The CyberWire Daily Podcast 11.8.18
Ep 722 | 11.8.18

Post hack ergo propter hack: DHS calls Russian claims “noisy garbage.” Responsible and irresponsible disclosure. FCC wants an end to robocalls. USPS Informed Delivery abused. Post Canada—whoa.

Transcript

David Bittner: [00:00:03:22] Election hacking seems not to have happened in the US this week, but that hasn’t stopped the IRA and its mouthpieces in Sputnik, RT, and elsewhere from loudly claiming it has. Election influence operations continue long after the election. A VirtualBox zero-day disclosed. USCYBERCOM posts Lojack to VirusTotal. The FCC goes after Robocalls. The US Postal Services’ Informed Delivery has been exploited and Canada Post slips and reveal cannabis customers.

David Bittner: [00:00:41:00] It's time to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest white paper titled Threat Intelligence Platforms, Open Source versus Commercial.

David Bittner: [00:01:27:01] As a member of a maturing security team, evaluating Threat Intelligence Platforms or TIP, you may be asking yourself whether you should use an open source solution, like a Malware Information Sharing Platform or MISP. Or buy a TIP from one of the many vendors offering solutions. In this white paper, Threat Connect explains the key technical and economic considerations every security team needs to make when evaluating threat intel solutions to help you determine which is right for your team. To read the paper, visit threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

David Bittner: [00:02:11:15] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday November 8th 2018.

David Bittner: [00:02:24:05] The US Department of Homeland Security has said that Tuesday’s elections went off without disruption by cyberattack and at this point, that seems a fair assessment. Preparations are already underway to bring a comparable level of security forward into the 2020 election cycle. So hacking proper seems to have been a fizzle but there were some influence operations in play. DHS also notes that disinformation about election security and the effects of influence operations is being actively distributed. It’s hogwash from St. Petersburg, whose Internet Research Agency cries victory for its trolls.

David Bittner: [00:03:01:18] DHS cybersecurity leader Christopher Krebs points out that the influence ops from Russia right now are filled with noise and garbage, stuffing people up with phony stories about compromised systems and voting having been cyber rigged. Expect this to continue and remember that Moscow’s record suggests that it has a fairly simple and achievable goal, erode adversary populations’ trust in their governments’ institutions and in one another.

David Bittner: [00:03:29:18] Also from St. Petersburg comes a zero day for Oracle’s VirtualBox, posted to GitHub. This isn’t the IRA’s work but rather of one irritated freelance bug-hunter, Sergey Zelenyuk. Mr. Zelenyuk says he loves VirtualBox but that the industry just takes too long to evaluate reported bugs and so he’s dropped the zero day without prior disclosure as a gesture of defiance.

David Bittner: [00:03:57:13] US Cyber Command is also reporting bugs but in regular, non-angry way. The command has submitted samples of Russia-linked Lojack malware to VirusTotal.

David Bittner: [00:04:09:13] A major incident affecting banks in Pakistan appears to be a paycard skimming operation as opposed to a breach. The country’s Central Bank denies there was any breach but skimmers seem to have accessed around 20,000 paycards’ data. The affected cards are from a range of most of Pakistan’s major banks.

David Bittner: [00:04:30:07] We are all familiar with passwords, something you know. And of course, these days, they're often combined with some sort of second factor, typically something you have to verify you are who you say you are and that you should be granted access. The folks at Purolocks Security Solutions aim to take that to the next level, using behavioral biometrics to keep an eye on what you're doing and how you're doing it. Ian Patterson is CEO at PuroLock.

Ian Patterson: [00:04:56:19] Behavioral biometrics is the study of how people behave over time. We're all familiar with traditional biometrics, using Touch ID or Face ID, using fingerprint scanning or facial recognition. Behavioral biometrics is intended to be used on a continuous basis where we're constantly assessing the identity of a person. For example, the way that you walk has unique characteristics about yourself. It's called gait analysis. What we're doing at PuroLock is focusing on using behavioral biometrics of how people type and move their mouse to be able to authenticate them. The history is interesting, dating back to World War 2 where telegraph operators could detect who the other operator was just by the unique speed and cadence of how they were typing on the telegraph machine. It was a very early form of signals analysis. And what we do on keyboard to detect people's speed, rhythm and cadence, actually traces its roots back all the way to World War 2.

David Bittner: [00:06:02:11] Let's dive into that. What are some of the things that you're tracking and how effective is it?

