The CyberWire Daily Podcast 3.25.16
Ep 64 | 3.25.16

ISIS info ops target gangsta demo. Snakes in walled gardens. US indicts Iranians.

Transcript

Dave Bittner: [00:00:03:14] As ISIS loses on the ground in its declared territory, its online information ops target the Muslim diaspora's gangsta demographic and European Muslims say, "the gangstas aren't us." European authorities find their intelligence-sharing falls short, and look for ways to shore it up. RSA researchers look at the Apple and Google app stores and see serpents in the walled gardens. Ransomware both old and new circulates, and two well-known security outfits suffer security problems of their own. It's US tax season so what should you know about filing your state taxes?

Dave Bittner: [00:00:38:17] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.

Dave Bittner: [00:01:01:04] I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, March 25th, 2016.

Dave Bittner: [00:01:07:24] Observers see the Islamic State's bombings in Brussels as suggesting two trends with implications not only for physical combat, but for information operations as well. First, ISIS territorial losses and decreasing combat performance in Syria and Iraq are making its claims to have established a caliphate more difficult to sustain. Hence the turn to massacres planned and mounted from poorly secured Western neighborhoods as propaganda-of-the-deed, and a corresponding increase in information operations directed toward disaffected, semi-criminal elements, those who'd otherwise be likely recruits for ordinary gangs. Second, as it emerges that some of the killers were known to intelligence services, notably those of Turkey and the United States, but that European, especially Belgian, authorities were unprepared to handle such intelligence, more calls are heard for coordinated information-sharing throughout Europe.

Dave Bittner: [00:02:00:15] KrebsOnSecurity reports that Verizon Enterprise Solutions, the telecom giant's B2B service arm, has suffered a data breach, with 1.5 million customer records for sale in dark web black markets. The entire package is offered for $100,000, but less well-heeled criminals can also buy the data in 100,000 record blocks for a more affordable $10,000.

Dave Bittner: [00:02:23:04] In a preview of their Black Hat presentation, Check Point researchers outline problems with the walled-garden approach both Google and Apple have been following, responsibly following, we add, to screening out all but high-reputation apps from their respective stores. In some cases OEM-signed malicious apps gull users into installing them. In other cases modified versions of legitimate development environments posted to third-party websites infect the work of unwary legitimate app developers. You're still better off restricting your downloading to Google and Apple stores than you are foraging afield, but it's worth remembering that there are serpents even in the walled gardens.

Dave Bittner: [00:03:01:04] Microsoft and Samba are working, they say, on a fix for the Badlock vulnerability, but details on exactly what that vulnerability puts at risk remain obscure. Whatever Badlock actually is, it's said to be "critical." The flaw apparently sits at the intersection of Windows and Samba, where SMB/CIFS is used to share access to files and printers, and Active Directory is used for authentication and authorization. We'll no doubt learn more about this already branded and logo'd vulnerability come April's Patch Tuesday.

Dave Bittner: [00:03:32:14] A new, more virulent strain of ransomware, which discoverer Trend Micro is calling "Petya", is also out. Petya locks users out of their systems by overwriting the master boot record. It displays its extortion message at system start-up.

Dave Bittner: [00:03:47:04] In better news, several patches are out. Google has a security update for Chrome, and Oracle issues another Java patch that fixes a problem with Java SE running in desktop web browsers. Microsoft is deploying a macro-blocking feature to Office. This is noteworthy given the frequency with which malicious macros are used as malware vectors. And Apple indicates it plans to turn iCloud encryption key management over to users. This is widely regarded as a preemptive move against the company's being forced to help law enforcement decrypt user information in the cloud.

Dave Bittner: [00:04:20:04] It's US tax season, and the unwary are being aggressively phished by fraudsters. It's worth remembering that fraud goes on at all levels of citizenship, Federal, state, and local. The CyberWire talked to Mark DiFraia of MorphoTrust about a program they're piloting in Georgia and North Carolina to help combat fraud.

