Kenyan election nullified over electronic irregularities. South China Sea cyber espionage. WikiLeaks' Vault7 dumps Angelfire. Accused leaker wants her statements excluded. DPRK raids ROK Bitcoin. WhopperCoin is here.

Dave Bittner: [00:00:01:02] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.

Dave Bittner: [00:00:13:15] Kenya's Supreme Court voids that country's presidential election results over electronic irregularities in the balloting. The Chinese step up cyber espionage against Vietnam during South China Sea disputes. Ransomware continues to surge this week. WikiLeaks dumps Angelfire documents from Vault7. Reality Winner says she wasn't properly Mirandized by the FBI. North Korea raids South Korean Bitcoin exchanges and, get ready for WhopperCoin.

Dave Bittner: [00:00:47:12] It's time to take a moment to tell you about our sponsor, Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web, to give cyber security analysts unmatched insight into emerging threats. We read their dailies here at the CyberWire and you can too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and more. Subscribe today and stay ahead of the cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security.

Dave Bittner: [00:01:25:21] Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It’s timely, it’s solid and it's on the money. That's recordedfuture.com/intel, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:49:09] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, September 1st, 2017.

Dave Bittner: [00:01:59:16] In a surprise ruling, Kenya's Supreme Court voided that country's presidential elections over irregularities in the balloting. The August 8th elections had returned incumbent Uhuru Kenyatta to office, and the losing opposition candidate, Raila Odinga, had petitioned the court to nullify the results, charging that the vote had been hacked and otherwise electronically manipulated. Few thought Odinga's suit had much merit, particularly since international observers had concluded the election was fairly conducted. Mr Odinga himself seems as surprised as anyone by the decision. The court has directed that a new election be held within 60 days.

Dave Bittner: [00:02:39:16] FireEye says Chinese cyber operators have increased their attacks on government and business targets in Vietnam. The attacks coincide with increased tension over South China Sea territorial claims.

Dave Bittner: [00:02:52:11] Locky and other ransomware have surged this week. One strain is even reported to have been present in certain US government websites.

Dave Bittner: [00:03:01:05] WikiLeaks yesterday dumped documents purporting to describe a CIA implant framework, Angelfire, said to be effective against Windows 7 and Windows XP machines. Bleeping Computer sniffs that if Angelfire is indeed a CIA product, it doesn't represent Langley's best work. Its discussion characterizes the tools described as crude. The presumed targets are also old, which again leads one to wonder when and how WikiLeaks is getting the material it's producing.

Dave Bittner: [00:03:30:15] There are suspicions about other leaks, and some of those have taken the form of indictments. The legal proceeding currently in the news is the one in a Georgia US Federal Court.

Dave Bittner: [00:03:40:17] Accused leaker and former NSA contractor, Reality Winner, has told that court she wasn't properly Mirandized when she first spoke with FBI special agents searching her apartment. Her lawyers have petitioned to have the things she said to those agents excluded at trial. Reports indicate that her conversation with the Feds amounted to a confession, which would explain their eagerness to keep it out.

Dave Bittner: [00:04:04:16] Reality Winner, you will recall, is the former Air Force service member who was inadvertently outed to US authorities by The Intercept when it contacted them to authenticate the documents Winner allegedly passed to the publication.

Dave Bittner: [00:04:18:10] North Korean operators have this week been more closely tied to raids on South Korean Bitcoin exchanges. The DPRK is expected to make more such attacks as it seeks to compensate for revenue lost from sanctions imposed to constrain its nuclear and ballistic missile programs.

Dave Bittner: [00:04:36:07] Finally, cryptocurrency meets the Hamburglar. Well, not exactly, since it's a Burger King and not a McDonald's innovation, and we'd be the last people to suggest that there's no difference between the two global fast food titans. I mean, we've been to the food court at the Towson Town Center. We know what's up. So let's call it the blockchain comes to the Burger King.