Ian Patterson: [00:06:10:00] We have a solution that is used primarily inside workplaces and we're able to constantly assess the identity of users on their devices. We look at speed, rhythm and cadence of how people type on a keyboard. We also look at the X and Y position of a cursor using a mouse or a touchpad. We extract unique biometric markers, some of them include how fast you type, how long you dwell on specific keys, how long it takes your fingers to go from one key press to the next. On mice, we look at how you move, click, scroll and the relationship between clicks, movements, scrolls and typing.

David Bittner: [00:06:57:22] I suppose there's a learning process that happens when you're on boarding someone to get the system to figure out what their normal range of activities is?

Ian Patterson: [00:07:07:18] It is. We use Artificial Intelligence to build a user profile. Depending on the environment, it could be as quick as 20 minutes to build the initial profile or it could be over several days. Once we have it built, we're constantly learning and adding to it. The system is unmanaged, sits in the background. In most cases, users don't interact with the system, it's just monitoring and protecting.

David Bittner: [00:07:34:24] Why do suppose this hasn't become popular up until now? What's been holding back these specific types of behavioral extra tests?

Ian Patterson: [00:07:47:08] Part of it is it's a hard problem to solve. Our technical team spent over 35,000 hours of research in the technology itself even before we started production. We have a core team of data scientists who spent most of their career around behavioral biometrics and CyberSecurity and are the leading sources in the academic journals. We are either offering those articles or we're the ones being cited. It's a hard problem to solve. It's also resulted in a lot of IP. We have a number of patterns that are filed in this area.

Ian Patterson: [00:08:23:01] What's happened in the industry is traditional identity systems like two factor authentication, traditional passwords, haven't proved to stop the data breaches. If we look at the cause of data breaches in 2016 and then going into 2017, the Horizon data breach incident report suggested that three to five data breaches originated from a weak or stolen password. In 2017, that went up to four to five. The problem is getting worse, not better. And what we're seeing is that the industry is demanding more and stronger identity defenses that operate not only at the time of log in but throughout the user session.

David Bittner: [00:09:09:23] That's Ian Patterson from Purolock Security Solutions.

David Bittner: [00:09:15:19] With next month’s Chrome 71 release, Google will give abusive advertisers thirty days to clean themselves up or face ejection from the company’s advertising service. This is going to be easier said than done. Misbehaving ads include ones that block content, keep users from scrolling, blast through settings that would mute autoplay and so on. But it also includes serious criminality, phishing, waterholing, tech support scams. How Google will wrangle this stuff remains to be seen and the 30 day limit may represent a quiet acknowledgment that Mountain View, which depends upon advertising, grasps the difficulty of the challenge.

David Bittner: [00:09:58:13] KrebsOnSecurity reports that the US Secret Service is circulating internally, a warning that its field offices have observed an uptick in criminals abusing weaknesses in the US Postal Service’s Informed Delivery service to commit identity theft and credit card fraud. Informed Delivery enables recipients of letters to view scanned images of inbound mail. Criminals have been able to use the service to watch potential victims of identity fraud, stealing mail containing, for example, credit cards, from mailboxes before the recipient can pick the mail up. This has continued despite the Postal Service’s recent attempts to increase security and make it easier for people to opt out of the service. One wonders if this particular form of crime won’t fade with traditional mail delivery. Informal checks suggest to us that the US Mail now consists mostly of advertising sprinkled with a few magazine subscriptions and the occasional wedding invitation, the way landline phone calls seem increasingly dominated by robocalls.

David Bittner: [00:11:02:02] Speaking of which, the US Federal Communications Commission is scolding and nudging phone companies to do more against robocalls. FCC Commissioner Pai in a letter to voice call providers Monday said, quote, Combatting illegal robocalls is our top consumer priority at the FCC. That’s why we need call authentication to become a reality. It’s the best way to ensure that customers can answer their phones with confidence. By this time next year, I expect that consumers will begin to see this on their phones. End quote. The FCC’s preferred anti-robocalling framework, which it’s urging on the telcos, has the vaguely James-Bondian name SHAKEN/STIR which stands for Signature-based Handling of Asserted Information Using toKENs that’s SHAKEN and Secure Telephone Identity Revisited, which would be STIR.

