[MUSIC] You're listening to the Cyberwire Network, powered by N2K. [MUSIC]
[MUSIC] South Asian Islamists announce an anti-Indian cyber attack cell, ISIS's aspirational cyber offensive capabilities, Flash gets patched, new payment fraud patterns are emerging, and Chinese and US cyber laws are reviewed. [MUSIC] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, December 29th, 2015. ISIS/Daesh adherents appear to be attempting collaboration toward cyber attack capabilities. Consensus among observers of the group's dark web chatter is that Daesh hasn't progressed beyond low-grade script-kiddie levels and that any serious offensive capability remains aspirational. Still, their efforts will bear watching. Persistence pays off. Elsewhere, Jamaat-ud-Dawa, nominal charitable and political arm of the South Asian Islamist group Lashkar-e-Taiba, barked an announcement that a 24/7 cyber operations cell has been established to hold Indian targets under threat. Indian businesses consider how they and their government should respond. Turkey continues recovery from the recent denial-of-service campaign it sustained. The government talks up its tighter security measures and reaffirms its commitment to building up a cyber security workforce. Observers foresee the usual labor market pinch. Adobe patches Flash Player in response to Huawei's discovery of a zero-day vulnerability. Analysts regard the out-of-band patch as worth immediate attention. Huawei says the flaw they discovered is being exploited in the wild. Researcher Chris Vickery has found data for 191 million registered US voters, essentially all of them, exposed online. Vickery blames an incorrectly configured database. No one really knows who's responsible, but early speculation points toward an unidentified customer of political campaign service provider NationBuilder. A presentation at the Chaos Computer Club says flaws in the payment communication protocols Poseidon and ZVT could compromise PINs and otherwise enable banking and payment fraud. 
Widespread US adoption of chip-and-PIN payment cards in 2016 is expected to shift cyber criminals toward card-not-present fraud, with the sharing economy most heavily affected. Forbes reviews the hottest cybersecurity startups of 2015. New Chinese anti-terrorist legislation is characterized as requiring firms to decrypt on demand. It's unclear how different this will prove to be from requiring back doors. The Washington Post looks at recent US cyber legislation and thinks those who see it as a privacy disaster are making too much of a relatively modest attempt to foster information sharing. 
Joining me is Andre Protas, technical director of the security research team at CyberPoint International. 
>> Andre, I wanted to ask you about backdoors. Backdoors have been in the news with what's been going on with Juniper Networks. What is a backdoor? 
>> A backdoor is code intentionally left to regain access later by an adversary. For the Juniper case, there are two backdoors that are being discussed. One is a cryptographic backdoor, an implemented weak encryption mechanism that may allow somebody to decrypt traffic. The other one, which we'll focus on, is the actual code backdoor, allowing somebody without access to know of a root password and regain access later. 
>> Again, just from a basic point of view, why would a backdoor like this be put in, in a case like what Juniper is dealing with? 
>> Juniper is one of the largest, I guess, ISP-grade router and switch suppliers in the world. It'd be really nice for an adversary to have some sort of access to all those devices. They would want access. It's really easy to gain access to a network if you have access to the router. As opposed to having to send phishing attacks or to send malicious documents to users, all you have to do is just log into the router, set yourself up a VPN account, and you can just walk in and do whatever you need to do. 
>> Who would we be looking at for being responsible for installing the backdoor in a case like this? 
>> There's a lot of speculation about who would have done it. I think there's been a lot of finger-pointing at the NSA and at GCHQ, perhaps, but I think recent data has shown that it's likely not the NSA or GCHQ, because they're focused on doing more defensive work and they would likely not backdoor software of US origin. 
It's kind of hard to tell who might be behind it, but based on the fact that it showed an adversary was putting in not only a backdoor for a password but also some strong cryptographic backdoor code as well, it shows that the attacker wasn't just somebody that knew how to code C but also had a strong cryptanalysis background or department, so it'd probably be a larger organization rather than just a rogue developer. 
>> Now, are there tools for rooting out backdoors, or ways that you can go through your system and try to root them out? 
>> There are, but it requires a lot of manual effort. There's actually a project, or a competition, called Underhanded C, which I've participated in in the past and is pretty interesting. The idea is that you write normal C code that has some sort of backdoor or some sort of nefarious action that can be triggered by an outside attacker. This competition is about trying to hide it, so whoever is able to make the most effective backdoor but make it the most difficult to identify is effectively the winner. The reason that this project, or this backdoor, in Juniper didn't seem to get identified is because it looked like normal code. It looked like a debug string, and it would have taken a very smart eye to be able to identify this. And this happened, I believe, in 2012, so this has been sitting around for a long time. It required somebody to identify it at that change, so that code check-in must have been identified, and I'm guessing that nobody was going to go back in time to review every code check-in as part of due diligence. So once it's checked in, once it's approved, once it passes quality assurance, then it's just pretty much in the code base forever until somebody comes across it again. 
>> So in a case like this, how is this backdoor discovered? All of a sudden, was the vulnerability exposed? How did they know they had a problem? 
>> Yeah, so there's actually a lot of speculation about that right now. The thought is that nobody was just going to come across this backdoor unless there was a reason to see it. So there is either the chance that it was identified in the wild: some attacker may have been using this backdoor to gain access to a system over time, and somebody was able to identify what password they used, identify that, yep, that is actually a backdoor password, alert Juniper, and then push out the patch. Or it might have come along during a security audit, either within Juniper or with an outside party. I know there's a lot of collaboration with critical infrastructure software like this. It's going to get a lot of eyes on it to be able to analyze. So it's hard to say how it was identified, but my guess would probably be that a real live attack was identified and analyzed, and they were able to identify that, yes, there is a backdoor installed, and that led them to identify the second backdoor as well. 
>> All right, interesting stuff. Andre Protas, technical director of the security research team at CyberPoint International. Thanks once again for joining us. 
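Editor's note: the pattern Protas describes, a credential that "looked like a debug string" and so passed code review, is easier to see in code. The following is an added illustration, not Juniper's code and not anything from the episode: the password, the format string, and the function names are all made up for this example. The trick it shows is a constant that genuinely is used as a log format string in one place, so it reads as harmless, while the same bytes are also accepted as a second password in the authentication path.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative example only. This is not Juniper's code; the password
 * and the "debug" string below are invented for this demonstration.
 */

/* Hypothetical configured administrator password. */
#define ADMIN_PASSWORD "correct-horse-battery-staple"

/* Looks like, and is, a printf-style log format (see log_attempt()).
 * That legitimate use is what makes it pass review. */
#define AUTH_DEBUG_FMT "<<< auth(%s) = %d"

/* Legitimate use of the constant: it really is a format string. */
static void log_attempt(const char *user, int ok)
{
    char line[128];
    snprintf(line, sizeof line, AUTH_DEBUG_FMT, user, ok);
    fprintf(stderr, "%s\n", line);
}

/* Backdoored check: the configured password works, but so does the
 * literal text of the "debug" format string, because the same constant
 * is reused as a second credential. Returns 1 on success, 0 on failure. */
int check_password_backdoored(const char *user, const char *pw)
{
    int ok = strcmp(pw, ADMIN_PASSWORD) == 0;
    if (!ok && strcmp(pw, AUTH_DEBUG_FMT) == 0)   /* the backdoor */
        ok = 1;
    log_attempt(user, ok);
    return ok;
}

/* Fixed check: only the configured password is ever compared. */
int check_password_fixed(const char *user, const char *pw)
{
    int ok = strcmp(pw, ADMIN_PASSWORD) == 0;
    log_attempt(user, ok);
    return ok;
}

/* Stand-alone demo: probe both versions with the real password, the
 * "debug" string, and a wrong password. */
int main(void)
{
    const char *probe[] = { ADMIN_PASSWORD, AUTH_DEBUG_FMT, "wrong" };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++) {
        printf("backdoored: %-32s -> %d\n", probe[i],
               check_password_backdoored("admin", probe[i]));
        printf("fixed:      %-32s -> %d\n", probe[i],
               check_password_fixed("admin", probe[i]));
    }
    return 0;
}
```

The review check this suggests is mechanical: in any authentication path, list every string constant that is an operand of strcmp, strncmp or memcmp, and flag any of them that also appears as a format or log string elsewhere in the file, or that contains '%' conversions at all. A password comparison against a constant that doubles as a format string has no legitimate reason to exist.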
And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner, thanks for listening. [MUSIC]