In today’s podcast we review some of the cyber implications and sequelae of the apparent failed coup d’état in Turkey. Signs in the Shumukh al Islam leaks suggest ISIS is making inroads among China’s Uighur minority. A Brazilian jihadist group pledges allegiance to ISIS online, adding to Brazil’s cybersecurity (and more importantly, physical security) concerns for the Rio Olympics. enSilo reports widespread code-hooking issues in security software. A look at ransomware, and an actual sockpuppet surfaces in Canada. Morphisec's Ronen Yehoshua describes a technique they call moving target defense, and Markus Raushecker shares his take on the sentencing of a swatter who targeted Brian Krebs.
Dave Bittner: [00:00:03:20] Turkey’s coup d’état and its online aftermath. ISIS doxing reveals interest in Uighur adherents. Brazil can add jihad to its Olympic worries. Taiwan’s jackpotters come up lemons. Code-hooking vulnerabilities affect major security products. SoakSoak serves up CryptXXX, F-Secure catphishes ransomware help desks and learns that, yeah, they really are serious about customer service. Serial swatter, Mir Islam, got a year in prison - is that enough? And an actual sockpuppet represents Phineas Phisher.
Dave Bittner: [00:00:39:12] Time to take a moment and tell you about our sponsor, Netsparker. Are your security teams dealing with hundreds of vulnerability scan results? Netsparker not only automates scanning, but it verifies the exploits it finds too. Reduce alert fatigue and improve security with Netsparker. Not only will your protection improve, but your costs will drop and that's a good deal in anybody's book. Netsparker's automated approach to web application scanning let's your security team concentrate on the things best left to the human beings. Find out more about Netsparker Desktop and Netsparker Cloud. Whether you're pen testing or securing your enterprise online, you'll find what you need at netsparker.com. You can try it out for free with no strings attached. Go to netsparker.com/cyberwire for a 30 day fully functional version of Netsparker Desktop. And by fully functional, Netsparker means, yes, really fully functional. Scan those websites with no obligation. Check it out at netsparker.com/cyberwire. And we thank Netsparker for sponsoring the CyberWire.
Dave Bittner: [00:01:43:04] I'm Dave Bittner, in Baltimore, with your CyberWire summary for Wednesday, July 20th, 2016.
Dave Bittner: [00:01:49:12] The aftermath of the apparent coup d’état in Turkey continues to be marked by purges and restrictions on various media. Wikileaks says it sustained a denial-of-service attack over the weekend after announcing plans to release a tranche of Turkish government documents. The leak-service has now recovered from the DDoS episode. Wikileaks itself, and many observers, think the incident was the work of the Erdoğan government, although in fairness the internet will slow under heavy traffic, and Twitter says it suffered some sluggishness of its own early this week. Wikileaks has now dumped the promised documents online, and has been duly blocked by Turkish authorities.
Dave Bittner: [00:02:27:00] It is, of course, possible to work around the block, even from within Turkey. The material released consists of emails belonging to the ruling AKP party. The emails go back to 2010, with the most recent ones dating to July 6, 2016. Wikileaks says the leaks have no connection to anyone involved in plotting the attempted coup d’état.
Dave Bittner: [00:02:46:20] Foreign Policy thinks the events in Turkey show that “the Internet has torn up the playbook for how coups are won and lost.” Many observers note Erdoğan’s use of Facetime, and suggest that the internet generally, and some social media platforms specifically, have superseded the easily interdicted press, radio, and television that earlier coups dealt with in well-understood ways. There are reports that cell phone carriers dramatically increased user bandwidth during the incident in ways that defeated some apparent attempts to shut down online services.
Dave Bittner: [00:03:18:19] Turkey has pulled out of some planned talks aimed at coordinating anti-ISIS operations. Whether this is a matter of policy or the accidental consequence of Turkish officials’ being busy with other things this week remains to be seen.
Dave Bittner: [00:03:32:08] ISIS itself has been busy elsewhere. Among the information leaked in the recent doxing of leading ISIS forum Shumukh al Islam, is correspondence with a number of Uighur fighters in China who appear to have hitched their fortunes to the Caliphate’s bandwagon. Uighur movements of various stripes have long been the subject of intense surveillance by Chinese security services.