David Bittner: [00:11:55:09] The framework digitally validates phone call handover as calls pass through various networks in a way that makes it possible for the company serving the recipient to verify that the call is from the person represented as making it. There are interesting analogies between this framework and the work on transparency and against coordinated authenticity currently in progress among social networks. For now SHAKEN/STIR is voluntary but the FCC suggests that if the phone companies don’t get on board, it may become compulsory.

David Bittner: [00:12:29:05] And, finally, we close with another postal story, this one from our neighbors to the north. The Ontario Cannabis Store warns that its delivery list for newly legal weed has been illicitly accessed due to missteps at Canada Post. Some coverage seems to show signs of the Butterfield Effect, representing a fairly obvious causal connection as paradoxical, a new and trendy industry already finds itself under cyberattack, which of course it does. Fashionable, only recently legal, young companies? Of course they’re going to be of interest to cybercriminals. That’s not the case with the Canada Post, naturally, which has been mushing around to deliver the letters since its founding as Royal Mail Canada back in 1867. So, they’ve been around the block a time or two.

David Bittner: [00:13:21:11] And now, a bit about our sponsors at VMWare. Their trust network for workspace one can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual polices get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMWare's white paper on a comprehensive approach to security across the digital workspace will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what workspace one can do for your enterprise security. Thecyberwire.com/vmware. And we thank VMWare for sponsoring our show.

David Bittner: [00:14:22:04] And joining me once again is Dr Charles Clancy. He's the Executive Director of the Hume Center for National Security and Technology at Virginia Tech. Dr Clancy, it's great to have you back. You sent over an article from the Los Angeles Times. This is written by David Lazarus and the title is, It's time cellphone signal jammers were installed in people's steering wheels. I can't help but thinking you probably have some issues with this notion.

Dr. Charles Clancy: [00:14:47:14] I think the challenges would be tremendous. First of all, operating a cell phone jammer is illegal. Let's assume we can get past that point.

David Bittner: [00:14:58:12] Let's start off by describing what they're after here. Why do they think that having extremely low reach jammers might improve safety when it comes to cell phone use in cars?

Dr. Charles Clancy: [00:15:12:23] The concept is texting and driving. Other forms of distractive driving are a major safety issue on the road. If we had a way of blocking people's cell phones, we'd be in a better position. People wouldn't text and drive. People would drive more safely. That's the fundamental premise. In order to accomplish that, you need to extend a bubble of jamming that only affects the driver of an individual vehicle. There's a huge technical challenge there in being able to calibrate the power level to only affect that one localized spot.

David Bittner: [00:15:51:01] Is this the kind of thing where there could be more practical solutions? Apple has something in iOS that will allow you to opt in if it senses that you're using a maps app or traveling at a certain speed, you can have things like texts automatically put on hold until you finish your trip.

Dr. Charles Clancy: [00:16:09:08] The more proactive solution is to find automotive technology that will integrate with people's phones in order to safely engage the user in that phone. Easy to configure, to use hands free, was a huge technology game, now most people are not holding a phone to their head. Of course, we still have challenges of texting and emailing. If there's ways to figure out how to delay delivery of those texts or find others way in which the user can interact with that data in a more safe way, that's the proactive solution. We're also looking down the road towards self driving and autonomous vehicles. Having jammers in steering wheels would cause problems when your automobile is using the cellular network to do autonomous navigation and things of that nature. So, we don't want to jam the airwaves, we want cars to be able to navigate and support a lot of the economy features. And if your car is able to do adapted cruise control and lane assist, becoming increasingly autonomous, safety goes up significantly.

David Bittner: [00:17:19:24] The FCC doesn't take kindly to these sorts of things. In this story, they point to a gentleman who was hit with a $48,000 fine for playing around with his jamming device.

Dr. Charles Clancy: [00:17:31:02] Under the Communications Act of 1934, it is illegal to operate a jammer, cell phone or otherwise, unless you're with the Federal Government. Not a good idea.

David Bittner: [00:17:43:22] We'll hold off for more practical technical solutions, Dr Charles Clancy, thanks for joining us.

David Bittner: [00:17:54:10] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible. Especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using Artificial Intelligence, visit Cylance.com. And Cylance is not just a sponsor, we actually use their products to help product our systems here at the CyberWire. And thanks to our supporting sponsor, VMWare, creators of workspace one intelligence. Learn more at vmware.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co building the next generation of CyberSecurity teams and technology. Our CyberWire editor is John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.