CyberWire Daily

The CyberWire 1.26.16

Duration:
16m
Broadcast on:
26 Jan 2016

ISIS crypto claims are exposed as bogus. Patches are out from Magento, Oracle, FreeBSD, and Apple. Corporate cyber risk disclosures remain vague, but the insurance market is rapidly growing more rigorous than SEC regulations.
Venture capital looks for the next generation of cyber unicorns, more international cooperation in cyber law enforcement, but U.S.-EU Safe Harbor negotiations continue to drag despite U.S. offers of a privacy ombudsman. And don't click on CrashMySafari. And no, sending that link is not funny. Thank you very much.

I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, January 26, 2016.

The video ISIS released over the weekend appears to contain some fakery, not, alas, the murders, but rather the claimed encryption. The encrypted email is patently bogus, faked according to informed observers. Why it was even included is the subject of some speculation. Perhaps it represents an attempt at building internal morale, or perhaps it's intended to frighten the opposition. Or, more interestingly, some speculate ISIS's claim to have strong encryption is aimed at rushing governments into policies that would subvert or otherwise restrict encryption. Presumably, this would give pro-ISIS activists more access to their targets, and would also serve to, as old-line Trotskyites might put it, "heighten the contradictions." But beware, one of those informed speculators is Edward Snowden, who's not entirely a disinterested party with respect to encryption policy.

In what appears to be a dim-witted Internet gag, various trolls are circulating a link to CrashMySafari.com, which unsurprisingly does something close to what it advertises. The site will induce the browser to process an indefinitely increasing string of characters, thereby clogging memory and forcing devices to reboot. OS X, iOS, and Android devices are said to have been affected. One note, beware of shortened URLs and tweets sent by what HackRead characterizes as "some idiots." The shorter URLs may be less immediately recognizable as leading to the gag site, so click with care.
The FortiOS SSH vulnerability, either a back door, as critics call it, or an oversight in a management authentication issue, as Fortinet maintains, has been found and fixed in additional Fortinet products. Active exploitation attempts are now being observed in the wild.

Versions one and two of the popular e-commerce platform Magento have been found vulnerable to cross-site scripting. A patch is available, and analysts recommend it be applied as soon as possible. In other patch news, Oracle issues some Java patches. "Patch it or pitch it," advises Brian Krebs. FreeBSD fixes a kernel panic vulnerability that can lead to denial-of-service conditions, and Apple pushes out a security update that addresses multiple vulnerabilities in tvOS. OpenSSL is expected to issue two patches later this week.

Risk management keeps its place center stage in industry news. A study of corporate risk disclosures in U.S. Securities and Exchange Commission filings finds such disclosures, including those pertaining to cyber risk, generally generic and uninformative, especially insofar as they fail to identify company-specific risks. The insurance market, however, continues to move toward more rigorous characterization of cyber risk. Some of that movement comes from the UK, where companies partnering with Cambridge University's Center for Risk Studies have evolved a cyber risk exposure data schema. In the U.S., a variety of approaches to cyber risk analysis are on offer, ranging from traditional consulting interviews to various scans of the external environment.

Venture capital continues to flow unabated into cybersecurity startups. "Next generation" appears to be the magic words being spoken to conjure unicorns. Proofpoint, subject to speculation that it will be an acquisition target, says that it doesn't intend to put itself on the block anytime soon.

In policy news, more international security and intelligence cooperation is in the offing.
Australia and Thailand are working on an agreement, and the European Union is opening a new counter-terrorism center. Law enforcement officials see such collaboration as particularly important to the investigation and prosecution of inherently borderless cybercrime. Negotiations over a successor Safe Harbor agreement between the U.S. and the EU proceed. The U.S. is said to have floated the idea of establishing a privacy ombudsman to address concerns EU citizens might have over U.S. government access to their data. Elsewhere in the U.S., as responsibility for security clearance information is set to shift from OPM to the Department of Defense, U.S. Cyber Command warns that the country faces technological peer competitors in cyberspace.

The baffling case we saw last week of the couple in Atlanta bedeviled by people whom Find My iPhone kept sending to their address looks closer to solution. Flaws in cell tower triangulation might be leading tracking software to pick a single default location, and it may be that this location just happens to be that couple's home. They file the complaint with the Federal Communications Commission and the Senator. We wish them good luck.

And in some final crime and punishment news, one Lord Bastian, allegedly associated with the Crackas With Attitude, doxes the Miami Police Department via what he or she claims is the compromise of an FBI database. The declared motive is revenge over a raid on a Miami house that Lord Bastian and some of his or her friends rented sometime last year. Observers wonder why it's taking law enforcement so long to round up the Lord and his colleagues. Some news reports casually refer to the Crackas With Attitude as a defunct group, which raises the question of how so casually assembled a group could be said to go out of existence. Logicians may recognize this as an instance of the Sorites Paradox, attributed to Eubulides of Miletus. We'll leave this as an exercise for you, dear listener.
Joining me is Jonathan Katz. He's a professor of computer science and the director of the Maryland Cybersecurity Center, one of our academic and research partners. Jonathan, I want to talk about back doors, specifically the tension that exists between law enforcement who likes back doors and industry who seems to be resistant to them.

Yeah, that's right. And I'm actually receptive to the idea that we want to provide law enforcement or government agencies with the ability to access communications of criminals or terrorists or people that they're investigating for one reason or another. But I think the fundamental problem is that anytime you allow the presence of these back doors, you're inherently weakening the security of the system. It's all very well and good to say that this back door, this key, for example, will be protected and will only be given to government agencies upon the presentation of a warrant or some other legal mechanism.
But nevertheless, you have to then worry about protecting that key. You have to then worry about which people, which employees of the organizations involved have access to that key. You don't have to worry about hackers potentially breaking in and getting information about those back doors. And so, inherently, you're undermining the overall security of the system.

What's your sense for where this is going?

Well, it's really unclear. I mean, the talk right now among the politicians seems to be that they're all in favor of the idea of having some kind of a backdoor of the sort. But I don't think that they all fully understand the technological implications of that or the technological difficulties that will be involved in making such a system. So, I think it's very easy for them right now to say that, sure, in an ideal world, we'd like a backdoor that only law enforcement can access. But if they sat down and hopefully, at some point, they will sit down and meet with technical people and try to understand the issues involved, they may come to the realization that that's simply not feasible.

All right, Jonathan Katz, thanks for joining us.

And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.