The Manhattan terror suspect claims allegiance to ISIS, but ISIS hasn't claimed him. Crimeware notes. Patching news. Crypto wars update. What the Senate learned about info ops.

Dave Bittner: [00:00:01:07] Hey everybody, thanks for all the kind words about our Malware Mash song on Halloween. Do us a favor, if you really enjoyed it, share it with your friends. Send it around on social media and help spread the word. Thanks.

Dave Bittner: [00:00:14:24] The Manhattan truck-terrorist claims ISIS, but ISIS hasn't claimed him. Notes on conventional cybercrime with some resurgent banking Trojans and mobile malware. Apple patches iOS against KRACK vulnerabilities. WordPress issues another fix for SQL injection bugs. US Deputy Attorney General Rosenstein takes up the pro-access banner in the crypto wars, but few from the tech sector are rallying to him. And Senate hearings on Russian influence operations continue.

Dave Bittner: [00:00:48:21] Time for a message from our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company, whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want, actionable intelligence.

Dave Bittner: [00:01:24:23] Sign up for the Cyber Daily email and, every day you'll receive the top-trending indicators Recorded Future captures crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:02:05] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, November 2nd, 2017.

Dave Bittner: [00:02:12:07] The man arrested in Tuesday's truck-ramming killings in Manhattan has been charged. He appears to have been radicalized and inspired online. Sayfullo Saipov, a native of Uzbekistan living in Paterson, New Jersey, told investigators after his arrest that he chose Halloween as the date of his truck-ramming attack because he expected streets to be crowded and, thus, to be able to kill more people.

Dave Bittner: [00:02:36:10] Saipov claimed allegiance to ISIS, but so far, although ISIS-sympathizing Twitter accounts have been quick to celebrate the murders, ISIS official channels themselves have remained quiet. It's been ISIS's practice not to claim a terrorist attacker as a soldier when the attacker is in custody. Since Saipov failed to achieve martyrdom, instead having been arrested after a New York City police officer wounded him in the stomach, it seems likely that an official claim may not be forthcoming.

Dave Bittner: [00:03:04:23] Saipov told investigators that he was inspired to commit his attack, which he said he'd been contemplating for about a year, after watching ISIS videos on his phone. He was particularly influenced by Abū Bakr al-Baghdadi's calls for revenge against soft targets in the West.

Dave Bittner: [00:03:22:02] For now, Saipov is thought to be, probably, a lone wolf, although possible connections are being investigated. His phone at least has been seized, and authorities are working on it. The phone does indeed contain a lot of ISIS videos and images.

Dave Bittner: [00:03:36:24] Several criminal campaigns are receiving researchers scrutiny at midweek.

Dave Bittner: [00:03:41:02] A gang Kaspersky calls Silence is distributing a banking Trojan being tracked under the same name. The group isn't Carbanak, but researchers note that they're using some of the same techniques that Carbanak pioneered in its rise to underworld leadership. Prominent among those tactics is the use of screen grabs to record and profile ordinary daily activity on targeted enterprise's networks.

Dave Bittner: [00:04:04:18] Chinese speakers are afflicted with a new variant of iOS malware being distributed through two third-party app stores. According to Trend Micro, the malware appears to try to induce its victims to download repackaged apps.

Dave Bittner: [00:04:18:12] Proofpoint is following the resurgence of KovCoreG, a criminal gang distributing Kovter ad fraud malware. The threat group has been active since 2011.

Dave Bittner: [00:04:29:10] The sixth annual Mobile Pwn2Own is on in Tokyo. Apple's iPhone 7, running iOS 11.1, Samsung's Galaxy S8 and Huawei's Mate 9 Pro all fell to hackers on the first day.

Dave Bittner: [00:04:44:09] In patching news, Apple has fixed the KRACK vulnerability in iOS 11.1, addressing the key reinstallation issues implicit in the WPA2 protocol.

Dave Bittner: [00:04:54:24] WordPress has also patched, issuing a fix for an SQL injection flaw. The issue was exploitable in WordPress 4.8.2 and earlier versions.

Robert Knapp: [00:05:05:09] I think one of the biggest problems we are facing right now is, when it comes to attacks on companies with social engineering.

Dave Bittner: [00:05:13:07] That's Robert Knapp, CEO of VPN provider CyberGhost, stressing the importance of a company-wide focus on a culture of cybersecurity.

