Voter dbase compromises. How not to sell security.

Dave Bittner: [00:00:03:18] Voter information is exposed in Mexico, even as Philippine authorities make an arrest in their own voter database hacking case. US court rulings affect the interplay of security and privacy. Reporters do the math on Director Comey's Q and A; they conclude the FBI spent something north of $1.3 million on a zero-day, used to unlock that Jihadist iPhone. Ransomware and point-of-sale hacks are this week's fashion in crime. And we take a look at some industry trends.

Dave Bittner: [00:00:32:13] This podcast is made possible by the Economic Alliance of Greater Baltimore. Helping Maryland lead the nation in cyber security, with a large highly-qualified workforce, 20,000 job openings, investment opportunities and proximity to key buyers. Learn more at greaterbaltimore.org.

Dave Bittner: [00:00:55:24] I'm Dave Bittner in Baltimore, with your CyberWire summary and week in review for Friday April 22nd, 2016.

Dave Bittner: [00:01:04:03] Authorities in both the Philippines and Mexico deal with exposed voter databases.

Dave Bittner: [00:01:08:22] In the Philippines, the Commission on Elections was initially defaced on March 27th, with personal information on about 55 million voters being posted online three days later.

Dave Bittner: [00:01:19:08] The Manilla Bulletin reports that police arrested a suspect at his home in Sampaloc, Manila, and that the National Bureau of Investigation is sifting through devices and other materials seized in the arrest. The suspect is said to be a recent IT graduate, who's styled himself a white hat hacker, committed to responsible disclosure. If still unconfirmed reports are correct, that self-presentation isn't without justification, as the suspect is said to have earned some bug bounties, and the thanks of the companies to whom he has disclosed his findings.

Dave Bittner: [00:01:50:22] Obviously, however, hacking into and then exposing the personal information of millions of registered voters, means you've changed hats. Philippine authorities apologize for the breach, but say they'll continue to hold elections as planned.

Dave Bittner: [00:02:04:01] In the Mexican case, Salted Hash reports that Kromtech researcher, Chris Vickery, discovered a 132 gigabyte misconfigured MongoDB instance, holding records of more than 93 million voters. The compromise was discovered April 15th and disclosed the next day, but the database seems to have been exposed on an Amazon Web Services account since September of last year. Authorities pulled the data offline this morning.

Dave Bittner: [00:02:30:22] The FBI paid at least $1.3 million for a zero-day that helped them access the San Bernardino jihadist's iPhone. The Bureau considers it a bargain at that price, but the purchase is unlikely to mollify those uncomfortable with the investigation's implications for privacy.

Dave Bittner: [00:02:47:13] There are of course many ways you can become infected with malware. One of the vectors is the phishing attack. Some phishing, like the venerable "Nigerian scam" designed to induce the unwary to give up their bank account credentials, is fairly obvious and easily recognized. But phishers are upping their game. We spoke with Phishlabs expert, Joe Opacki, about the growing sophistication of phishing schemes.

Joe Opacki: [00:03:09:22] Spear phishing remains a primary infection factor for APT actors. We all knew that. However, 22 percent of spear phishing attacks analyzed in 2015, were motivated by financial fraud or related crimes. The second thing is, we notice that there’s a large upscale in the number of business email compromise spear phishing attacks that we’ve seen in 2015, significantly more than we saw in 2014. And the threat actors that are using these types of attack techniques, are modifying their techniques to make the attack much more effective.

Dave Bittner: [00:03:43:05] Opacki reminds users to remember that phishing is often a single component of a larger, more sophisticated attack.

Joe Opacki: [00:03:49:18] So there have been numerous incidents over the last couple of years, in which law enforcement has actually arrested people who are known phishers. I think the bigger question is, what a lot of people don't understand is that phishing is also considered a gateway crime. We say a lot in our office, that 90 percent of all malware infections begins with phishing attack. And also, 95 percent of all corporate espionage attempts, begins with a spear phishing attack. So phishing is not a single crime, it's actually tired to larger organized crime.

Dave Bittner: [00:04:23:21] As time goes on, the phishers’ techniques grow more and more sophisticated.

Joe Opacki: [00:04:27:14] There’s two types that we really focused on. First off, consumer-focused phishing. What we've seen is authors who are creating what we call "phish kits" which are basically sites that are posted on compromised websites, that represent a brand that they're trying to scam. What we've seen is, we've seen a lot of authors who have injected codes that obfuscates data, will collect large amounts of data from people who are going to these scam sites. Have specific countermeasures in place to prevent analysis. Have specific countermeasures in place to prevent specific users from going to even a phish kit. So they have GOIP blocking, they use specific technologies to prevent IP address spaces from visiting. From a spear phishing side, we've seen a lot more sophistication around these business email compromise scams. There's more and more targeting by the phishers against the enterprise.

