The CyberWire Daily Podcast 5.15.18
Ep 599 | 5.15.18

Email client vulnerabilities. Sanctions and trade policy. FinFisher in Turkey. myPersonality data scandal. Patch news. High school phishing.

Transcript

Dave Bittner: [00:00:03:22] Email client vulnerabilities reported. Worries about Russian and Chinese software and hardware vendors. Security and trade policy notes. FinFisher is found used in Turkey. The data scandal that brought down Cambridge Analytica moves to the University of Cambridge, but there the issues seem to be security, anonymization, and possible over-sharing. Adobe and Samsung issue patches and a California high school student is accused of phishing for grade books.

Dave Bittner: [00:00:36:21] Time to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's cyber daily. We look at it, the CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the cyber daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:47:03] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 15th 2018.

Dave Bittner: [00:02:00:11] Researchers report a vulnerability in the way email clients render content encrypted with the widely used PGP and S/MIME protocols. Jettisoning PGP, as some advise, seems unwise, since, as many others say, encryption is better than no encryption, and exploitation, while clever, isn't trivial. Graham Cluley's blog offers some reassurance. He says, "The sky is not falling, stop freaking out." It's probably a good idea to not load images by default, and some people are advising that you not load HTML by default, either.

Dave Bittner: [00:02:37:17] Russian and Chinese companies face an increasingly complicated set of sanctions, restrictions, and suspicions in Western governments. The basic issue is that the companies are thought to be too close to Russian or Chinese security and intelligence services.

Dave Bittner: [00:02:52:24] The US Administration's expressed intent to relax sanctions against China's ZTE has come under criticism from observers who see ZTE products as a security threat. US intelligence officials have expressed security concerns about both ZTE and Huawei devices, and the Department of Defense has ordered a halt to sales of ZTE devices in military exchanges.

Dave Bittner: [00:03:17:11] The US Department of Commerce recently banned ZTE from purchasing US components and software, mostly Qualcomm chips and Android software, which amounted to a near corporate death penalty. The Department's decision was a response to ZTE's evasion of international sanctions against Iran, North Korea, and a handful of other countries. The US Administration's gesture towards a lifeline for ZTE draws criticism from those who see ZTE as a security threat and not merely a sanctions-evader. President Trump is in the process of negotiating some form of reprieve, which he's indicated will be part of larger trade negotiations with China.

Dave Bittner: [00:03:59:04] Probably security negotiations, too. It's perhaps worth noting that China is closely interested in upcoming US talks with North Korea.

Dave Bittner: [00:04:08:21] Huawei is also under suspicion, most recently over its partnership with Chinese authorities to establish surveillance networks covering Xinjiang province. That province is noted for its relatively large share of China's Muslim population, an ethnic and religious minority that's long been a target of government surveillance and influence operations.

Dave Bittner: [00:04:31:21] Huawei's participation in the surveillance program has aroused concerns internationally that the company's products and cooperative practices could easily be turned against external as well as internal targets. Canadian media, notably the Globe and Mail, are expressing particular skittishness about Huawei, as the company has made significant inroads into that country's markets.

Dave Bittner: [00:04:55:17] Turning to Russian companies, the Netherlands has decided to ban Kaspersky products from government networks. The Dutch Justice Minister, Ferdinand Grapperhaus, informed Parliament that Kaspersky Lab's security software poses a national security risk to the Netherlands. Russia, Grapperhaus said, has an active program in cyberspace targeting Dutch interests, and the risk of using Kaspersky products is unacceptably high. The Justice Minister also urged Dutch companies to do likewise. It's a precautionary measure. Netherlands authorities say they've found no evidence that Kaspersky software is being abused, but the company is too close to the Russian government for comfort. Grapperhaus cited British and US concerns about the company in his letter. Kaspersky said, "Kaspersky Lab is very disappointed with this decision by the Dutch government based on theoretical reasoning, especially given that Kaspersky Lab is in the process of implementing a Global Transparency Initiative specifically aimed at alleviating any concerns."

Dave Bittner: [00:06:00:04] Some within the US Government are wondering whether bans and sanctions are an unmixed good. They're aware of the security issues and take them seriously, but they also see uncomfortable room for retaliation by Russia and, especially, China. Suppose Beijing gets its back up when a US tech company complies with a US subpoena, they ask.

Dave Bittner: [00:06:21:22] Advocacy group Access Now says it's found evidence Turkey's government is using FinFisher spyware tools against dissidents.