Dave Bittner: [00:03:53:20] ISIS has also surfaced online in Brazil, where the small and little-known but still, to the authorities, worrisome extremist group, Ansar al-Khilafah, has taken to Telegram to pledge fealty to ISIS. This adds a specifically jihadist element to the mix of cyber threats Brazilian authorities are coping with during the run-up to the Olympics. Cybercriminals pose the usual problems they always do to high-profile international gatherings, and hacktivists have also surfaced, most recently in the form of a distributed denial-of-service attack anonymous mounted against a court. This action was retaliation for a Brazilian court order blocking WhatsApp - objectionable to the judge because of its strong encryption. A higher court has since overturned this order, and WhatsApp is now available again, as normal, in Brazil.
Dave Bittner: [00:04:41:02] In vulnerability news, enSilo warns that there are software code hooking issues affecting more than 15 security products from leading vendors. EnSilo promises a report at Black Hat, but they’ve posted an early version of their findings in the company’s blog. Among the companies whose products are said to be affected are McAfee, Intel Security, Kaspersky, Symantec, Trend Micro, Bitdefender, AVG, Avast, Webroot, Emsisoft, Vera, Citrix, specifically XenDesktop, and Microsoft, specifically the hooking engine “Detours”. The affected classes of products include data loss prevention tools, host-based intrusion prevention systems, anti-exploitation, and anti-virus products. Some have already been patched, other patches are in the works. EnSilo thinks thousands of products are likely to be ultimately affected, and that fixing the problems will involve a lot of laborious re-compiling of code. In the meantime, a lot of endpoints will be vulnerable to exploitation.
Dave Bittner: [00:05:38:22] We spoke to Morphisec’s Ronen Yehoshua about other aspects of endpoint protection, and he described the limitations of what it’s reasonable to expect in this area, and an innovation they've developed that they call Moving Target Defense.
Ronen Yehoshua: [00:05:52:15] Moving Target Defense is a concept that takes a target and changes it in such a way that the hacker doesn't recognize it anymore. Not only that, we do that in a randomized way each time the attacker gets into the system. So, even if the attacker would understand what we do and did an attack to overcome it, next time he meets the system it will be totally different. That's why we call it Moving Target Defense. That target constantly changes in front of the hacker.
Dave Bittner: [00:06:25:23] Yehoshua says that one thing attackers usually count on is that once they're inside a system they know what to expect, what files and applications will likely be found, and where they'll be located.
Ronen Yehoshua: [00:06:36:22] The way that advance attacks are able to penetrate organizations today, they are so successful, is because of the fact that those application operating systems are actually static. They do not change. There's one way they are working and hackers know that, and they know that when the attack will get to the organization they will meet the same application, the same operative system that they were designed to exploit.
Dave Bittner: [00:07:03:13] A Moving Target Defense, on the other hand, does pretty much exactly what the name implies. Yehoshua explains the technique.
Ronen Yehoshua: [00:07:10:19] We take the memory structure of the target and we use fully morphism in order to randomize it and change it, and then, once the attack meets the target, suddenly it finds a totally different structure than it was designed in advance to exploit. So, that's why we call it a Moving Target Defense. The target constantly moves in front of the hacker. Now, instead of chasing after the hacker trying to understand what they do, those hackers need now to chase after unpredictable moving targets.
Dave Bittner: [00:07:47:22] It's a clever innovation, but Yehoshua warns it's not a silver bullet.
Ronen Yehoshua: [00:07:52:04] The attack surface is very wide. An organization would need to protect itself with several layers. What we recommend is you keep your anti-virus there. That will probably stop, in a very efficient way, most of the usual known attacks and then implement exploitation mitigation like ours. Then, if you want to really close everything around your endpoint, you may install another layer. The whole discussion in the market today is, it's not what is the right product, because there is no one product that can do all, it's rather what is the right stack, what is the right combination of products an enterprise needs to have on its PC.
Dave Bittner: [00:08:40:19] That's Ronen Yehoshua, he's the CEO at Morphisec.
Dave Bittner: [00:08:46:08] Randsomware continues to be effective against a wide range of victims, and not all of them - or even most of them - are in the healthcare sector. The SoakSoak botnet is delivering CryptXXX ransomware through compromised business WordPress sites. The attackers are exploiting the Rev Slider plugin.
Dave Bittner: [00:09:02:17] Extortionists, using ransomware, have long imitated certain legitimate business practices, especially customer service ones. F-Secure catphished several ransomware help desks to rate their services. They conclude that extortionists need good help desks - if you can’t convince the customers you can actually restore their files, they've got little incentive to pay up.