Dave Bittner: [00:04:56:11] Here's what's up in the Arbat, and in lots of other convenient locations throughout Greater Moscow. Burger King has introduced its own cryptocurrency, WhopperCoin, to its Russian operations. Every ruble you spend on a Vopper, Vopper Jr., Gamburger, or even a [PHONETIC: Lonk Biff] in Chelyabinsk or Krasnodar will get you one WhopperCoin, which is a pretty sweet way of having it your way in our book. When you've amassed 1,700 WhopperCoin, you can exchange them for a tasty, flame-grilled, non-virtual Whopper.

Dave Bittner: [00:05:29:11] The BBC has saved our staff data scientists the trouble of checking menus, exchange rates, and actually adding and doing that troublesome long division, and the Beeb estimate that "customers will be able to get a free sandwich for every five or six they buy with real money." Real money, huh! Like cryptocurrency isn't real money. Get with the times, BBC. And while you're at it, put on your bowler, ankle on down to a local Burger King instead of the Drones Club, and just imagine the possibilities.

Dave Bittner: [00:05:57:22] Anyway, the King is working with the cryptocurrency start-up Waves, which says it's already generated a billion WhopperCoin to prep for the big launch, which they're not calling an Initial Coin Offering, but which we think they should.

Dave Bittner: [00:06:11:05] Why is this not just an ordinary loyalty program? Well, it sort of is, when you think about it, which is pretty much the point. One of the problems with all sorts of loyalty programs, from airline miles to supermarket bonus points, is the limited range of things you can exchange them for. Another is the difficulty of keeping track of them, the heated altercations at the counter, and so on, so a cryptocurrency would be a good way of having it your way, a little like the old S&H Green stamps your great-grandmother used to save, only without the gluey taste.

Dave Bittner: [00:06:42:21] Burger King Russia communications director Ivan Shestov says the company has transformed the Whopper into an investment vehicle. As he put it, "Now, it's not just a burger, which is loved in more than 90 countries, but it's also a tool for investment. Experts predict a rapid increase in the cost of cryptocurrency. Therefore, eating one today is a reserve for financial well-being tomorrow."

Dave Bittner: [00:07:07:20] Academic experts think Burger King is on to something. Cryptocurrency mavens at both Cambridge and Cornell think loyalty programs are a good use case for the blockchain. So the next time you're passing down Tsvetnoy Boulevard, remember, it's not just a sandwich, it's practically a 401K.

Dave Bittner: [00:07:30:06] Here's a quick note about our sponsor E8 Security. We've all heard a lot about artificial intelligence and machine learning. Who of a certain age doesn't know that Skynet achieved self-awareness and sent The Terminator back to take care of business? That's science-fiction, and not even very plausible science-fiction, but the artificial intelligence and machine learning that E8 is talking about isn't science fiction at all.

Dave Bittner: [00:07:51:16] They're here today, and E8's white paper, available at e8security.com/cyberwire, can guide you through the big picture of these still-emerging, but already proven, technologies. We all need to turn data into understanding and information into meaning. AI and machine learning can help you do that. See what they can do for you at e8security.com/cyberwire, and we thank E8 for sponsoring our show.

Dave Bittner: [00:08:22:18] I'm pleased to be joined again by Joe Carrigan, from the Johns Hopkins University Information Security Institute. Joe, welcome back. We saw an article come by from Quartz, and the headline was, "Using a fitness app taught me the scary truth about why privacy settings are a feminist issue". To summarize the article, a woman used an app to track her running, thinking she had disabled the ability for anyone else to see what she was doing. However, the app has a lot of different levels of security and while she had turned off public sharing, she hadn't turned off being posted to the leaderboard. As she was such a good runner, she made it to the leaderboard and suddenly started receiving messages from people she didn't know congratulating her on her run and its location, something she had never intended to share.

Joe Carrigan: [00:09:15:01] This is one of the consequences of making everything social. Now people that you don't know become part of your social circle and I use the word "social" with scare quotes around it.