Joe Opacki: [00:05:22:09] The business email compromise attacks not only grew in sophistication over the last year, but the actual attack techniques by the phishers change since what we've seen in 2014. What we've also seen, is we saw a modification recently that preys upon privacy. So we've seen a lot of emails that have gone out with the scam that uses some type of mergers and acquisitions ploy to reinforce the need for secrecy. So now what they're saying is this timely, do you need to do this because I'm the CEO? But also you can't tell anyone that you're doing this. And so we're seeing much more social engineering sophistication going into these types of attacks.

Dave Bittner: [00:06:02:00] According to Joseph Opacki, there's no silver bullet to protect your organization against phishing. It requires a combination of employee training, reporting, and automated monitoring.

Joe Opacki: [00:06:11:19] Phishing is 100 percent a social engineering attack. And essentially it preys upon on the fact that people want to believe what they read. There's no technical implementation that you can utilize that's going to 100 percent completely combat phishing. It's important for you to provide security awareness training - or what we call employee defense training - to educate your user base to identify what the attack looks like. And further, build this mentality within your company to provide reporting. Reporting absolutely is an important part of this process, because not only does it need to be identified, but it also need to be analyzed and it helps drive the response to the attack.

Joe Opacki: [00:06:55:09] There's lots of technical solutions that you can implement that will assist you with doing a lot of this, but as the attack methodologies change, and also as the adversary threat vectors change, there's always going to be phish that are going to make it through any solution we put in place in the enterprise level. Which is also why we need to reinforce that the security awareness training, or employee defense training, is important for your user base, and then constant testing to ensure that they know how to identify the attack, or the attack vector.

Dave Bittner: [00:07:29:01] Joseph Opacki is head of Threat Research Analysis and Intelligence at Phishlabs. Their website is Phishlabs.com.

Dave Bittner: [00:07:40:17] This podcast is sponsored by SINET, The Security Innovation Network, connecting the cyber security community, innovators, investors and customers, business and government. Learn more at security-innovation.org.

Dave Bittner: [00:08:01:19] Benjamin Yelin is a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security, one of our academic and research partners.

Dave Bittner: [00:08:09:16] Ben,I think we all have a certain expectation of privacy on our mobile devices. But there's a device called a StingRay that comes up in stories about law enforcement investigations, and mobile devices. Can you describe for your audience what exactly is a StingRay?

Benjamin Yelin: [00:08:24:06] So a StingRay, and another brand name that's used called Hailstorm, is a device that acts as a cell-site simulator. So it tricks your cell phones into transmitting information that they would normally transmit to a cell tower. So it's actually identifying information that can reveal your exact location. These devices have been used by law enforcement as a way to track potential criminals, and they have tried to use evidence gleaned these searches by StingRay devices in courts of law.

Dave Bittner: [00:09:02:00] Now there was a case that just came up in Maryland regarding a StingRay device, yes?

Benjamin Yelin: [00:09:06:24] Yes, so the Court of Special Appeals just heard a case by the name of, The State of Maryland v Andrews. For background, the Court of Special Appeals is an intermediate court in Maryland, so we'll see if this case makes it up to the highest court in Maryland, The Court of Appeals. But the Intermediate Court held that searches under Hailstorm, which is a version of the StingRay device, are unconstitutional, are violations of the fourth amendment and any evidence gleaned from the use of these devices cannot be used in court, it has to be excluded. And the reasoning behind this is that people have a reasonable expectation of privacy, that their cell phone will not be used a real time tracking device. There's this legal concept called the "Third Party Doctrine" in which if you voluntarily submit information to third parties, such a cell phone company, then you lose your reasonable expectation of privacy, and there is thus no search for "Fourth Amendment" purposes.

Benjamin Yelin: [00:10:06:23] But I think what the court was saying here is that you are not voluntarily submitting any information. This is an active device that seeks out your information, that penetrates your device to get identifying information. So the court was saying that the "Third Party Doctrine" doesn't apply here. That means we have a search, people do have a reasonable expectation of privacy, and because of the search the Fourth Amendment applies. You either need a warrant, or a exception to a warrant. And in this case law enforcement did not have a warrant, so at least for the time being, the case has been thrown out and they'll need to try the case with new evidence.

Dave Bittner: [00:10:46:12] One of the things that puzzles me when I see these stories about StingRay devices, is that the FCC seems to be turning a blind eye when it comes to law enforcement pretending to be cell phone towers.

