In today's Daily Podcast we follow up on the Panama Papers' fallout. Leaker "John Doe" remains unidentified, and the scandal is roiling politics in Ukraine. Some observers think the Russian Financial Monitoring Service is behind the leaks. Dridex evolves into new lines of cyber crime. Juniper patches a suspect random number generator. GCHQ is said to have helped publishers stop the new Harry Potter book from leaking. And CyberWire editor John Petrik shares in interesting price list courtesy of Dell SecureWorks.
Dave Bittner: [00:00:02:24] The Panama Papers have helped bring down the government in Ukraine. Some observers see wheels within wheels, and Russian Intelligence services behind the Mossack Fonseca hack.
Dave Bittner: [00:00:12:09] The Dridex banking Trojan's infrastructure is now being turned toward paycard theft, and ransomware distribution.
Dave Bittner: [00:00:18:19] Flash Player users get a brief respite from zero-day exploitation.
Dave Bittner: [00:00:22:11] And we can now reveal the real location of the Ministry of Magic. It's been narrowed down to Cheltenham or Harrogate, and you muggles thought it was Durham.
Dave Bittner: [00:00:33:20] This CyberWire podcast is brought to you by SINET ITSEF, the IT Security Entrepreneurs Form, meeting in Mountain View, California, April 19th-20th, 2016. Bridging the gap between Silicon Valley and the Beltway, by bringing together the innovators, entrepreneurs, investors and policymakers who are shaping the next generation of security solutions. Learn more at security-innovation.org.
Dave Bittner: [00:01:03:10] I'm Dave Bittner in Baltimore, with your CyberWire summary for Monday, April 11th, 2016.
Dave Bittner: [00:01:09:12] The Panama Papers seem to have claimed another government in Europe, as Ukraine's Prime Minister resigned Sunday. The Prime Minister seems not to have been named in the leaked documents, but other names, including that of Ukraine's President Poroshenko, have appeared. UK Prime Minister Cameron is also addressing claims that he used offshore accounts.
Dave Bittner: [00:01:29:10] Investigations proceed. Reuters reports that authorities in El Salvador raided the offices of Mossack Fonseca, the law firm at the center of the incident, on Friday, seizing records and computers but detaining no one.
Dave Bittner: [00:01:42:20] How the leak was accomplished remains obscure, and Mossack Fonseca has denied it was an insider or whistleblower leak. Indeed, they've consistently denied any wrongdoing.
Dave Bittner: [00:01:52:19] All those who feel some nostalgia for the Cold War, will appreciate some Panama Papers speculation that surfaced Friday in Newsweek. An opinion piece suggests that Russian intelligence services may be behind the leak, given the relatively light treatment the leaks give to Russian figures. The world press has tended to fixate on the "Putin associates" mentioned in the leaks, but President Putin himself has gone largely unmentioned, and his associates represent only a fraction of those whose names appear in the papers. This suggests that Moscow's public stance of airy dismissal is probably workable, in the long run. But the damage done to some governments in the West and the Near Abroad, however, has been considerable.
Dave Bittner: [00:02:32:07] It's also curious that there have yet to be any significant or interesting leaks of American names. While this big gap could be explained by Panama's relatively low utility as an offshore haven for US tax avoidance, there is, on the other hand, the Süddeutsche Zeitung's curiously evasive you-ain't-seen-nothing-yet response to questions about American involvement. So a Newsweek opinion piece runs, suggesting the possibility that a Russian intelligence service was behind the leaks. The agency specifically called out in the Newsweek piece is the Russian Financial Monitoring Service, which answers directly to Russia's president. The aim, the article suggests, is essentially blackmail, presumably blackmail of the American public figures not mentioned. So, it seems, Moscow may be hoping that people fear being bitten by the dog that didn't bark.
Dave Bittner: [00:03:21:00] Anonymous dislikes the gig economy, at least in Italy. The hacktivist collective and its colleagues in LulzSec ITA, leaked personal information of CEOs and other managers as "hot" Italian companies, to protest Italy's new labor laws. They've also defaced at least one employment agency and claimed to have also targeted 45 others. The grievances are the familiar gig economy objections: poorer protection of workers, exploitive labor practices, diversion of wealth to corporations.
Dave Bittner: [00:03:50:15] Hack Read has looked through the leaked information and concluded that it looks new, that is not recycled from earlier data breaches, and legitimate.
Dave Bittner: [00:03:58:09] Researchers at buguroo and elsewhere - notably Trend Micro and Symantec, have been tracking the Dridex banking Trojan infrastructure. They believe they've discerned at least two axes of evolution. Dridex has, first, moved into paycard credential theft, and second, has been adapted to a ransomware distribution method. Locky is the strain of ransomware most often mentioned in connection with Dridex.
