The CyberWire Daily Podcast

In today's podcast, we hear about how Spectre and Meltdown mitigations are proceeding, with many successes (but some blue-screen-of-death failures, too). Psiphon looks like the souped-up VPN of choice for Iranian dissidents, as that country's Internet crackdown continues. Pop-up ads infest mobile devices as an old tactic finds new scope for its misapplication. Olympic phishing targets South Korean companies. China moves to stop illicit cryptocurrency miners. Jonathan Katz from UMD on Bitcoin mining power use. Our guest is Udi Yavo from enSilo on process doppelganging. Is there an altcoin bubble? Sure looks like it.

Transcript

Dave Bittner: [00:00:00:18] A big thanks to all of you who help spread the word about the CyberWire. Don't forget to check us out on social media. We're on Twitter, Facebook, and LinkedIn. Thanks for all the support.

Dave Bittner: [00:00:13:04] Spectre and Meltdown mitigations proceed, with many successes, but some blue-screen-of-death failures, too. Psiphon looks like the souped-up VPN of choice for Iranian dissidents, as that country's Internet crackdown continues. Pop-up ads infest mobile devices as an old tactic finds new scope for its misapplication. Olympic phishing targets South Korean companies. China moves to stop illicit cryptocurrency miners. And is there an altcoin bubble? Sure looks like it.

Dave Bittner: [00:00:45:23] And now some notes from our sponsor, Cylance. You've heard of Emotet, the banking Trojan that reemerged at the end of 2017 to trouble online banking customers. For now, it's hitting financial institutions, mostly in Austria and Germany. But even if you speak English, French, Hindi, Russian, Arabic, Chinese or Hebrew, well, don't get cocky, kid. Your language community could well be in the on-deck circle.

Dave Bittner: [00:01:09:13] The new Emotet has a bad new dropper. It knows when you're sandboxing it, and it evades attempts to analyze it. Fortunately, you're in luck, no matter where you are. Cylance can protect you. Check out Cylance's blog post about Emotet at cylance.com. That's Cylance. And we not only thank them for sponsoring the CyberWire, but we suggest you head on over to cylance.com for the skinny on Emotet.

Dave Bittner: [00:01:42:05] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Tuesday, January 9th, 2018.

Dave Bittner: [00:01:52:00] The very large task of mitigating the speculative-execution processor vulnerabilities, Spectre and Meltdown, continues, with a number of successes. Apple has addressed Spectre with a fix for iOS and macOS devices. On the whole, the cooperation vendors are showing in addressing the vulnerabilities seems commendable (at least Intel thinks so, and with some reason) but problems applying the fixes offered are widely reported, as one would expect. Microsoft has pulled its fix of Spectre and Meltdown for AMD-based devices: that patch is reported to have bricked some of the machines to which it was applied.

Dave Bittner: [00:02:28:02] There's a general lesson here about patching. Fixing problems that have ramifications across many platforms and many applications involves complex dependencies and often unintended consequences. This is particularly true for patches that touch systems where downtime or interruption are too costly to tolerate, as in industrial process controls and similar IoT environments. So the speed with which mitigations have been pushed out is encouraging.

Dave Bittner: [00:02:55:05] Where Twitter was the enabling technology of Iran's failed Green Revolution of 2009, current dissenters are turning to Canadian-made Psiphon, a firewall-evasion app that's seen up to 700,000 downloads a day in the new year, most of them in Iran. Psiphon, developed by the University of Toronto's Citizen Lab, isn't the only tool being used to circumvent Iran's "filternet," but observers are tending to keep quiet about other tools, lest they blow the gaff to the regime. That regime appears to be showing some internal ambivalence towards its own response to dissent.

Dave Bittner: [00:03:31:04] A surge in pop-up redirect ads is troubling mobile device users. The tactic isn't new, but it's recently become very widespread, and has begun infesting top-tier websites. Media outlets that depend upon ad servers for revenue are feeling a pinch, and are looking for ways to pressure those services into better behavior.

Dave Bittner: [00:03:51:11] Concerns continue over phishing attempts during the run-up to the Winter Olympics. It appears to be a targeted campaign directed at selected South Korean companies. There's no attribution yet, but eyes are inevitably turning toward the usual suspects in Pyongyang.

Dave Bittner: [00:04:08:17] Researchers at security firm enSilo recently published work outlining an exploit they've named "process doppelganging." Udi Yavo is Chief Technology Officer at enSilo.

Udi Yavo: [00:04:18:22] Microsoft added the capability to NTFS to support transactions. What this essentially means is that once you do file actions, you'll be able to easily hold them back. This is very useful, for example, for installers. When installers start putting files on disc, maybe at one point or another, it may have an error, it makes it really easy to hold it back. It holds back all the changes that were done to the file system. What we figured is, what's going to happen if we create an executable, map it as executable into memory, which means that it's added to execute, and then we hold back the transaction. So, essentially it means that what we see in memory, what's running is not related to the data on disc. So, if something tries to read from the disc, it will no longer read that, that action exists in memory.

