Archive.fm

CyberWire Daily

The CyberWire 1.29.16

Duration: 17m
Broadcast on: 29 Jan 2016
Audio Format: other

You're listening to the CyberWire Network, powered by N2K.

Spear phishing continues to work, and both allies and adversaries continue to snoop on one another. Utilities work to shore up their defenses, and experts warn them not to over-rely on incident response. ISIS may be trying to hire hackers in India.
HSBC sustains a denial of service campaign against its online banking services in the United Kingdom. The RSA Innovation Sandbox's 10 finalists are announced. In the US, NIST and the FDA post draft cyber guidelines. An audit suggests that Homeland Security's Einstein is no Einstein. Safe Harbor seems farther away, and whatever you do, Facebookers, don't be like Bill.

I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, January 29, 2016.

Some notes on surveillance of Israeli targets by foreign intelligence services surface at week's end. Israeli officials cite leaks as they say British and American agencies monitored Israeli Air Force communications. Other sources claim Iran targeted Israeli generals in extensive spear phishing campaigns. And more targets than one might expect opened the emails and consequently leaked information.

The post-mortem on Ukrainian grid incidents continues to focus on BlackEnergy and its distribution through compromised Word files. As utilities in the US and elsewhere look to their defenses, control system security experts warn that incident response, a staple of cyber defense in other sectors, is a bit more complicated in the industrial control system world. Dark Reading's interviews with experts surface two issues. First, availability is a matter of central concern to utilities. Their industrial control systems can't simply be taken offline without extensive reliable backup. And second, cyber incident responders, including digital forensic experts, tend to be unfamiliar with ICS. As ICS security expert Joe Weiss told the CyberWire recently, securing control systems in all industries is very different from securing business IT systems.

FinFisher spyware has shown up in some Australian data centers. HackRead, for one, points at Indonesia as a likely suspect, that country's presumed motive being revenge for alleged Australian surveillance of Indonesia.
Both Australian and Indonesian agencies are reported to be FinFisher customers.

Disturbing reports suggest that ISIS has begun recruiting hackers in India, offering monetary incentives to hack for the caliphate. The India Times says that ISIS is willing to pay $10,000 for information stolen from government networks. This seems to be hacking for hire, as opposed to an attempt to build a stable of coders that would give ISIS a credible cyber offensive capability. But there's certainly the potential for this effort to develop in more troubling directions. Offering money should lend urgency to governments' efforts to disrupt ISIS finances.

HSBC's online customer banking sites have been disrupted by a significant distributed denial of service attack. The attack, remediation of which is in progress as we go to press, comes at an inconvenient time for British banking customers. It's not only messing with end-of-month payroll disbursements, but also with freelancers' ability to meet tax deadlines.

BugSec and Cynet, that's CYNET, not to be confused with the other SINET, SINET, report finding a vulnerability in LG Android phones that could be exploited for data theft. The vulnerability lies in Smart Notice, a pre-installed widget that manages a range of notifications and alerts. LG has patched the bug.

In other patching news, a Cisco firmware update closes a hole in that company's RV220W wireless network security firewall devices, and OpenSSL fixes an encryption weakness. Its cryptographic library could, if so instructed, have reused prime numbers.

In industry news, Proofpoint, Check Point, and Fortinet all posted encouraging numbers this week, so investors are breathing a bit easier about them. Check Point says it's "evaluating acquisitions big and small." And the RSA Conference announces the 10 finalists for its annual Innovation Sandbox competition. Congratulations to them all.
The finalists, in alphabetical order: Bastille Networks, Illusive Networks, Menlo Security, Phantom, Prevoty, ProtectWise, Skyport Systems, Vera, and Versa Networks. The CyberWire will be covering RSA in San Francisco the first week in March, and we're looking forward to seeing the finalists in the sandbox.

Turning to emerging standards, the U.S. National Institute of Standards and Technology is soliciting comment on its draft publication on random number generation, a topic of vital importance to cryptography. And the U.S. Food and Drug Administration has a draft set of guidelines on improving medical device cybersecurity. The FDA would also welcome comment.

In policy news, both Indonesia and Malaysia take steps to counter jihadist messaging and direct action. Safe Harbor renewal increasingly seems a forlorn hope, as U.S. efforts to accommodate European concerns over privacy find little transatlantic love.

The U.S. Department of Homeland Security's well-known Einstein cybersecurity system, more formally known as the National Cybersecurity Protection System, may not, an internal assessment finds, be returning good value on its $6 billion investment. Defense One writes that Einstein, quote, "does not scan for 94 percent of common computer vulnerabilities, but that's not all of its shortcomings," end quote. The audit also found poor performance against advanced persistent threats, coverage for only a small set of vulnerabilities, inadequate information sharing capabilities, and an inability to spot zero days until they are no longer zero.

Canadian government watchdogs find that the country's Communications Security Establishment improperly collected Canadian citizens' information. The CSE is said to be moving toward some reduction in its cooperation with the other four of the Five Eyes: Australia, New Zealand, the United Kingdom and the United States.

And finally, if you're a Facebook user, take care before interacting with one of the current memes, Be Like Bill.
Be Like Bill posts use a cutesy stick figure generated from the Blobla website to give advice about keeping your updates non-obvious and similar social media Emily Post-isms. Unfortunately, those who like the winsome stick man may find that an evil William got there first. Scammers are tricking aspiring Bills into entering their Facebook credentials and exploiting them to hijack accounts. So don't be like Bill.

I'm joined once again by Joe Carrigan. He's a senior security engineer at Johns Hopkins University Information Security Institute. They're one of our academic and research partners. Reverse engineering. I know this is something that you have a lot of background on. Let's just start with the basics. Why reverse engineer something?

All right, so I'll give you an example from my career. When I was a young software engineer, people would come to me and say, "Hey, we have this software package that does a very essential task, but now it's outdated, so we need to update it. So write us a new one and make sure it does everything this one does." So I would have to actually sit down and figure out what it was and how it worked and then write software that replaced it.

That's as simple as bringing something that's older up to date.

Correct.

But in the case of malware, walk me through the process of reverse engineering malware.

Well, it's the same kind of discipline that applies. Let's say I'm a security company, I've captured some malware from the wild, I want to know what it is and what it does. So I can put the malware into a sandbox environment and then monitor its behavior. I can also do the same thing with the malware that I did with my old software, where I can decompile it and see what it is that it does, and hopefully I can get some source code out of it, provided that the malware actually isn't encrypted with some key.

So there are cases where the malware is actually sort of trying to actively defend itself from being reverse engineered.

Absolutely.

What happens in a case like that?

In a case like that, what normally happens when they're successful at reverse engineering is somehow they get a hold of the key, they find the key, because that key has to exist somewhere for the malware to decrypt its functionality. So now it's a combination effort, so you're monitoring it in its sandbox environment to see when it accesses the encryption key so it decrypts the part of itself that it needs.

So what's the balance between the practical applications of this and something that's more pure research?

Well, practical applications are developing software that does what old software did, and it also helps in developing a signature for malware so that you can detect the malware.

Alright, Joe Carrigan from Johns Hopkins Information Security Institute, thanks for joining us.

My pleasure.

And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner, thanks for listening.