US to indict Iranians for Rye hack? ISIS loses HR records. Apple vs. FBI gets nastier.
Dave Bittner: [00:00:03:16] The US seems ready to attribute the 2013 hack of a dam in Rye, New York, to Iran with indictments expected next week. ISIS has an insider threat problem, disgruntled employees. Adobe and Oracle issue patches for Flash and Java. The FCC and FTC stay busy with cyber regulation as standards of care continue to evolve, and the Court fight between Apple and the US Department of Justice stays public and gets uglier.
Dave Bittner: [00:00:31:04] This CyberWire podcast is made possible by the generous support of Cylance offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at cylance.com.
Dave Bittner: [00:00:51:04] I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, March 11th, 2016.
Dave Bittner: [00:00:56:21] According to officials familiar with the investigation, the US will publicly attribute the 2013 hack of a small flood control dam in Rye, New York, to Iran. The Justice Department is expected to indict Iranian operators next week following its earlier practice of seeing value in charging even the unreachable as the Department did with Chinese officers involved in theft of trade secrets from US companies in Pennsylvania. Iran has long been the leading suspect in the incident, which has played a loud second fiddle to the big Ukrainian grid hack. The prospect of indictments, together with legislation pending in the Senate designed to protect the power grid, makes it worth reviewing recent expert commentary on ICS security. One set of observations, from former US Secretary of the Navy Richard Danzig, points out that there's still considerable security value in the legacy air-gapped-by-default world of mechanical switches. If your main system is digital, you're stronger if your safeguard is analogue, he says. ICS security maven Joe Weiss also notes the risk of losing sight of defense in depth. Digital, Weiss notes, even when it claims to have multiple layers, is in a sense one layer.
Dave Bittner: [00:02:06:13] Turning to information operations in the war on terror, ISIS no doubt remains a force in social media, with estimates of the number of sympathetic accounts ranging as high as 90,000, but even the Caliphate has issues with insider threats. A disgruntled jihadist, disillusioned by what he saw as an excessive Baathist presence in ISIS, stole one of his boss's USB drives with data on some 22,000 ISIS fighters, then defected. The information on the thumb drive is said to resemble what any HR department might collect: name, residence, skills, interests and so on. Western intelligence services are thought to be making appropriate use of the material.
Dave Bittner: [00:02:45:04] Adobe issues an emergency patch for Flash. Users and admins are urged to apply it quickly. The vulnerability the patch closes is being exploited in the wild.
Dave Bittner: [00:02:54:04] In industry news, analysts have good things to say about Symantec, Cisco, Check Point, Palo Alto and Fortinet. Speculation about the extent of IBM's layoffs continues, with financial analysts at Bernstein telling InformationWeek it expects Big Blue to shed about 14,000 jobs. Regulatory agencies are also pushing further into the sector. The US Federal Communications Commission says it intends to require Internet service providers to get customers' permission before sharing the sort of personal data used in targeted advertising. The FCC also intends to require more breach reporting from broadband providers. We heard yesterday that the Federal Trade Commission was on what CSO magazine called an enforcement roll, as the FTC moved to require nine companies who audit payment processing, specifically PricewaterhouseCoopers, Mandiant, Forsythe MSP, Freed Maxick CPAs, GuidePoint Security, NDB, Security Metrics, Sword & Shield Enterprise Security and Verizon Enterprise Solutions, to respond to detailed questions about their auditing standards and practices.
Dave Bittner: [00:04:01:08] The IoT, or Internet of Things, continues to provide an ever-growing attack surface for cyber criminals. Tim Matthews represents Imperva's Incapsula service, which they say provides cloud-based protection for websites while giving them a speed boost. He visited us at RSA and shared this warning about the IoT.
Tim Matthews: [00:04:19:20] A lot of people misunderstand website attacks, thinking they've got to be very big machines with a lot of bandwidth, but what we're seeing with the IoT is that there are so many of these devices out there that are so easily compromised because they typically have default passwords: they're not patched often if at all, and so the criminals know this since we've seen instances of closed-circuit TV networks being taken over, we've seen home routers, we've seen other types of IoT devices. It's really important to have your website protected because what the criminals are doing is scanning websites for vulnerabilities and then enlisting these armies of bots, these armies of devices that are compromised to attack you. I should point out that one of the nice things about working in the cloud with so many customers - we have over 100,000 websites on our service - is we think of it like crowd-sourced security. So, somebody else gets attacked by something new, we fix it and then you don't have to worry about that because you're taking advantage of the crowd.