Robert Knapp: [00:05:22:06] The attacks are not really technical, they are more focused on vulnerabilities of people, and that is something you can train and teach. One of the examples is, simply teach people to check emails where they are from, not click on every attachment. Teach them how to detect a website that is https protected properly, or just pretends to be https protected. We have to, let's say, bring the people on the level of 2017 and the dangers of the Internet and you can only do that with proper training.

Dave Bittner: [00:05:57:20] What about the push back that people often have? Let's say, you know, my employees just want to get their job done and these things slow them down.

Robert Knapp: [00:06:07:15] Yes, that is right. You see that, as long as nothing happens, you know. The first time that you run a company, for example, that deals with sensitive customer data, and then you have a security breach and all your customer data is out there and your business goes from 100% to zero, then you don't say that people need too long to check if they're security vulnerable. It's simply not the right thing to say.

Dave Bittner: [00:06:35:10] It sounds to me that you're advocating that this really needs to come from the top, that this is something that the companies really need to embrace. It needs to be a regular part of the company culture.

Robert Knapp: [00:06:47:08] Absolutely. Look, we obviously need change. If you look at the cybersecurity landscape, and if you looked at what's happened in the last years, the data breaches get, first of all, bigger and bigger and more serious and more serious. So, that means, at the beginning we just had security breaches, let's say, in small companies, where you alright, maybe they don't have the money, they don't have the ability to build the proper infrastructure and teach people properly and whatever. But now we are at the level that we see security breaches at companies like Daewoo. That means, you need a company culture that deals with two different things; education of their own staff and building the proper infrastructure. The infrastructure that we need now looks different from an infrastructure that we had ten years ago.

Dave Bittner: [00:07:32:16] That's Robert Knapp from CyberGhost.

Dave Bittner: [00:07:36:07] In the cryptowars, US Deputy Attorney General Rosenstein advocates secure, responsible encryption, that is, encryption that would still permit lawful investigators to access the messages or other content that use it. He's been talking about this for some weeks and, on Monday, explained what he's urging as follows: "I simply maintain that companies should retain the capability to provide the government unencrypted copies of communications and data stored on the device, when a court orders them to do so. When a court issues a search warrant or wiretap order to collect evidence of a crime, the company should be able to help. The government does not need to hold the key."

Dave Bittner: [00:08:15:13] Thus companies, essentially, any who carry or store communications for their users and customers, would be required to hold a key to any encrypted content their systems handle and to produce such key when properly required to do so by a warrant. It would not, as some reports have said, require companies to store all messages transiting their systems in plain text.

Dave Bittner: [00:08:36:24] While Deputy AG Rosenstein has some nice things to say about encryption, calling it a foundational element of data security and essential to safeguarding data against cyberattacks, he nonetheless believes it should be effective, secure encryption, coupled with access capabilities.

Dave Bittner: [00:08:53:15] His appeal is falling on largely unsympathetic ears, at least as far as the tech sector is concerned. Cyber Security Hall of Famer, Susan Landau, recently described it in Lawfare as a keys under doormats approach to security. There's no way, critics argue, of ensuring that only governments exercising legitimate investigative authority, would be able to gain access to such keys. To provide for the government to have such access would also be to open up the possibility of such access by other governments, criminals, and so on.

Dave Bittner: [00:09:25:23] US Senate hearings into Russian influence operations find that foreign trolls can post the kind of stuff everybody else does: religious and anti-religious images, racial resentment, class disdain, gender aggression, conspiracy theories, and so on. Basically, the Internet's stock-in-trade. Senators told Twitter, Facebook, and Google executives hauled in to testify about foreign influence, that they should get their act together. Because, if they don't get a handle on their terms of service and enforce them, Congress will, or so said California Senator Feinstein.

Dave Bittner: [00:09:59:03] How the platforms might control what people say on them is difficult to say, particularly for observers with strong First Amendment sensibilities. But there might well be ways of limiting the amplifying effect of, for example, bots.

Dave Bittner: [00:10:12:11] Purchasing political advertising might be brought under the same restrictions that currently govern other forms of foreign contributions to political campaigns. The Internet Research Agency, a now well-known St. Petersburg troll farm, was active buying political ads on Facebook last year and was able to use Facebook's formidable analytics to target them to the demographics it was interested in reaching. This seems to have been straightforward marketing savvy on the Internet Research Agency's part. All the companies testifying said they'd found no evidence that anyone had used voter databases to target ads.

Dave Bittner: [00:10:47:20] Testimony also indicated that Russian messaging was distributed across the political spectrum, from far left to far right; from moonbats to wingnuts and most other niches in between. This would seem to confirm that the goal was chaos rather than any specific outcome.

