Dave Bittner: [00:00:00:20] Still looking for a New Year's resolution? Here's a suggestion, go to Patreon.com/thecyberwire and find out how you can support your favorite podcast. Thanks.
Dave Bittner: [00:00:14:11] Iran's crackdown on Internet channels of dissent continues. Intel processors are determined to have a deep security flaw: cloud users are likely to be affected. A macOS local privilege escalation vulnerability is published. The "Trackmageddon" location service vulnerability seems to originate in a buggy API. The suicide forest video appears to have passed through YouTube's human curators. The man arrested in the Wichita police shooting may have been a serial SWATTER.
Dave Bittner: [00:00:47:24] And now some notes from our sponsor, Cylance. You've heard of Emotet, the banking Trojan that re-emerged at the end of 2017 to trouble online banking customers. For now it's hitting financial institutions, mostly in Austria and Germany. But even if you speak English, French, Hindi, Russian, Arabic, Chinese or Hebrew, well... don't get cocky kid, your language community could well be in the on deck circle. The new Emotet has a bad new dropper, it knows when you’re sandboxing it and it evades attempts to analyze it. Fortunately you're in luck no matter where you are. Cylance can protect you. Check out Cylance's blog post about Emotet at cylance.com. That's Cylance. And we not only thank them for sponsoring The CyberWire, but we suggest you head on over to cylance.com for the skinny on Emotet.
Dave Bittner: [00:01:44:13] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, January 3rd, 2018.
Dave Bittner: [00:01:54:14] Iran continues to crackdown on dissent as the government faces street protests and online organizing. Protesters and their supporters are dissatisfied with the Islamic Republic on at least two points, they object to what they characterize as a badly mismanaged economy, whose privations have been rendered worse by official corruption, and they see the regime as being far too concerned with things going on outside the country. Support for Hezbollah in particular and the Palestinian cause in general, have been singled out for chanted denunciation by protesters. There have also been surprising expressions of nostalgia for Shah Reza Pahlavi, deposed by the Islamic revolution of January 1979. There seem to have been no calls by protesters for the release of still interned leaders of the failed 2009 Green Revolution.
Dave Bittner: [00:02:44:23] Statements by senior officers in Iran make it clear that in their view the unrest is driven by foreign enemies whose weapon is information. That concern is about alleged foreign involvement in what has the appearance of grassroots protests. The Chief Deputy of Staff of the Iranian Armed Forces, Brigadier General Jazayeri, said yesterday that anyone who remained silent in the face of what the Mehr News Agency called a "comprehensive plan of enemies to change beliefs, thoughts, and behavior of the nation", should be held to account. As Brigadier General put it, "In the current situation, urgent and decisive measures should be taken by the relevant agencies to achieve secure and domestic cyberspace."
Dave Bittner: [00:03:28:11] The leader of the Revolutionary Guard said this afternoon that the uprisings had been decisively put down, but few observers are so far willing to accept that assertion at face value. More than twenty are reported to have been killed since last Thursday, nearly 500 are thought to have been arrested. Government-organized counter demonstrators took to the streets this morning to denounce the protests and chant "death to America", following the regime's line that the unrest had been fomented by enemies abroad.
Dave Bittner: [00:03:57:17] Tehran has sought to restrict Internet access in order to deprive dissenters with both a platform and a means of organization. Telegram and Instagram have so far received most of the government's attention. As ready access to these platforms is lost, many in the country seem to be turning to Tor connections for Internet access.
Dave Bittner: [00:04:18:19] While the cyber implications of the Islamic Republic's response have for the most part been domestic, confined to Iran, security experts warn those outside of Iran who may have had actual or apparent contact with Iranian citizens, to beware of spear-phishing. This is expected to be carried out by the government-associated "Infy" threat group. Infy has in the past shown a willingness and ability to target foreign persons of interest.
Dave Bittner: [00:04:45:11] A major security flaw has been reported in Intel x86-64 processors produced over the past decade. Details remain sketchy as Intel prepares an announcement, but apparently attackers can identity and exploit normally protected kernel memory. All major operating systems are affected. Users of cloud services may also experience issues, noticeable as slow-downs in their service. Amazon Web Services has told users to expect a "major security update" Friday; observers speculate that Microsoft will address the problem in its January 10 patches.
Dave Bittner: [00:05:21:00] AMD has noted with pardonable satisfaction that its chips don't suffer from this flaw.
Dave Bittner: [00:05:28:02] On January 1st, 2018 some new security requirements kicked in for government contractors who work for the Department of Defense or intelligence community. They are now mandated to comply with a NIST special publication; 800-171.
Dave Bittner: [00:05:43:18] Thomas Jones is a Federal Systems Engineer with Bay Dynamics, and he helps us make sense of the new mandate.