Dave Bittner: [00:04:21:20] Adobe patched Flash Player Thursday, but those whose patching may be lagging seem to have received a temporary respite. Malwarebytes reports that the criminals who attempted to exploit the now-patched zero-day in the wild seem to have botched the vulnerability's incorporation into the Magnitude exploit kit. That fumbling won't continue forever, of course, and there are other avenues of exploitation besides Magnitude. So all Flash Player users are still advised to patch their systems.
Dave Bittner: [00:04:48:14] In other patch news, Juniper late last week, completed its update to ScreenOS, overhauling the way the system handles encryption, removing the suspect Dual_EC random number generator. The company hopes this removes lingering suspicion that its products had a backdoor that could be exploited by government intelligence services.
Dave Bittner: [00:05:08:02] A discussion draft of a US Senate bill that would require vendors to decrypt their products leaked late last week. The draft bill, with bipartisan sponsorship by Senators Burr, a Republican from North Carolina, and Feinstein, Democrat from California says, "All providers of communications services and products, including software, should protect the privacy of United States persons through implementation of appropriate data security, and still respect the rule of law and comply with all legal requirements and court orders."
Dave Bittner: [00:05:38:03] At the center of its provisions is this note: "To uphold both the rule of law and protect the interests and security of the United States, all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive, intelligible information or data, or appropriate technical assistance to obtain such information."
Dave Bittner: [00:06:01:00] Few observers like what they see, although, oddly enough, the draft doesn't specify either criminal or civil penalties for violations. In any case, it's a draft.
Dave Bittner: [00:06:11:23] Now that it's withdrawn its demand for help unlocking another iPhone, used by one of the San Bernardino jihadis, the US Justice Department still wants Apple's help unlocking another iPhone. This one is involved in a conventional New York drug trafficking case that's been pending since before the San Bernardino massacre. In this case, the demand for assistance is more straightforward. Apple has long acknowledged it can access the particular phone in question without difficulty.
Dave Bittner: [00:06:37:02] Finally, did you know there's a new Harry Potter book coming out? There is, and it hasn't been leaked yet. And why hasn't it leaked? The publishers say it's been protected by GCHQ, which is Britain's Government Communications Headquarters. And you probably thought GCHQ was just this bunch of muggles, when it turns out they're in the Ministry of Magic itself. Arthur Weasley, call your office.
Dave Bittner: [00:07:05:11] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning co-working space, incubator and campus for technology and entrepreneurship, located in the Federal Hill neighborhood of Downtown Baltimore. Learn more at betamore.com.
Dave Bittner: [00:07:30:24] Joining me is John Petrik, editor of the CyberWire. John, there's a recent report from Dell Secureworks outlining some pricing. But it's not the kind of pricing you would expect to see from Dell is it?
John Petrik: [00:07:42:06] No, it's not. But before I answer any more of your questions, I need to know. Do you want to know this for yourself, or are you asking for a friend?
Dave Bittner: [00:07:49:01] I'm absolutely asking for a friend.
John Petrik: [00:07:50:24] Okay good, that's fine. This is Dell Secureworks look into what the current black market pricing is for various cyber ill-gotten goods. Whether they be credentials, whether they be hacks for hire or things like that.
Dave Bittner: [00:08:05:05] And what did they find?
John Petrik: [00:08:06:15] They're finding, unsurprisingly, several things. One is that the black market is actually functioning like market. And the other thing they're finding is that these kinds of exploits and stolen goods, are increasingly becoming commodified. They're the kinds of things that any number of people could afford to buy, if that's what they're in the market for.
Dave Bittner: [00:08:25:09] So give me some examples of things that I can buy, and what do they cost?
John Petrik: [00:08:28:12] Suppose you want to steal somebody's America Express card. That's $30 a time. You want to hire someone to conduct distributed denial of service, you can contract for that for as low as $5 an hour, and a remote access Trojan goes at the same rate. The angler exploit kit, you can get an angler license, not a fishing license, but an angler license for $100. You can find other sorts of things that haven't hitherto been offered much.
John Petrik: [00:08:54:03] You can find an ATM skimming device for $400 or less, for example. You want to hack a corporate email account? $500 a mailbox. That's about four times what it costs to hack into a Gmail or Hotmail account.
Dave Bittner: [00:09:07:12] So give me some perspective here. I mean, how do these prices compare to what these things went for historically?
John Petrik: [00:09:14:04] It's not all that clear because the market is a new one, so it's not clear that we have some strong comparison.
Dave Bittner: [00:09:21:16] I see.
John Petrik: [00:09:22:06] But what we can learn from this, is that this is definitely a market. There's a market for this stuff, there's a suke out there where people are trading these things in a kind of illegal bizarre.
Dave Bittner: [00:09:30:24] All right, John Petrik, thank you for joining us.
Dave Bittner: [00:09:35:13] And that's the CyberWire. For links to all of today's stories, visit thecyberwire.com, and while you're there, subscribe to our popular daily news brief. Our editor is John Petrik, I'm Dave Bittner. Thank you for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
The Johns Hopkins University Information Security Institute provides the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the fields of information security and information assurance.