Archive.fm

CyberWire Daily

The CyberWire 1.25.16

Duration:
17m
Broadcast on:
25 Jan 2016

You're listening to the Cyberwire Network, powered by N2K. Scarlet Mimic threat actors watching Tibetan and Uyghur dissidents and their allies. ISIS, whose cyber operators have increasingly been targeted by U.S. airstrikes, posts another inspirational video threatening the U.K.
Anonymous remains quiet with respect to ISIS, but punishes Japan for whaling. Ireland sustains another wave of denial of service. Insurance markets and lawsuits shape cyber standards of care, and one risk analyst tool offers some insights. We learn some things about Internet of Things security, and if you're worried about someone hacking your nanny cam, well, for Mary Poppins' sake, password protect that thing. I'm Dave Bittner in Baltimore with your Cyberwire summary for Monday, January 25, 2016. Palo Alto Networks releases the results of a long-running study of cyber operations, mostly reconnaissance, conducted against Tibetan and Uyghur dissident groups in China. Palo Alto calls the threat group involved "Scarlet Mimic" and offers no other attribution, but other observers think the target set fits the interests of Chinese security services. The U.S. is reported to be actively targeting ISIS cyber operators with airstrikes. ISIS cyber operations, despite last week's minor defacement of a Chinese university's webpages, continue to concentrate on information ops. A particularly lurid instance of inspiration appeared over the weekend, as ISIS released a 17-minute clip of the Paris terrorists engaged in pre-attack training and local atrocities in Syria. In Pakistan, activists respond to last week's massacre at Bacha Khan University by taking control of websites belonging to Pakistan's Ministry of Health. The defaced pages expressed solidarity with bereaved families and demanded vengeance against the attackers, thought to be a faction of Pakistan's Taliban. Anonymous remains quiet on the anti-ISIS front, but elements of the collective do hit the website of Japan's Narita International Airport to protest whaling. Irish government websites have come under a sustained distributed denial of service campaign. This follows last week's similar attack on the national lottery. No individual or group has claimed responsibility; authorities are investigating.
Google disputes Perception Point's claims of widespread Android device vulnerability to privilege escalation attacks through a kernel bug. The bug is real, and Google's patched it, but Google insists only a minority of devices would have been affected. The SSH backdoor recently discovered in Fortinet's FortiGuard system has now also been discovered in the company's FortiSwitch, FortiAnalyzer, and FortiCache products. Fortinet advises moving to more recent versions, unaffected by the backdoor, and has also provided a set of manual workarounds to mitigate the vulnerability. AMX Harman, provider of widely used audiovisual equipment and building system controls, denies deliberately putting a backdoor in its products. The putative backdoor is merely a legacy diagnostic and maintenance login for customer support, according to the company, and they say they removed it back in December. They also apparently pushed out a hotfix some ten days ago. The company that disclosed the vulnerability, SEC Consult, says it hasn't had time to evaluate the patches yet. Shodan, the Internet of Things search engine, has added a category that displays screenshots taken from vulnerable webcams. For the most part, the vulnerable cameras are not protected by passwords, so the privacy fix seems obvious. Password protect your webcams, baby monitors, nanny cams, and so on. Malwarebytes describes a strain of ransomware, "LeChiffre," which has been infesting Indian banks and at least one pharmaceutical company since early this month. Belying the French name it's been given, "LeChiffre" seems to have been written in Russia. It is, Malwarebytes sniffs, unprofessional in its lack of obfuscation, openness to analysis, primitive encryption, and unsophisticated mode of communication. It asks the victims to email the controllers, so probably the work of rookies, but troublesome nonetheless. RSA 2016 has disabled what appeared to be a Twitter credential collecting registration form.
The misstep, as well as the choice of entertainment celebrities for a few of the expo's much-coveted keynotes, has provoked some pre-conference controversy. Skype has enhanced its users' privacy; it will henceforth hide their IP address. And here's a dog-bites-man story from Blue Coat. The security company releases a study that points out that "browsing porn is bad for your smartphone," and presumably other devices as well. Not surprising, of course, but a reminder is always in order. Business Insurance describes the patchwork quality of conventional insurance coverage for cyber incidents. Willis Towers Watson Wire goes them one better, laying out in some detail trends in what cyber policies cover and what they do not. Damage to digital assets is generally included. Death or physical injury typically would not be. In general, the trends would be unsurprising to those familiar with insurance markets. One big remaining area of uncertainty involves coverage for damages sustained in cloud operations. As insurance markets continue their contribution to developing cyber standards of care, so does the plaintiffs' bar. One case industry should watch closely is Affinity Gaming's suit against Trustwave, which alleges the security provider failed to meet acceptable standards in investigating and preventing further damage from an incident Affinity experienced. The outcome will have implications for both tort and contract law. Observers call it potentially disruptive to the cybersecurity industry, and they counsel, unsurprisingly, that security vendors should take a close look at their insurance coverage. Thus insurance markets and lawsuits will probably prove again to be reciprocally illuminating. Of interest in this regard is Business Insurance's announcement of its Innovation Awards, one of which goes to Pivot Point Risk Analytics for its new method of estimating and quantifying cyber value at risk.
Pivot Point Risk Analytics was spun off from our publisher, CyberPoint International, last October. The US and EU are in the final stages of safe harbor negotiations, and whether they achieve a new agreement before the legacy one expires remains in doubt. US Attorney General Lynch denies it's administration policy to require backdoors or weaken encryption. The government just wants some technical help from the tech sector to avoid the bugaboo of criminals going dark online. What such help would look like remains to be worked out.
I'm joined by Joe Carrigan, Senior Security Engineer at Johns Hopkins Information Security Institute. They're one of our academic and research partners. Joe, the Internet of Things. Let's start with the consumer stuff. So what's the downside? What's the danger of my refrigerator being connected to the Internet?

These are things that have not traditionally been internet connected, that are now becoming internet connected. About six months ago, Samsung had a refrigerator that they opened up for penetration testing, and somebody found that if you were on the network, you could perform a man-in-the-middle attack on that refrigerator that would let you get the user's Google username and login, username and password information.

So is it a matter of it just being one more thing, one more place where someone has an opportunity to get at your information?

Absolutely. This is what we refer to in security as your attack surface. And when you start putting all these other devices on your network, you start increasing your attack surface.

But speaking of the industrial systems, what is the danger here? What are we up against?

Well, actually, this is an interesting problem. We've seen three times now in industrial control systems that have caused real-world damage. First was in Iran, where we had the centrifuges fail because of the Stuxnet worm. We've also seen in a steel mill in Germany that we don't know which one because the information has not been released, but there was physical damage to a steel mill in Germany. And recently in the Ukraine, a power grid was taken down for several days remotely by attacking their industrial control systems on that power grid.

Would your advice be stay away, be cautious, how should people protect themselves?

My advice is to stay away. But I understand that there's a cool factor to it. And you should protect yourself, you should know what the device is doing, and you should stay.
Now you have to keep up to speed on any security alerts that come out about that device.

So it's one more thing in the home to worry about in terms of cybersecurity.

Correct. And I don't know how many people actually keep up to speed even on the security issues of their own operating systems on the main computers they have that they use daily.

Joe Carrigan from Johns Hopkins University Information Security Institute, thanks for joining us.

My pleasure.

And that's the Cyberwire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.