Thomas Jones: [00:05:49:14] December 30th, 2015 the DOD actually admitted to their requirements for compliance with contracts. So if you're going to do business with the DOD, you have to actually fall in two new areas within the DEFAR contracts. One’s around protection of control of unclassified information, and the other one's around reporting breaches within your organization. So it reaches outside of what is normally considered Federal purview into the contractor community, or into the civilian community, and actually tells them how to set and control new safety standards in their IT systems. So this is one of the first times they've done that for non-classified information.
Thomas Jones: [00:06:34:00] There's always been something in place for classified information, things that are secret or top secret or what-have-you, but this actually touches upon the non-classified information; the social security numbers of individuals, the contact information, as well as sensitive but non-classified information that you simply wouldn't want other people to have. From an individual perspective and from a national perspective.
Dave Bittner: [00:06:57:24] So what are the real world practical implications of this?
Thomas Jones: [00:07:01:13] Well it's actually been very interesting. A lot of times you implement these with contractors and it's a fairly straightforward process. You tell them that their contracts are dependent upon them, and they roll them out. This ones a little different in that it's not just the prime contractors that have to be in line with these requirements, it's also the subcontractors, so each one of the prime's have to go back to their subcontractors and make sure that they are actually adhering to these best practices, and that becomes a little dicey, when you're talking about subcontractors that are two or three men, mom and pop shops where they don't have the resources to implement these. So the real world implications are, that you potentially have a situation where a prime contractor could lose a multi-million dollar contract based on a small sub-contractor not being able to, or not being aware of the requirements around protecting the control of unclassified information.
Dave Bittner: [00:07:59:09] Do these requirements become retro-active?
Thomas Jones: [00:08:03:03] No, it's not. There's actually been a softening of the general requirement. I call it a softening, the DOD is saying there's no change at all, but they're simply requiring by the January 1st deadline that people have a reporting mechanism in place. So you can generate a report saying that you're compliant with these 14 key areas of 800-171, and in those areas that you may not have actually implemented the controls, that you have a plan to get in place, and a date to get in place by: which is a little softer than having to have all those controls in place by the January 1st deadline, which is the way most contractors have been approaching this.
Dave Bittner: [00:08:43:24] So is there a secondary deadline now that's been put out there, for having to actually have things in place?
Thomas Jones: [00:08:48:24] Not that I've been able to find, and I've been searching long and hard for that. There doesn't seem to be anything in place that draws a line in the sand and says, "by this date you need to have these in place." What you do need to have in place by January 1st, is a plan to fulfill all 14 key areas within your organization, including identification of the data that has to be protected, a risk assessment of the organization to determine what the critical controls need to be in place first, what patches need to be implemented first, and what risks really are your greatest risk within the organization. As well as things like encrypting data and risk, data and motion, and doing things like controlling the flow of data within the organization. Where it can go, who can access it, and the ways it may be accessed..
Dave Bittner: [00:09:44:15] That's Thomas Jones from Bay Dynamics.
Dave Bittner: [00:09:49:08] A researcher known by the handle "Siguza" has published a macOS local privilege escalation vulnerability that could be exploited for root access and code execution. The vulnerability was apparently not disclosed to Apple before publication, there's currently no fix available, but Cupertino is doubtless working on one. The flaw is not believed to be remotely exploitable, you would need physical access to work your bad magic, which renders the bug less interesting to skids and script kiddies. Siguza cites this (and Apple's lack of a bug bounty program) in justification of his decision to publicly disclose his findings as opposed to giving Apple a heads-up.
Dave Bittner: [00:10:29:22] Two researchers yesterday disclosed issues with a vulnerable API used for GPS tracking services that can expose location data, audio recordings, image files, and device information, They're calling it "Trackmageddon." The afflicted sites are policing themselves up, one by one.
Dave Bittner: [00:10:49:14] Logan Paul's now infamous, and repellent, YouTube video from Japan's "suicide forest" has been taken down, and an apology from Paul posted in its place. Paul's fans and detractors have taken their predictable defensive or offensive stances. YouTube itself has come in for more interesting criticism. Both WIRED magazine and TechCrunch have called out the video platform, WIRED arguing that the incident should be "a reckoning," and TechCrunch deciding that YouTube is more responsible for the video than one might at first judge a platform to be. According to the report in TechCrunch, YouTube manually reviewed the video after concerned viewers flagged it. The content assessment team saw the video and, according to the report, left it up without so much as an age restriction. It’s not as if the nature of the content was particularly difficult to discern, of course.
Dave Bittner: [00:11:40:12] The video's title, you'll recall, was "We found a dead body in the Japanese Suicide Forest," and the thumbnail showed the suicide victim. Logan Paul might be accused of many things, but failure to judge what would prove to be clickbait is not among them. The incident again shows the difficulty of content management, whether by machines, humans, or some centaur-mix of the two. It also shows why Google is likely to remain in hot water in the UK, where it recently failed to respond to questions about extremist content posed by Parliament's Home Affairs Committee.
