In today's podcast we hear about the ways in which some old breaches are resurfacing to trouble major social media platforms. Those old breaches are also looking far larger than initially suspected. We learn about "sandjacking" and "bug poaching" as new additions to the lexicon of cyber crime. Analysts continue to think threats will drive cyber industry growth, and venture capital interest seems high, but more selective. Dr. Vikram Sharma from Quintessence explains One Time Pads, and Threat Quotient's Ryan Trost shares the pros and cons of attribution.
Dave Bittner: [00:00:03:18] Tough times for social media as old hacked credentials turn up for sale on the black market. Pawn Storm is back serving Russian interests in Finnish networks. North Korea may be implicated in a series of ambitious bank raids in Bangladesh and elsewhere. Iran and Saudi Arabia appear to be swapping hacks, but whether criminal hacktivist or state-directed remains unclear. Danti espionage campaign remains under investigation. In industry news, VCs seem interested but selective in the cyber sector.
Dave Bittner: [00:00:35:13] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced, persistent threats and malware. Learn more at cylance.com.
Dave Bittner: [00:00:56:14] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday May 31st, 2016.
Dave Bittner: [00:01:03:05] The past two weeks have been difficult ones for social media. LinkedIn realized that its 2012 breach was orders of magnitude worse than initially believed. The network began warning customers on May 18th of this year that their passwords may have been compromised, since then, stolen credentials for other social media have turned up for sale in criminal markets. LeakedSource, which maintains a searchable database of compromised credentials, announced Friday that it had added more than 427 million items to its listings, most of them apparently stolen from MySpace. Criminals are selling some 360 million MySpace credentials on the black market for the low, low price of six Bitcoin, which is about $3,250 US. The data was lost a few years ago and is now appearing on the black market in what some think may be the largest compromise of its kind on record.
Dave Bittner: [00:01:54:20] Reddit, not specifically mentioning the LinkedIn compromise but alluding to an uptick in account takeovers, is also requiring its users to reset their passwords.
Dave Bittner: [00:02:04:21] Tumblr is also suffering from the aftermath of an old breach, 65 million email addresses and hashed and salted passwords are up for sale by "Peace of Mind," also known as Peace, the same hacker or hackers who are selling LinkedIn credentials. Like the LinkedIn and MySpace breaches, the Tumblr compromise is an old one, dating to February 2013. Why data from three old breaches are surfacing now remains a matter of conjecture.
Dave Bittner: [00:02:31:11] Symantec offers more evidence of North Korean involvement in Asian bank fraud attempts. Malware used to facilitate theft from the Bangladesh Bank and elsewhere is sufficiently similar to that used by the Lazarus Group to induce Symantec to finger Pyongyang. Whether or not the DPRK was involved, investigators in Bangladesh have shifted their view of the incident in at least one respect, they now think the theft was facilitated by an insider.
Dave Bittner: [00:02:58:09] Pawn Storm, also known as Sofacy, is back in action against targets in Finland. The Russian espionage group is said to have hit media group Sanoma and at least one Finnish member of Bellingcat, a citizen journalist group watching war news in Ukraine, Syria and elsewhere.
Dave Bittner: [00:03:16:04] Cyber tensions rise around the Arabian Gulf, Palo Alto networks is following an espionage campaign it's calling OilRig that's deploying the Helminth backdoor against targets in Saudi Arabia's banking and defense sectors. It's unclear whether OilRig is criminal or state-directed, or both, but Helminth's command-and-control infrastructure contains clues pointing towards Iran. For its part, Iranian authorities say they've traced an unspecified cyber attack on the Statistics Center of Iran to Saudi IP addresses. They also said that there's been no organized attack by Iran against Saudi targets but that some Iranians might have hacked the Saudi's for "emotional," presumably patriotic reasons.
Dave Bittner: [00:03:58:10] Kaspersky continues to track the Danti cyber espionage group as it works its way through Indian targets. Danti spreads by spearphishing. Kaspersky believes it sees some commonalities between the spread of this relatively new Trojan and the NetTraveler and DragonOK groups. Chinese-speaking hackers are thought to be running NetTraveler and DragonOK.
Dave Bittner: [00:04:20:01] We often speak of attribution when we talk about specific malware exploits, attacks or campaigns, attribution is assigning credit or blame to a particular group, individual or even nation-state. Attribution can be tricky and not everyone agrees it's valuable. Ryan Trost is CTO at ThreatQuotient and suggests Attribution can be a valuable tool.
Ryan Trost: [00:04:41:14] Defenders start to learn the moves of the adversary, what they're experts in, what their weaknesses are, and that, ultimately, allows them to build a profile or a play book. So that, as events and incidents are being triaged, they have a faster place to go to look, to really kind of expedite the process completely. Once you start to see an alert and maybe that indicator is associated to a specific adversary group, a security analyst can ultimately look at the profile of that adversary and just have a little bit better of an idea of historically what have they targeted, who have they targeted from an endpoint standpoint, is it a specific person, is it a specific database server, and that will allow them to kind of ultimately just make better decisions with their incident response procedures. It just allows them to react significantly faster.