Dave Bittner: [00:09:23:24] And, finally, speaking of catphish naturally turns our thoughts to sockpuppets. VICE Canada has a video interview with an actual sockpuppet, controlled by the famous hacktivist Phineas Phisher. Mr. Phisher agreed to be interviewed, but only if they would permit him to appear visually in the form of a sockpuppet. He looks kind of like Kermit, only paler, and with a sort of dinosaur haircut, or scalecut. We’re not sure.
Dave Bittner: [00:09:52:20] Time to take a moment to tell you about our sponsor, E8 Security. Putting your data together with E8's analytics for security that can handle the unknown unknowns. Consider what might warn you off to malware on your system. Listening or running programs on a rare or never seen before open port is one of them. It's easy to say that, but could you say what counted as rare or never seen before? Or would that information jump out at you as you reviewed logs? If you had time to review your logs, and by the time the logs reached you, the news would be old. But E8's analytical tools recognize and flag that threat at once, enabling you to detect, hunt and respond. Get their free White Paper at e8security.com/dhr and get started. E8 security, your trusted partner. We thank E8 for sponsoring the CyberWire.
Dave Bittner: [00:10:44:10] And I'm joined once again by Markus Raushecker. He's with the University of Maryland Center for Health and Homeland Security. Markus, interesting article on KrebsOnSecurity, Brian Krebs' security focused news and information blog, online publication, about the serial swatter, stalker and doxer, Mir Islam, who got one year in jail for his crimes. Brian Krebs was actually doxed and swatted by this guy. Let's just start off, explain to us what is doxing and swatting?
Markus Raushecker: [00:11:12:21] So, unfortunately, doxing and swatting are happening more and more frequently. Doxing, basically, is when an individual publishes private information about somebody online. A lot of times you'll see public figures or celebrities being doxed by an individual where public figures or a celebrity's private information such as home address, phone numbers, perhaps even social security numbers and other information gets published online for anyone to see. Swatting is also very serious. It's where an individual tricks police or law enforcement into responding to a phony incident, like a hostage crisis, or an active shooter incident, or bomb scare. Police are then responding to a residence or a business based on this threat that was provided to them. Remember, in this case, this threat is completely phony and totally made up but police, of course, don't know that they're responding to a phony threat. They think it's a real threat that they're responding to.
Markus Raushecker: [00:12:19:12] When they descend on a house, the individual inside is completely innocent and is completely surprised by this police presence. It can be very, very stressful and even a dangerous situation for everyone involved.
Dave Bittner: [00:12:36:21] Now, in the article, certainly Brian Krebs was making the point that Mr. Islam will only be serving about a year in Federal Prison after time served. He had a 24 month sentence, but they counted time served, so he's only going to be in for another year or so. According to Brian Krebs, that's a pretty short sentence for someone who had doxed and swatted up to 19 people.
Markus Raushecker: [00:12:59:10] I think Brian Krebs is right and that is a pretty lenient sentence considering what happened, or what might have happened, for these really serious actions here. I think a court is also always somewhat limited in their sentencing, because of the federal sentencing guidelines that exist which provide a court with a time range within which a court may sentence an individual. Perhaps even that Mr. Islam was suffering from some degree of mental illness, so that may have played into the court's decision on sentencing. If we want to prevent these kinds of actions in the future, I think one of the big pieces needs to be deterrents and if these sentences are not strong enough, the deterrent factor might not be as affective as it could be. So we'll see. Unfortunately, I think we'll see more of these types of incidents and we'll see what other courts may do in terms of their sentencing for those cases.
Dave Bittner: [00:14:05:24] Alright, Markus Rauschecker, thank you for joining us.
Dave Bittner: [00:14:10:20] And that's the CyberWire. For links to all of today's stories, along with the interviews, our glossary, and more, visit thecyberwire.com. If you enjoy our daily look at cyber security news, we hope you'll help spread the word by telling your friends and co-workers about our show, or leaving a review on iTunes. And thank you to all of our sponsors who make the CyberWire possible. The CyberWire Podcast is produced by Pratt Street Media. The Editor is John Petrik. Our Social Media Editor is Jennifer Eiben. Our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thank you for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
DETECT. HUNT. RESPOND. Your data + security analytics will help you prevent your next security incident. Find out how. E8 Security.