Dave Bittner: [00:06:31:09] The New Scientist reports finding that the University of Cambridge's Psychometrics Center culled data from a Facebook personality quiz, myPersonality, and shared it with hundreds of researchers over a period of four years. Some three million individuals were affected. The data was poorly secured and imperfectly anonymized. This is the same data collection project whose results were used by now-defunct Cambridge Analytica. One wonders whether responsible human subjects research review boards at Cambridge were asleep at the switch or simply failed to recognize that the project might require their oversight.

Dave Bittner: [00:07:09:09] Thales eSecurity recently published the 2018 edition of their global encryption trend study. The report highlights how organizations are deploying and managing encryption around the world. John Grimm is Senior Director of Security Strategy at Thales eSecurity.

John Grimm: [00:07:26:03] One of the big trends that we saw over the last year is many more people are using multiple clouds, and what that has caused is some difficulty in managing encryption processes. So if you dig a layer beneath, you find that the reason people are encrypting has changed. Over the past several years, one of the big drivers for encryption has been compliance regulations, so needing to check a box if you will or show that you're doing diligence in some form to protect data. That is still a big driver, but the drivers that have really risen over the last couple of years, as shown by the survey, is the need to just apply increased diligence to protecting your customers' information or protecting things like your company's intellectual property. Although compliance is still a major driver, we're starting to see folks applying much more diligence to just good practice of protecting specific targeted data types.

John Grimm: [00:08:26:03] The move to the cloud has made that difficult in some ways because now their data is so many more places. One of the trends that this survey also revealed is the difficulties that folks are having finding all of their data, finding all of the different places that it is going.

Dave Bittner: [00:08:42:14] One of the things that stood out to me in the report was the difficulty people have in managing their keys.

John Grimm: [00:08:49:01] Absolutely. The more you use encryption and any sort of cryptographic process, the more diligence you have to pay to managing keys. It's a relatively simple problem when you've got a limited number of encryption deployments, limited amounts of data that you're encrypting, but once you get to a state where you're encrypting multiple databases or data stores, you're encrypting at rest and in motion, you're using multiple public clouds and encrypting in each of those. As you get further and further into it, it gets really hard to do the job of tracking keys properly, and the linchpin of any good encryption system is how well you protect the key. At the end of the day, if you don't account for that key through its entire life-cycle, from the time that it's created to the time that it's retired, there are actually quite a few phases in the middle there, and it becomes a very big accounting problem to keep track of keys if you're following best practices such as rotating or changing your encryption keys every X amount of time in accordance with best practice.

Dave Bittner: [00:09:52:19] Another thing that stood out to me was you all dug into how organizations protect data at rest when it's in the cloud. It was interesting to me to see the different approaches people take towards encrypting that data.

John Grimm: [00:10:05:11] Well I think we're seeing a bit of a perfect storm in terms of people's need to change how they're approaching it, the fact that folks are using multiple cloud providers. In many cases, the public cloud providers have done a nice job maturing their encryption tools over the last few years, but if you are using multiple cloud providers, you are going to use the individual encryption tools of each one; so now you're putting an extra burden on your staff to learn those tools, and it becomes a lot more challenging to have a very consistent policy across your enterprise when your administrators have to instantiate that policy across a different set of new eyes and tools that they use.

John Grimm: [00:10:45:05] On top of that, one of the findings in this survey that's very consistent over the years is that the top threat to data is mistakes. Mistakes that human beings make, even in the course of trying to do things right. You put together multiple clouds, the multiple tools, the fact that administrators and people knowledgeable about managing encryption and keys are a pretty difficult skill set to find and retain, and the fact that mistakes are a big issue, and it's no wonder that we're starting to see these instances pop up in the news of misconfigured encryption resulting in data leakage.

Dave Bittner: [00:11:21:10] That's John Grimm from Thales eSecurity. You can find the complete report, the 2018 Global Encryption Trend Study, on their website.

Dave Bittner: [00:11:31:19] Adobe yesterday patched 47 vulnerabilities in Acrobat and Reader. The products affected include Windows and MacOS versions of Acrobat DC, Consumer and Classic 2015, Acrobat Reader DC, Consumer and Classic 2015, Acrobat 2017 and Acrobat Reader 2017. Samsung also patched, stopping six critical bugs in its handsets.

Dave Bittner: [00:11:58:13] In a little bit of welcome good news, researchers at the University of Florida have tested a method of detecting cloned, fraudulent gift cards at the point of sale by the unstable "jitter" that cloning introduces. Similar techniques could be applied to cloned ATM cards.

Dave Bittner: [00:12:16:12] Crooks are phishing for Apple credentials. Their bait is a GDPR "hardening" offer. Criminals always chum the Internet with phishbait drawn from current events, and GDPR goes into full effect in ten days. Expect more of this, and be careful what emails you open and what links you follow.

