hit Belgium and Cincinnati. Security experts tell power utilities not to expect all grid hacks to be noisy and catastrophic; attackers are likely to be subtle and quiet. BAE makes plans for a commercial cyber push. And what's at stake in the dispute between Apple and the FBI gets a little bit clearer.

Dave Bittner: [00:00:27:23] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.

Dave Bittner: [00:00:50:21] I'm Dave Bittner in Baltimore, with your CyberWire summary for Tuesday, February 23rd, 2016.

Dave Bittner: [00:00:57:05] Two Damascus-based jihadist groups have sworn fealty to Abu Muhammad al Julani, leader of the al-Nusra Front. Al-Nusra is an al-Qaeda affiliate and is a rival as opposed to an ally of ISIS. Nonetheless, the fact that al-Nusra has official Twitter accounts should give one pause before clapping Twitter on the back, as the social media company claims it's making significant inroads against extremism. Twitter is in a tough position: it's a business, not the U.S. government, so its relationship with the First Amendment is a lot more nuanced, but it doesn't particularly want to be perceived as a censor. But Twitter is getting a lot of stick in the blogosphere for what many see as tendentious and ill-focused shuttering of accounts that are objectionable on some grounds and really do not have anything to do with the nominal main enemy.

Dave Bittner: [00:01:41:16] Hacktivists associated with Anonymous hit the Belgium government in a widespread denial-of-service effort apparently intended to protest the sad suicide of a girl who was cyber bullied, and a North American Anonymous cell releases personal information on some fifty-two Cincinnati, Ohio police officers and employees. In this case the cause of action is last week's death of Paul Gaston in a police shooting. We've seen no recent reports of attacks on electrical grids, but the threat continues to worry utilities. Late last week, security experts warned state utility regulators in the U.S. not to expect cyber attacks on their installations to be sudden, splashy or otherwise obvious. There won't necessarily be obvious catastrophes, they say, and attackers can be expected to remain sly and discreet.

Dave Bittner: [00:02:26:03] Bastille Networks reports a new threat which is given the snappy name, "Mousejack". Mousejack is a set of nine vulnerabilities that affect non-Bluetooth wireless keyboards and mice used by PCs, Macs, and Linux machines. Bastille says that devices manufactured by Logitech, Dell, HP, Lenovo, Microsoft, Gigabyte and AmazonBasics share the vulnerabilities. Attackers could use a wireless dongle to spoof a mouse, and then generate keystrokes on a victim machine.

Dave Bittner: [00:02:53:22] It was disclosed yesterday that Virginia-based company uKnowKids.com, whose stock in trade is giving parents tools to monitor their children's online activity, suffered from a misconfigured MongoDB installation that exposed nearly 2000 children's information online. The exposure appears to have lasted about two days.

Dave Bittner: [00:03:12:09] An upward trend in Facebook scams and LinkedIn fraud highlights social media users’ continued vulnerability to social engineering. The annual RSA conference opens in San Francisco next week, and several publications offer previews of the event. We're seeing the customary surge in new product announcements during the run-up, and by the way, if you're planning to attend RSA be sure to stop by and say "Hello" to the CyberWire. We'll be in the south hall at booth 11-45.

Dave Bittner: [00:03:37:22] In other industry news, BAE offers more details on its plans for a major push into the U.S. commercial cybersecurity market. This comes at a time when other large defense and aerospace integrators, notably Lockheed Martin, Boeing, and Northrop Grumman, seem to be exiting the field. Raytheon, like BAE, is an exception to this trend. BAE's new COO and prospective CEO-in-waiting is widely expected to shape the company's cyber security efforts.

Dave Bittner: [00:04:03:13] The dispute between Apple and the U.S. Department of Justice over a San Bernardino County-issued iPhone used by one of the shooters in the recent California jihad massacre continues. There's growing consensus that San Bernardino County, which we'd do well to remember, owns the phone in question and could have avoided a great deal of trouble had it used the mobile device management tools available to it. The FBI disputes with some discernible heat that changing the iCloud credentials associated with the phone was a screw-up: rather, it was a step taken to preserve whatever data might have been on the phone against, for example, the possibility of wiping by some surviving accomplice. Several outlets, Dark Reading and KrebsOnSecurity prominently among them, are offering rundowns on the case. Essentially the FBI wants access to the phone's data to determine if there's any evidence therein that could point to a broader conspiracy or plans for further attacks.