Dave Bittner: [00:11:03:24] Back in Menlo Park, Facebook CEO Zuckerberg said, he was dead serious about curtailing problematic activity on the social media platform. He framed this as a security issue and warned that the company's security investments would be significant in the coming year, markedly increasing operating expenses.

Dave Bittner: [00:11:27:18] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than artificial intelligence, unless, maybe it's machine learning. But it's not always easy to know what these could mean for you. Go to e8security.com/cyberwire and see what AI and machine learning can do for your organization's security. In brief, they offered, not a panacea, not a cure-all, but rather, an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and machine learning are the technologies that can help you do it. Visit e8security.com/cyberwire and see how they can help address your security challenges today. We thank E8 for sponsoring our show.

Dave Bittner: [00:12:22:16] I'm pleased to be joined, once again, by Chris Poulin. He's a Principal at Booz Allen Hamilton Strategic Innovations Group. He heads up their Internet of Things Security Team. Chris, welcome back. You and I have spoken about medical devices before and, being someone who grew up in the era of the Six Million Dollar Man, I am very interested in the possibility of augmenting my human capabilities. This is something that you're interested in and some of these things are not that far off.

Chris Poulin: [00:12:51:02] That's true. I really do hope that you weave in the Six Million Dollar Man. [LAUGHS] In fact, it's kind of interesting, because I've been talking quite a bit about this and I'm fascinated. I actually got fascinated by watching somebody called Lepht Anonym, who actually has started pioneering Grinding, which is basically implanting magnets and things like that into our body, in her kitchen, with a bottle of vodka and a scalpel. It's moved on. There's an organization called Grindhouse Wetware, out of Pittsburgh, who do similar things and it's kind of fascinating. They'll use magnets and an echolocator to actually help blind people to navigate rooms. So, the magnet actually actually picks up on the return ping, basically. They've had great success in being able to accurately navigate rooms and determine the height and distance and all that, of objects that are in people's way.

Chris Poulin: [00:13:49:20] So, it doesn't really have a cyber implication right now, but I started thinking about, you know, what the future holds and even some of the stuff that's happening now. For example, Elon Musk is thinking about neural lace. So, effectively, it's a Utah array of sensors that you can overlay onto your brain. In fact, his podcast could be coming to you just by somebody sitting there and I could be thinking these words and it could be transmitted directly, without any translation through my mouth and airways, directly onto your brain. I could think of a picture and you could receive it in the exact form that I thought, potentially.

Chris Poulin: [00:14:30:21] That's where it gets scary is that, it requires, in order for this to work the way that we want it to, is a communications network, so think about telematics for your brain. If you've got a point of presence, or a thread surface, you know, literally here, then somebody could break in and, if you have access to somebody's brain, you can cause them to have purposeful hallucinations, or attacker controlled hallucinations. There's a really bad B movie from the 1990s, I think, called Idle Hands, where an evil possessed hand manages to find its way onto this young kid's body. It's a silly, stupid movie. It's great if you've had a couple of beers and it's a rainy day. Effectively, I think about that. You could cause somebody to cause motor movements that they were not intending. Something a little less juvenile would be, something like The Manchurian Candidate, right.

Chris Poulin: [00:15:20:15] So that's one aspect. The other one is, looking at actual nano-technology, where we've seen nano tubes that have actually been put into practice. It'll be things like, they might target certain cancerous cells, or whatever. So, basically you adjust this nano-technology. And it can be controlled through software. One of my friends and colleagues, Chris Roberts, actually, he has been doing some work in that area and has managed to figure out how to hack those. Effectively, if you've ingested those and their goal is to, I don't know, target cancerous cells, or whiten your feet, or whatever it is that they want them to do, he can change it so that it can do something more evil to somebody.

Chris Poulin: [00:16:03:12] So, again, one of these things, and I keep cautioning people, and this is how I like to end discourse on these types of topics is. It's always about attacker motivation. Unless you're some high profile target, I don't worry that much about people just taking control of these things and causing harm. But, quite honestly, I think it becomes a little bit more widespread when it's something like neural lace, where you could actually make people believe what you want them to believe. So, there there is actually a far more insidious motive than actually harming people. So, just sort of a cautionary note as we move into that realm.

Dave Bittner: [00:16:41:18] These are things that Oscar Goldman never had to worry about on the Six Million Dollar Man.

Dave Bittner: [00:16:47:03] Chris Poulin, thanks for joining us.

Dave Bittner: [00:16:51:12] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com.

Dave Bittner: [00:16:57:22] Thanks to all our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.

Dave Bittner: [00:17:08:19] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.