Dave Bittner: [00:09:28:02] You're a bit fan of social sharing, right?

Joe Carrigan: [00:09:30:04] Being someone who generally avoids social interaction myself, I don't have a complete profile on Facebook. I'm sure Facebook knows exactly where I live, but it's not listed on my profile because the data hasn't been entered into my profile. People need to be aware that when you're working with these apps that claim to be social - and I use a social fitness app - you are sharing this information with people, and you're making it available to people you might not want to make it available to.

Dave Bittner: [00:09:59:15] The woman who wrote this article made the point that this could be a safety issue, because she did not intend to share the location of her runs.

Joe Carrigan: [00:10:09:22] But just by using the app, she did, inadvertently.

Dave Bittner: [00:10:12:03] Is there also a point about whether you need to opt in or opt out?

Joe Carrigan: [00:10:16:11] There's a big debate around that. I see both sides of the issue. I see the personal responsibility side of the issue, but we are talking about large amounts of data being gathered, and I would rather opt in to that rather than have to opt out of it.

Dave Bittner: [00:10:34:23] It seems like the European standard is to opt in, while those of us in the United States, you are opted in automatically.

Joe Carrigan: [00:10:44:10] Correct, and therefore you have to opt out.

Joe Carrigan: [00:10:46:14] To be fair, if you go to a European website, their opt in policy is opt in or don't use the service. You log on, and this says, "This site uses cookies. If you don't like that, leave the site." If you click OK, they start gathering cookies, while if you leave the site you can't use the service.

Dave Bittner: [00:11:06:11] So the bottom line is buyer beware. I hate to say read the ULA because it's unrealistic. Who am I kidding? If privacy is a concern for you, it's worth shopping around. There's no shortage of fitness apps so try to find the one that respects your privacy, preferably one that you can opt-in to sharing at the start. Do you agree?

Joe Carrigan: [00:11:40:15] I do agree. It's caveat emptor, pretty much all the time. You're on your own.

Dave Bittner: [00:11:50:07] Joe Carrigan, thanks for joining us.

Dave Bittner: [00:11:56:14] Now a word about our sponsor, the forthcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and COMPASS Cybersecurity will host the event on Tuesday, September 19th, in Baltimore, Maryland, on the Johns Hopkins Homewood Campus. The theme this year is emerging global cyber threats and the conference will feature discussions with thought leaders across a variety of sectors. You can find out more and register at thecyberwire.com/jhucompass. Learn more about the current and emerging cyber security threats to organizations and how executives can better protect their enterprise's data. Speakers include cyber lawyer, Howard Feldman, IoT engineering expert Dr Kevin Kornegay and healthcare data security thought leader, Robert Wood.

Dave Bittner: [00:12:43:13] You can find out more at thecyberwire.com/jhucompass, and we thank the Cybersecurity Conference for Executives for sponsoring our show.

Dave Bittner: [00:13:01:14] My guest today is Charles Henderson, the global head of IBM's X-Force Red, where he leads a team doing penetration testing as well as vulnerability research. His areas of research includes connected cars, and not long ago he had some direct experience with automotive vulnerability.

Charles Henderson: [00:13:19:10] Several years ago, I bought a connected car. It was an awesome convertible and my dream car. As the family grew, the car was no longer practical and so I traded it in. Interestingly, I had this app that controlled all sorts of things like geolocation of the car. When I got home and enrolled my new car, I noticed my old car was still listed. I had done a factory reset of the old car before trading it in so that my contacts from Bluetooth would not go to the new owner. I wanted the car to be fresh and clean and, as a security researcher, I'm paranoid about these things.

Charles Henderson: [00:14:08:05] I figured that eventually the dealership would reset the control of the car and that it was only a matter of time. Days turned into weeks, weeks turned into years and now, four years on, I still have access to that old car.