Dave Bittner: [00:12:35:18] Finally, a California high school sophomore is facing 14 felony counts for getting some teachers or teacher to enter their online grade book credentials into a bogus site. He's said to have changed grades for several students, raising some and lowering others, but he didn't get to his own transcript before the Concord, California, Police Department got to him.

Dave Bittner: [00:12:57:12] The student who was arrested is a minor, just 16, who apparently did it for the lulz, and we won't repeat his name. The kid did go to a local TV station and say that phishing the Mount Diablo Unified School District was like "taking candy from a baby." He says he did so because he "did kind of want to give awareness to cybersecurity." We sympathize with his aggrieved family. As his father put it, "I'm frustrated he did this and I don't want him in juvenile hall."

Dave Bittner: [00:13:27:08] An interesting side note, the police used a dog to sniff out the location of an SD card hidden in a tissue box. Like we said, we won't mention the youth's name, but we will give a shout-out to the dog, a pleasant-looking lab named "Dug." He's got a nose for removable storage devices so, good dog, Dug.

Dave Bittner: [00:13:51:11] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro segmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and much more. You'll find it at the cyberwire.com/vmware. See what Workspace ONE can do for your enterprise security. The cyberwire.com/vmware, and we thank VMware for sponsoring our show.

Dave Bittner: [00:14:52:12] And joining me once again is Ben Yelin. He's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We had a story come by from NPR and this was called "A needle in a legal haystack could sink a major Supreme Court privacy case." A lot is going on here; it involved Microsoft and data stored overseas. Fill us in - what's going on?

Ben Yelin: [00:15:14:08] So there was this very prominent Supreme Court case that came up for oral arguments, I think in January. Microsoft has a data storage facility in Ireland and the US sought and obtained a warrant to collect information that was housed at this facility. Microsoft is trying to argue that that warrant is not applicable to data that is stored overseas. It went in front of the Supreme Court. We don't have a decision yet but, based on the legal analysis that I saw, oral argument went very poorly for Microsoft. It looked like they were going to lose. Enter Congress, who steps in before this case is even decided and passes, as part of a much larger omnibus spending bill, what's called the CLOUD Act, and of course it has one of those clever acronyms, Clarifying Lawful Overseas Use of Data. This would make the Microsoft v United States issue moot. What the Act does is that it gives an incentive to our government and to foreign governments to make bilateral one-on-one agreements that would allow the tech companies to honor court-approved search warrants, so it would encourage the United States to make some sort of agreement with Ireland where they will agree under which circumstances a US warrant would apply at an Ireland facility.

Ben Yelin: [00:16:31:22] The way they are able to enforce this is they say that if a company does not come up with some sort of bilateral agreement, with an overseas territory, then the presumption is that the warrant is valid, another company would have to execute the warrant, so that is how they are going to try to enforce this legislation.

Ben Yelin: [00:16:48:22] There are a couple of issues here. One is that it is more of a transparency issue. This piece of legislation has been in the works for a while in Congress, but it was tucked into a 2100-page omnibus spending bill. People just didn't really realize that the Act had been incorporated into the bill so there was really no time for public consideration or public comment. I think that that is pretty detrimental to both transparency and, potentially, the long-term outlook of this legislation.

Ben Yelin: [00:17:19:03] Having said that, I think the tech companies support this because, A, it avoids the worst-case scenario where in all the circumstances they have to abide by US law enforcement warrants - they can come up with these extraterritorial agreements - and it also passes the burden onto the government. They can tell their customers, now, according to this CLOUD Act, if there isn't some sort of agreement we do have to hand over your data even if it is stored overseas. That might help them blunt the publicity if they say the government passed this law; they're forcing us to do it. What is very interesting to me in terms of future outlook is what is going to happen with the Supreme Court case. The Solicitor-General's Office under the Trump Administration filed a petition with the Court. It was basically just an Amicus Brief, so a friend of the Court brief arguing why this particular case should be moot in light of the new legislation, and we'll see if that impacts the Court's decision, if they decide to dismiss the case or if they decide to qualify their opinion based on this new information that they have. I think it was certainly surprising that Congress, which as we know doesn't really do anything, was able to get its act together, even if it was what amounts to a footnote in a large piece of legislation, to address a very live legal problem.

Dave Bittner: [00:18:36:24] All right. We'll keep an eye on it. Ben Yelin, thanks for joining us.

Ben Yelin: [00:18:41:00] Thank you.

Dave Bittner: [00:18:46:02] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:19:05:14] And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:14:09] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik. Social media editor, Jennifer Eiben, technical editor Chris Russell. Executive editor Peter Kilpe and I'm Dave Bittner. Thank you for listening.