Benjamin Yelin: [00:10:59:00] It's very interesting, because last year Senator Bill Nelson from Florida sent a letter to the FCC and its Chairman, Tom Wheeler, asking about the use of these StingRay devices. And the FCC said that they have certified these devices. The only condition for their use, is that they can only be sold to law enforcement officials. Basically the Commission said they had no information about the extent to which, or conditions under which, law enforcement has obtained authority to use these devices. So they've been pretty hands-off about it. So I agree that it's surprising, especially something that has limitless potential to identify peoples locations and personal information. So I'm surprised they haven't taken a closer look at it.

Benjamin Yelin: [00:11:46:02] I'm aware that the ACLU and other groups have raised concerns about these devices, and they're basically operating as remote cell phone towers that are gathering metadata on all the phones in their vicinity, and that's a significant intrusion on people’s privacy.

Dave Bittner: [00:12:02:21] Well time will tell, and we'll continue to keep an eye on it. Ben Yelin thank you for joining us.

Dave Bittner: [00:12:10:06] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.

Dave Bittner: [00:12:42:19] Looking back at the week, we find some recent US court decisions affecting private and security. Senior United States District Judge Susan Illston, of the United States District Court for the Northern District of California, has ruled that changes to law and policy have now rendered National Security Letters constitutional. National Security Letters are demands for personal information, accompanied by a gag order prohibiting disclosure of the demand. The judgment was unsealed yesterday. Judge Illston had earlier ruled National Security Letters unconstitutional. The Electronic Frontier Foundation plans to appeal.

Dave Bittner: [00:13:18:09] In a quite different case with a markedly different outcome, Judge William G. Young of the US District Court of Massachusetts, ruled inadmissible evidence in a child abuse imagery case. The FBI had obtained the image by using network investigative techniques to plant spyware on a suspect's device. The investigation was conducted with a warrant, but Judge Young found that the warrant had been granted without proper jurisdiction.

Dave Bittner: [00:13:44:06] Point-of-sale attacks spiked this week. Much of this appears to represent a criminal scramble to take advantage of legacy card swiping systems, before their imminent replacement in the big US retail market, by the (one hopes), more secure EMV systems. Commonly called "chip-card," EMV point-of-sale systems are the ones in which you insert, rather than swipe your card. They're clearly coming to US stores, but merchants are dissatisfied with the way they're being pushed out. Retailers began assuming liability for paycard fraud about six months ago and they're unhappy with the confusion customers experience at checkout. They blame card companies for the problems. The card companies, retailers complain, have been too slow in certifying EMV software.

Dave Bittner: [00:14:28:02] The week also saw the continuing rise of ransomware, including the newly discovered CryptXXX. Researchers are finding that the criminal proprietors of the well-known Nuclear exploit kit are profiting from the trend. Their product has become a popular adjunct to ransomware campaigns.

Dave Bittner: [00:14:44:19] And of course, the most important protection any enterprise or user can adopt against the effects of ransomware, is regular, secure backup.

Dave Bittner: [00:14:52:20] The week saw some patching. Cisco patched, among other issues, a denial-of-service vulnerability in its wireless LAN controllers. And Oracle issued 138 fixes to products that include Oracle Database Server, E-Business Suite, Fusion Middleware, Oracle Sun Products, Java and MySQL. A significant change to Oracle's patching practices, is the company's adoption of Common Vulnerability Scoring System (or CVSS) version 3.0. This caused more of its patches to be scored "high" or "critical".

Dave Bittner: [00:15:24:04] And in industry news, Dell SecureWorks priced its initial public offering late Thursday. In the IPO, some eight million shares were sold - lowered by a million from what was expected - and the price was $14 per share - also a bit lower than the estimated $15.50 to $17.50 range. SecureWorks will trade under the SCWX ticker symbol.

Dave Bittner: [00:15:47:17] Other security stocks exhibited mixed performance in trading. IBM's disappointing earnings brought is shares down. But a number of analysts think the company's repositioning of itself - especially its repositioning as a player in the security market - make it a long-term bargain.

Dave Bittner: [00:16:02:22] Another company attracting favorable reviews from analysts, is Palo Alto Networks. Morgan Stanley thinks "under-appreciated" free cash, justifies continuing its positive "overweight" rating.

Dave Bittner: [00:16:14:14] And finally, have you ever received emails from security vendors, urging you to "act now", or warning you that this is your "last chance?" We have. Sometimes they even address us by our first name. When we were out at SINET ITSEF, if we heard about one big burr under everyone's saddle, it was the last-chance cold call or email.

Dave Bittner: [00:16:35:04] So we close with this advice to security company sales staff everywhere: act now, stop the nagging and learn something about your prospects. Act now.

Dave Bittner: [00:16:47:00] And that's the CyberWire. For links to all of today's stories, visit thecyberwire.com. And while you're there subscribe to our popular daily news brief. Our editor is John Petrik. I'm Dave Bittner. Thanks for listening.