Dave Bittner: [00:05:12:00] You can learn more about Imperva's Incapsula service at imperva.com.
Dave Bittner: [00:05:17:10] Some regulation and legislation are producing more uncertainty than clarity. CIOs generally aren't sure what the coming European-US Privacy Shield agreement will mean for them, and several laws pending in the US Senate, chief among them one that would fine companies who failed to decrypt their products for law enforcement, raise eyebrows among industry and policy observers.
Dave Bittner: [00:05:38:10] Apple and the FBI have moved into what observers are calling the open hostilities phase of their dispute over whether Apple should help unlock the San Bernardino jihadist's county-issued iPhone. Apple says the FBI is in effect on the side of the hackers. The Department of Justice suggests that Apple has been a lot cozier and more forthcoming with the People's Republic of China than it seems willing to be with the United States of America, and that the company's public rhetoric has been false and corrosive, and Justice goes on to suggest that maybe simply requiring Apple to hand over its signing keys would be easier for everybody. Apple says, with some heat, that the request from Justice sounds more like indictments than invitations to cooperate in an investigation, and there is of course no shortage of people pointing out that sound mobile device management on the part of San Bernardino County would have helped avoid the whole issue.
Dave Bittner: [00:06:29:00] We're turning for a moment to the travails of ISIS human resources. CSO Salted Hash has composed a breach disclosure letter that the Caliphate's HR might consider using. Buried in that letter is the offer of identity protection services, "We have partnered with a reputable firm in North Carolina to handle all applications for this valuable assistance." You may contact them directly. Simply provide your name, location and inform them that you were one of our members exposed during this incident. They'll take it from there. We're pretty sure that it's got to be a Fayetteville address. See you on Hay Street, Delta.
Dave Bittner: [00:07:05:17] This CyberWire podcast is made possible by the generous support of Cylance offering cyber security products and services that are redefining the standard for enterprise endpoint security. Learn more at cylance.com.
Dave Bittner: [00:07:25:10] Once again, I'm joined by Markus Rauschecker, he's from the University of Maryland Center for Health and Homeland Security, they're one of our academic and research partners. Markus, the role of the FTC, the Federal Trade Commission, what is their role in regulating cyber?
Markus Rauschecker: [00:07:38:12] So, the Federal Trade Commission has really been asserting itself when it comes to protecting consumers and cyber security matters. The Federal Trade Commission Act prohibits unfair and deceptive trade practices, and this is the language from which the FTC draws its authority. The FTC can go after businesses that conduct unfair and deceptive trade practices. The FTC has interpreted the unfair and deceptive trade practices language from the FTC Act as giving it the authority to go after businesses that aren't doing enough to adequately safeguard consumer information. There's always been a question about whether or not the FTC really has the authority to regulate businesses that aren't protecting consumer information. The important thing to note here is that the Third Circuit Court of Appeals ruled that indeed the FTC does have the authority to regulate based on the FTC Act and based on unfair and deceptive trade practices. So, if a business doesn't do enough to secure consumer customer information, according to the Third Circuit, the FTC does have the authority to go and regulate that business.
Dave Bittner: [00:08:45:01] So, what do we see on the horizon? How can we expect to see the FTC exerting their authority?
Markus Rauschecker: [00:08:50:04] Well, given the ruling by the Third Circuit, I think we'll see that the FTC will assert itself more and more, and I think a lot of people are looking to the FTC to actually fill that role of regulating when it comes to insufficient security practices. The FTC will also be a resource to consumers. An example of the FTC becoming more of a resource for consumers would be the creation of a website, identitytheft.gov, that the FTC has set up where consumers can go if they've been victims of identity theft. The website will guide them through the response to any kind of identity theft that they might have experienced.
Dave Bittner: [00:09:32:14] Markus Rauschecker, thanks for joining us.
Dave Bittner: [00:09:38:00] And that's the CyberWire. For links to all of today's stories, visit thecyberwire.com. The CyberWire is a production of CyberPoint International. Our Editor is John Patrick, and I'm Dave Bittner. Thanks for listening.