Dave Bittner: [00:14:27:21] What does that enable you to do? Can you remotely start it and freak out the new owners?

Charles Henderson: [00:14:33:02] I think the headline would be "Car Possessed". I can geolocate it. Shortly after we reported this issue, many of the car companies changed their geolocation capability so that you had to be within one mile of the car to geolocate it. The problem is that your phone self-reports its location. I wrote an app that basically lied about where my phone was located and in roughly 300 web requests, you can cover most metropolitan areas. I think New York City was 312.

Charles Henderson: [00:15:11:18] I can geolocate it, I can honk the horn, adjust the climate control and I can actually unlock it. The reason that this still works is that they didn't take away my access. It's important, because that second owner doesn't think of their car as a connected car. They think of their car as a car because it functions exactly the way it's supposed to and there's no warning light on the dash that tells them that Charles Henderson's accessing the car. It's the same phenomenon as IoT in general. What does a connected light bulb look like? It looks like a light bulb.

Dave Bittner: [00:15:46:20] What was the response from the manufacturers when you notified them of the issue?

Charles Henderson: [00:15:52:03] At first the manufacturer said that it was a dealership problem. I went through the vulnerability disclosure process with the dealership, mainly just to see what would happen. It turns out that a dealership is not equipped to handle this, and you would really have to notify thousands of dealerships across the world.

Charles Henderson: [00:16:15:12] Initially there was a response that it was the first owner's responsibility to ensure that their access is de-provisioned. Interestingly, in some car companies the legal teams had obviously thought about this, stating in the terms and conditions of the contract that it was the first owner's responsibility to decommission the access to the app. Other car companies compared it to having and retaining a set of keys. It is however very different to keys because my keys don't geolocate the car. It's a heightened level of access.

Charles Henderson: [00:16:54:19] In the long run though, the car companies realized it was an issue and you're starting to see them try to deal with it. We've been in contact with them, running through some of the scenarios they might use to solve the problem. The key is that at the design stage of connectivity for the car, they were thinking so much about selling the car the first time, and not about subsequent sales.

Dave Bittner: [00:17:19:20] Was there no provision for either the car's new owner or the manufacturer to disable your access to that car?

Charles Henderson: [00:17:29:08] The car's new owner could, if they knew that I had access to the car. It's almost a catch-22 where they don't know I have access without checking and they don't check, because they don't know I have access.

Dave Bittner: [00:17:45:15] So somewhere buried in a menu there may be a list of the people or devices that have access to this car, but why would you go looking for that menu if you think you were getting a clean car?

Charles Henderson: [00:17:56:16] It isn't actually a menu in the car. They would have to go to the dealership and talk to someone often called by dealerships a provisioning specialist, who goes deep into the system. In the early stages of connected car, the account sub-system wasn't really exposed. Even if there's a web portal where you log in and check who has access to the car, unless you're using the connected car function, you're probably not going to see that web portal. So increasingly what manufacturers are doing is to put a menu in the car to show who has access.

Charles Henderson: [00:18:40:18] It also underscores a problem seen in a lot of areas in security: everyone thought it was someone else's responsibility. The new car dealership thought it was the used lot's responsibility; the used car dealership thought it was the car manufacturer's responsibility; the car manufacturer thought it was the owner's responsibility; the owner thought that as they didn't have access to the system, it wasn't their responsibility. It becomes a convoluted web of ownership and the truth is, if there's a disagreement about whose responsibility security is, security is no-one's responsibility. There needs to be a clearly defined chain of responsibility for security to work. This is an example of security failing because no-one had ownership.

Dave Bittner: [00:19:32:19] That's Charles Henderson from IBM's X-Force Red. We have an extended version of this interview on our Patreon page for our supporters there. Go to patreon.com/thecyberwire to check it out.

Dave Bittner: [00:19:48:12] And that's The CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, check out cylance.com.

Dave Bittner: [00:20:01:08] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.