You're listening to the CyberWire Network, powered by N2K.

Ukraine girds for more Russian hacking. British crypto policy moves closer to key escrow. The Dridex banking Trojan picks up DNS cache poisoning capability. Perception Point finds a serious Linux kernel bug.
Oracle, Apple, Linux, BIND, and Yahoo issue patches. Lloyd's issues guidelines for common cyber risk data. Chinese cyber espionage is directed against the latest U.S. fighter aircraft, and the U.S. Congressional Research Service recommends lawmakers take a closer look at cybersecurity and executive agencies. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, January 20, 2016.

Wired offers a summary of everything known about the Ukrainian power grid hack. The big takeaway is that it was indeed a hack.

A researcher from University College London reports dangerous weaknesses in a voice encryption protocol Her Majesty's government is pushing on suppliers. Steven Murdoch argues that the MIKEY-SAKKE protocol would have service providers holding a master decryption key. And MIKEY-SAKKE stands for Multimedia Internet KEYing Sakai-Kasahara Key Encryption. Easy for you to say. The government doesn't call it key escrow, but Murdoch thinks that's what it amounts to. The report on MIKEY-SAKKE appears as parliamentary debate over the Investigatory Powers Bill continues. The Home Office continues to disavow any intention of weakening encryption, instead representing the key escrow approach as serving both privacy and investigative needs, subject to warrants, appropriate oversight, and so on.

There are no major policy moves reported in the U.S. and no new shots in the crypto wars between the Beltway and the Valley, but the Congressional Research Service has advised legislators to require more reporting on cybersecurity from the executive agencies.

IBM's X-Force notes an evolution in the long-familiar Dridex banking Trojan. Dridex is now using DNS cache poisoning to redirect traffic to clones of some 13 British bank sites.

Researchers at Perception Point discover and disclose a serious Linux kernel bug that could allow remote, unauthenticated users root access to affected devices. The flaw appeared in Linux version 3.8, released in 2013.
Patches are coming this week, but the notorious difficulty of pushing updates to endpoints makes it a lead-pipe cinch that the vulnerability will persist for the foreseeable future. Personal computers, servers, and Android devices are all at risk.

Phishing attempts seek to spread the Gaza Cybergang's DustySky persistent spyware to targets in Israel, Egypt, Saudi Arabia, the United Arab Emirates, and Iraq. Phishing and other social engineering approaches are implicated in other attacks, including attempts to harvest credentials from LastPass. LastPass has patched the flaw that enabled exploitation.

Other significant patches released this week include updates from Apple (for iOS, OS X El Capitan, and Safari), Oracle, Yahoo Mail, and BIND. Laggards determined to struggle along with old versions of Internet Explorer get some good news. Trend Micro says it will continue to offer protection for the more venerable versions of Microsoft IE. Yahoo paid a reported $10,000 in bug bounty for the Yahoo Mail vulnerability. Those of you interested in finding and disclosing the bugs that get patched might be interested in consulting ENISA's newly released set of best practices for disclosure.

The cybersecurity of acquisition targets gets larger in M&A due diligence. Prospective buyers of banks in particular are giving close scrutiny to security posture before buying. Actuaries and accountants are playing a larger role in such scrutiny. Lloyd's releases a set of common core data requirements for cyber risks, and more firms work toward credible, quantified ways of putting a price tag on cyber value at risk.

Students at Cornell are working on sarcasm detection, which they see as a means of improving the quality of online reviews. Like that's going to work.

In industry news, IRONSCALES and ThreatQuotient announce new rounds of venture funding, and Symantec's sale of Veritas to the Carlyle Group will, it seems, be less pricey for Carlyle.
About $1 billion less pricey, according to reports.

In cyber crime and punishment, Chinese military officers and an accomplice in Canada are accused of attempting to hack into technical information related to development of the U.S. F-35 Joint Strike Fighter. The Canadian accomplice awaits extradition to the United States. The Chinese principals? Well, they're in China.

Joining me is Jonathan Katz, Professor of Computer Science at the University of Maryland. He's also the Director of the Maryland Cybersecurity Center. They're one of our academic and research partners. Jonathan, I want to talk about authentication today. Let's start off giving a definition: what is authentication? At the most basic level, we've got passwords and then we've got multi-factor authentication. So as authentication gets more sophisticated, what are the ways we can protect ourselves?

Yeah, passwords are here and they seem here to stay, even with all their problems. That's why people are now recommending that users use two-factor authentication to make the authentication process more secure. At the most basic level, this might involve using a password in conjunction with some information on your mobile phone, for example.
Google, as an example, offers two-factor authentication where they'll use some information, a code that comes up on your phone in addition to your password, before they'll allow you in. And this can make users a lot more secure because it's a lot harder then for an attacker to both guess the user's password and also figure out the code from their cell phone.

Do you ever see us coming to a time when we're not going to be using passwords anymore? Is there anything on the horizon that could replace them?

Well, I think passwords are going to be here for a while, but I do think that people are working on newer forms of this two-factor authentication, all relying for now on mobile phones because of the fact that people are carrying them around with them all the time. So you can have a code popping up on your phone, you can have a text message being sent to your phone, you can rely on geographic information about where the user is, you can rely potentially on an IP address of a person's computer. But I do think that those are all still going to be used in conjunction with a password for the foreseeable future.

And what kind of advice would you give to people who are looking to shore up their security when it comes to authentication?

Well, really, there are two things. I mean, the first is to demand two-factor authentication and to use two-factor authentication when it's available. I mentioned earlier that Google allows users to use two-factor authentication and I would recommend that. Some banks now are also offering two-factor authentication, although not all of them. On the other side, when you have a site that does not offer two-factor authentication, you should take some steps to make sure that your password is not easily guessable.
Even if that means actually coming up with a complicated password and then writing it down on a piece of paper that you keep in your wallet, these days that can actually be more secure than using a weak password that you can remember, but that hackers can easily guess.

All right, Jonathan Katz, thanks for joining us.

And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.