Dave Bittner: [00:12:15:11] Tyler Raj Barriss, or at least his online persona "SWAuTisic," is said by KrebsOnSecurity to have Tweeted late last week a boast of having called in bomb threats or SWAT teams, at some ten homes and more than a hundred schools. Barriss was arrested in connection with the tragic and lethal swatting attack that took the life of an innocent and uninvolved father of two late last week. The victim's address seems to have been chosen for its plausible proximity to the actual target, and for the lulz. Explaining himself to KrebsOnSecurity, Barriss said, "Bomb threats are more fun and cooler than swats in my opinion and I should have just stuck to that. But I began making dollars doing some swat requests." The investigation continues, looking at both the police officer who fired,and for other gamers who might have been involved in the dispute that led to the swatting. Our heartfelt condolences to the family of the victim, Andrew Finch. May they receive comfort, consolation, and justice.
Dave Bittner: [00:13:24:02] And now a moment to tell you about our sponsor, Control Risks. For over 40 years across 178 countries, Control Risks has partnered with the world's leading companies to help them be secure, compliant, resilient and to seize opportunities. From kidnapping in the jungles of Columbia, to Cyber enabled extortion, they've been with their clients as risks have evolved. In an interconnected world, Cyber risks are everywhere you operate. Control Risks has a comprehensive view of cyber security, a critical business risk within a context of Geo-political, regulatory and competitive complexity. And thanks to their unique heritage, they provide clarity and actionable guidance that only decades of risk experience can bring. Control risk brings reassurance to the anxiety about your cyber risk. Let them show you what over 40 years in the risk business has taught them. Find out more at controlrisks.com. That's controlrisks.com.
Dave Bittner: [00:14:21:18] And we thank Control Risks for sponsoring our show.
Dave Bittner: [00:14:30:07] And joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, welcome back.
Joe Carrigan: [00:14:36:12] Hey Dave.
Dave Bittner: [00:14:37:04] So, we have survived another holiday season and with that is going to come a flood of new IOT devices hitting the web. We will probably receive some ourselves.
Joe Carrigan: [00:14:49:13] Yes. Gadgets.
Dave Bittner: [00:14:50:18] Being gadget guys people will give us things with best intentions.
Joe Carrigan: [00:14:54:22] And say here, you can use this.
Dave Bittner: [00:14:56:17] Yes. And the first thing that device is going to want is your Wifi password.
Joe Carrigan: [00:15:01:01] That's right. Access to your network. And it wants to go and connect to some external server and start uploading data somewhere. And it may also want to create some external port. There might some kind of camera where you now can go out and view your camera, a security camera for example from the outside world. So if you're at work, you can check on your dog and your cat, watch what the nannies doing if you have a nanny. People should be aware that when these things come they're going to come with some default password, that's the first thing I'm going to recommend. If you get a new device that is accessible on the internet... first of all evaluate, do you truly need this device?
Dave Bittner: [00:15:42:21] Do you need that connectivity?
Joe Carrigan: [00:15:45:08] Do you need that connectivity? If you believe that you do, take the time to secure it and change the default passwords, so that people aren't just logging in remotely, or putting it in some bot-net, like the Mirai Botnet.
Dave Bittner: [00:15:58:18] And do that quickly, right away. Do that in a way before it's connected to... 'cause I've seen reports where people will hose up a camera to the internet and it takes moments before that thing is owned by outside forces.
Joe Carrigan: [00:16:12:07] That's correct. So if you can disconnect your internet connection, and then connect the new device to the wifi network. And you can still actually connect to it from your computer, it just can't reach the internet, and then you can go ahead and change the password if that's possible.
Dave Bittner: [00:16:26:04] And what about the idea of basically having a guest network for all your IOT devices? So it's separating it from the computers where you keep important information.
Joe Carrigan: [00:16:35:12] Yeah, I would definitely recommend doing that if you have that technical capability, and the hardware to do it. That's always a good thing to do. It's segmentation, it's a basic security practice, a good idea. However that's not going to stop those things from being attacked from outside of your network. They're still going to get attacked, you're just going to have that attack be isolated, it'll be less damaging. So you still need to take measures to make sure that the devices themselves are protected.
Dave Bittner: [00:16:59:18] Alright, good advice. Joe Carrigan thanks for joining us.
Joe Carrigan: [00:17:01:18] My pleasure Dave.
Dave Bittner: [00:17:05:16] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence visit cylance.com.
Dave Bittner: [00:17:18:09] And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more. The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Dave Bittner: [00:17:37:17] Our show is produced by Pratt Street Media, with editor is John Petrik. Social media editor is Jennifer Eiben, technical editor Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.