Dave Bittner: [00:05:38:08] Ryan Trost is sympathetic to those who doubt the value of Attribution, but he warns that they shouldn't dismiss it out of hand.
Ryan Trost: [00:05:45:07] There's so much subjectiveness in Attribution, there's so much shared malware and shared infrastructure out there that a lot of people think it's too diluted, you can't really get at true sense of attribution, because nobody can agree on Attribution, even at the highest levels they can't really agree on Attribution too easily. So, that's one side of the fence, and they do have a valid point. The other side of the fence is, well, even if it's murky water it's still hugely beneficial, because the more you know about the adversary the better you can defend yourself. Even if you're not in the business of prosecuting that criminal activity, as defenders you still want to start to really organize and structure it so that your IRTs and your instant response efforts can be streamlined based on the intelligence that you've built that profile off of, just the historical knowledge that your team really holds.
Dave Bittner: [00:06:43:12] That's Ryan Trost, he's the CTO and co-founder at ThreatQuotient.
Dave Bittner: [00:06:48:04] IBM warns of a new trend in extortion, or, at least, quasi-extortion. They're calling it "bug poaching," and it may be understood as an attempt to force a bug bounty. Hackers intrude into a network, contact the enterprise with evidence that they've done so, and offer to explain the vulnerability they exploited in exchange for payment. The asks are said to be running at about $30,000.
Dave Bittner: [00:07:10:11] IBM is also reporting an increase in observed cases of "sandjacking," in which attackers show an ability to escape IOS sandboxing.
Dave Bittner: [00:07:19:13] In industry news, financial analysts continue to see growing cyber threats driving further growth in the security sector, whatever bearish cloud's recent results seem to have to cast. A recent influx of venture capital is also taken as a positive sign, although, as eWeek sees it, VCs appear to have grown more selective in looking for high pay-off technologies. These include, "email authenticity, password security, privacy, automation and segmentation."
Dave Bittner: [00:07:46:24] Cyber security stocks have experienced a general increase in short interest after last week's results-driven volatility, but there's one interesting exception. Palo Alto, which saw its share price drop after reporting a loss, has also seen a decline in short interest.
Dave Bittner: [00:08:03:01] And, finally, lest rogue states feel left out from recent social media turmoil, there are reports that a teenager from Scotland hacked North Korea's Facebook clone, Starcon.net.kp, shortly after the world became aware, on Friday, that the DPRK had launched its own version of Facebook. How did the young man get in? He used 'admin' and 'password' as his credential and, well, there you go, Bob's your uncle.
Dave Bittner: [00:08:35:06] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at digitalharbor.org.
Dave Bittner: [00:08:56:07] And joining me, one again, is Dr. Vikram Sharma, he's from QuintessenceLabs. Dr. Sharma, we had talked previously about quantum technology and you touched on something called a "one time pad," could you tell us a little bit more about that?
Dr. Vikram Sharma: [00:09:08:06] Absolutely, Dave. As we touched on, the quantum key distribution allows you an absolutely secure method of transporting keys between two locations. What this opens up the opportunity for is something called the "one time pad". This was a cypher that was actually invented 90 odd years ago in the '20's by a couple of folks in the US Army Signal Corps. It relies on the idea that, if you have a completely random set of keys, and you use them only once, the length of the key is as big as the data, you apply this operation called an XOR between the data and the key, the output of that cypher operation is indistinguishable from white noise, thereby you have no patterns whatsoever that can be leveraged to crack that code, therefore making it even unbreakable by a so-called quantum computer when they do come into practical existence.
Dave Bittner: [00:10:12:10] Is this something that is on the horizon? Is this something that we're going to see being put into use anytime soon?
Dave Bittner: [00:10:19:13] Well, the cypher is already being used in certain circles, however, the issue is, how do you transport that one time key material securely between two locations? Typically that's being done manually to date. What the quantum key distribution allows you is an optical means of transporting that key material securely between the two locations.
Dave Bittner: [00:10:45:23] Alright, fascinating stuff. Once again, Dr. Vikram Sharma, thanks for joining us.
Dave Bittner: [00:10:53:05] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. And if you're interested in reaching a global audience of security influencers and decision-makers, well, you've come to the right shop. You influencers know who you are, even if the suits from down the hall are worried that on last Friday's show I pronounced it infooencers. I mean, come on, that's just leetspeak for influencers. Anyway, that's what the editor told me to tell the suits when I meet with them later today. He said I could easily consuade them with an explanation like that. So, infooencers, visit thecyberwire.com/sponsors to learn more.
Dave Bittner: [00:11:35:09] The CyberWire podcast is produced by Pratt Street Media, our editor is John Petrik and I am Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Our technology is deployed on over 4 million endpoints and protects hundreds of enterprise clients worldwide including Fortune 100 organizations and government institutions.