Mark DiFraia: [00:04:38:05] Essentially what we're doing is we're using a new solution that we've brought to market called Electronic ID. An electronic ID is an online credential that you would use to log into websites securely but it's based on the trustworthiness of your driver's license. Essentially it's almost like putting a credit lock on your tax ID account. At registration time, when you first get your account set up, you're going to have to scan the front of your driver's license with the camera on your phone and what that scan is going to do is authenticate and make sure that your driver's license is real by looking at security features that are embedded in the document. It will read the barcode information on the back of your driver's license to extract the right user data and then it's gonna ask you for a selfie and that selfie and the data from the barcode are going to be passed through us to our partners within either North Carolina DOT or to the Divisional Drivers Services in Georgia where they issue their driver's licenses. And we will do a one to one match of the selfie against the photo on record through software that we provide as well as look at the data points from the bar code and the data points that are on the system of record.

Dave Bittner: [00:05:50:15] MorphoTrust's website is morphotrust.com.

Dave Bittner: [00:05:55:12] As long expected, the US Attorney for the Southern District of Manhattan yesterday returned indictments against seven Iranian nationals for, among other crimes, their now famous cyber reconnaissance of a small dam in downstate New York. So why, some of our more bellicose listeners are probably asking, isn't the US military retaliating against an act of war? It's not that simple. As the Defense Department explained to the Senate when asked about earlier PLA hacks, quote, "First, you have to identify the geographic location of where the attack came from. Then you have to identify the actor. Then you have to identify whether the government of that geographic space was in control," end quote. So again, it's not that simple. Attribution never is. Evidence good enough to indict usually isn't evidence good enough to go to war over.

Dave Bittner: [00:06:44:05] And finally, we're happy to say we have a winner in the CyberWire's inaugural name-that-tune competition. The prize, and our prizes are all glory, go to the sagacious and persistent Cuckoo's Egg, who determined that the mystery music we played at the end of our March 23rd episode was from that 1978 television series "Project UFO", produced by none other than Jack Webb. Congratulations, and visit Ms Egg via her Twitter handle, @Cuckoos_Egg. Well done, Ms Egg.

Dave Bittner: [00:07:17:02] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning coworking space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at betamore.com.

Dave Bittner: [00:07:36:19] I'm joined once again by Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. They're one of our academic and research partners. Joe, when you download an app for your mobile device, that app is going to ask you for permission to access various things on your device. This is an area that requires your attention, yes?

Joe Carrigan: [00:07:55:24] Yes, yes, it does. It requires your astute attention. For example, if you look at a flashlight app, what does a flashlight app need to have access to? Chances are it needs to have access to your camera because that's where the LED is attached to the system, it's part of the camera and that is probably all it needs and it doesn't need access to your contact list, your Wi-Fi states, your full network access. There are a lot of apps out there that require these things. Just recently I was-- you know, I have a daughter who is looking at purchasing a car so I was looking at the various apps for pricing cars and some of them required a huge amount of permissions. However, not to endorse anyone over the other, but the Kelley Blue Book app did not require a huge amount of permissions, so that's the one I installed and that's the one I was using.

Dave Bittner: [00:08:46:18] It's clear that a flashlight app doesn't need to necessarily know your GPS location.

Joe Carrigan: [00:08:50:04] Correct.

Dave Bittner: [00:08:51:13] But there are occasions where these apps can have enhanced functionality if you give them permission to access things on your phone, like your location, things like that.

Joe Carrigan: [00:09:00:19] Absolutely. Like, if you download Waze which is a navigation app, that's going to need your GPS location, presumably to use for the purpose of getting you to your destination. Of course you have to understand you're making a trade-off, that GP-- that Waze now has access to your GPS information but, as a user of Waze myself, I, I'm comfortable making that trade-off.

Dave Bittner: [00:09:22:18] So it's a balance between the cool features [LAUGHS] and protecting your personal information.

Joe Carrigan: [00:09:28:01] Right, and the cool features is how they get you, right?

Dave Bittner: [00:09:31:08] Every time. They get me every time Joe, every time. Thanks again for joining us.

Joe Carrigan: [00:09:35:04] It was my pleasure.

Dave Bittner: [00:09:39:10] And that's the CyberWire. For links to all of today's stories visit thecyberwire.com and while you're there subscribe to our popular daily news brief. Our editor is John Petrik. I'm Dave Bittner. Thanks for listening.