Dave Bittner: [00:04:53:05] A federal magistrate has directed Apple to provide a software image file that would override the device's auto-erase and enforced delay features. Such software would make it easier for the Bureau to brute-force the phone. Security expert Bruce Schneier has pointed out that various intelligence and security agencies have almost certainly produced this kind of software on their own, and that time, labor and expense are the principal obstacles to the FBI doing so in this case. Tenable CEO, Ron Gula, speculates that if the dispute with Apple has become so public, this has happened because the Department of Justice wants it to be public. Apple continues to resist the order. Reactions remain mixed, with industry somewhat favoring Apple, the general public inclining to take the FBI's view of things, and both Apple and the FBI avowing their belief in the other party's good, if in their view misguided, intentions.

Dave Bittner: [00:05:45:00] You'll find a useful guide to iOS encryption linked in today's CyberWire Daily News Brief. We also had the opportunity to speak with University of Maryland's Jonathan Katz about the details of iPhone encryption. We'll hear from him after the break. Whatever the outcome of the case may be, it's affecting the conversation on privacy and security in Europe, as well as the United States, and we know that European law enforcement agencies are looking to their own investigative tools. Reports from Germany say that country's interior ministry has developed, and is preparing to deploy, its own spyware, Bundestrojaner, the federal Trojan. They're also rumored to be in the market for lawful intercept tools similar to the well-known FinFisher.

Dave Bittner: [00:06:25:05] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning co-working space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at Betamore.com.

Dave Bittner: [00:06:43:20] Joining me is Jonathan Katz. He's a professor of computer science, and the Director of the Maryland Cyber Security Center at the University of Maryland. Jonathan, obviously Apple has been a hot topic these past few days, specifically the encryption on the Apple iPhone. Apple has gone to great lengths to make sure that the iPhone is secure. Tell us about security on iPhones.

Jonathan Katz: [00:07:05:04] Well, the truth is, Apple have done a pretty good job of securing the iPhone, and you can see that by the fact that the FBI has essentially been required to go to Apple, in order to get help to unlock the phone. What's interesting about the way that Apple protects the data on the phone, is that the data is encrypted now by default, and it's encrypted using a key that's actually stored in hardware and that's inaccessible by any software running on the device, and so the only way to unlock that key and gain access to it is via the passcode on the device. And that's what things are coming down to in the current case, is that the FBI is asking Apple for help in allowing it to repeatedly guess different passcodes, in an attempt to unlock the key and get access to the data.

Dave Bittner: [00:07:47:15] So, interestingly, Apple does have access to your data if you back it up on iCloud. Apple retains the keys to iCloud. Why would Apple choose to do that?

Jonathan Katz: [00:07:56:24] Well, that's an interesting question actually, because we've seen that Apple has already provided the FBI with the backed-up data from this phone that was present on the iCloud, but unfortunately for the FBI, that data only went up to a certain date, and the FBI is therefore looking to get access to the phone, in order to gain access to the data that had been collected on that phone from that date going forward. It's interesting that Apple was willing to give the FBI access to that data that was stored on the Cloud, but it's putting up such a fight with regard to access to the data on the phone, and what Apple's claiming is that, if they provide access to the data on the phone then they're potentially creating a trapdoor, or a backdoor, that could then enable people to access people's phones worldwide, but we see already that, by having the data stored in the Cloud that Apple has the key to, that backdoor, as it were, is already present for any backed-up data.

Dave Bittner: [00:08:47:15] And the FBI is claiming that all they're asking for is the access to this particular phone: that they are not trying to set a precedent. Does that sound reasonable to you, or is that disingenuous?

Jonathan Katz: [00:08:58:18] Well, it sounds reasonable. I think you have to separate two issues. I mean, the first issue is about whether the software that Apple creates in response to this request would work only on that phone, and it seems to me that that is feasible actually, that Apple could create software that would be able to be run only on this phone and would not be a general purpose trapdoor, but nevertheless, I do think that the FBI is looking to set a precedent here, and they're hoping to make it easier the next time around that they request access to data on somebody's phone. So, from that point of view, it does make sense that Apple would at least put up a fight here, to at least show that they're serious about protecting user privacy.

Dave Bittner: [00:09:32:09] All right, Jonathan Katz, thanks for joining us, and that's the CyberWire. For links to all of today's stories along with interviews, our glossary, and more visit thecyberwire.com. The CyberWire podcast is produced by CyberPoint International, and our Editor is John Petrik. I'm Dave Bittner. Thanks for listening.