Dave Bittner: [00:05:16:18] So you've got something on disc, and that's what you load in for your executable, and then at just the right moment, you execute this function in the NTFS file system that reverts the disc back to its previous state. So, from the disc's point of view, it appears as though the file never changed, and what's executing no longer matches what's on the disc. Is that correct?

Udi Yavo: [00:05:42:01] Exactly. And still, even though it's no longer there, everything that tries to look at the process will see the properties of the file that resides on disc. So, for example, if you tried to check its signatures, it will look okay.

Dave Bittner: [00:05:59:07] Is this process something that's at the research stage for you all? Was this an original bit of research that you all did? Or is this something that you've discovered that other people are using?

Udi Yavo: [00:06:09:02] No. It's research that was done entirely by us.

Dave Bittner: [00:06:14:10] So, there's no evidence that anyone is using this out in the wild yet, for any bad things?

Udi Yavo: [00:06:19:01] No. This is also why we've not released any source code, because we don't want to make it easy to leverage at this moment.

Dave Bittner: [00:06:29:15] So, in terms of evading a standard AV software, how does it go about doing that? And then how can you detect this sort of thing?

Udi Yavo: [00:06:38:18] It depends on when exactly the AV is doing its scanning. Most AVs do the scanning either when the file is closed, or when the process is created. In both cases, it's going to be problematic, because the file is no longer the original file. Some AV vendors do it from user mode process, and then it's not going to be in the context of the transaction. So, this is why it's able to evade.

Dave Bittner: [00:07:05:21] So, is this a, a flaw in the NTFS file system, fundamentally? Or is it just someone being clever and taking advantage of something that's functioning the way it was intended?

Udi Yavo: [00:07:17:02] It's actually the second option. There is no type of vulnerability here, and no kind of bug. It's just a way to leverage features in an unpredictable way.

Dave Bittner: [00:07:29:16] That's Udi Yavo from enSilo. You can learn more about process doppelganging on the enSilo website. It's in their blog section.

Dave Bittner: [00:07:38:06] Criminals are showing sustained interest in cryptocurrency mining and hardware wallet pilferage as the altcoins' very high valuations persist. Chinese authorities appear to be preparing a crackdown on the illicit installation of currency miners in unsuspecting third parties. Miners are spreading to new mobile precincts, as they're reported to have appeared in BlackBerry sites. And the government of North Korea shows little sign of forsaking theft of cryptocurrency as a means of redressing the financial shortfalls imposed by international sanctions, and an economy that produces little that anyone wants to buy.

Dave Bittner: [00:08:14:03] Initial coin offerings continue, and both actual businesses and regulators are giving them some attention. The US Securities and Exchange Commission is devoting some of its beefed-up cyber oversight muscle to the initial coin offering market. And there are a number of start-ups going the ICO route as they seek funding for growth.

Dave Bittner: [00:08:32:24] One of those is Telegram, the encrypted messaging startup whose service is among those currently blocked in Iran. Telegram is planning, according to TechCrunch, a multi-billion dollar ICO to put its own blockchain platform in place, complete with its own native cryptocurrency, said to represent an evolutionary advance over pioneers like Bitcoin and Ethereum. The new platform will be called TON, the Telegram Open Network, and will enable payments in the Telegram chat app and elsewhere. Founder Pavel Durov is said to be interested in the sort of independence of government control he wasn't able to attain with his earlier company, Russian social media platform, VK.

Dave Bittner: [00:09:13:09] So, is there a bubble in altcoins? A lot of people resist saying so, some of them apparently out of the kind of pardonable but starry-eyed technolibertarianism that seems to animate Telegram enthusiasts. But this market looks like a speculative mania for the ages, one to rival tulip bulb futures, or maybe, to take a more recent bubble, subprime loan derivatives.

Dave Bittner: [00:09:36:19] Witness Dogecoin, named after a dog but not pronounced like "dog," because it came from an old meme that originated in the Homestar Runner puppet show, where Homestar Runner called Strong Bad his "Doge."

Homestar Runner: [00:09:48:24] You crack me up! Crack. Me. Up. That's why you're my D-O-G-E.

Strong Bad: [00:09:55:12] Your doge? What are you talking about? I'm Strong Bad.

Dave Bittner: [00:10:00:13] Various others picked this up, on Tumblr and elsewhere, with posts that featured pictures of a Shiba Inu dog, then encounters with this particular white, fluffy doge, and then the white fluffy doge making, as Ars Technica puts it, "excited but ungrammatical declarations."

Dave Bittner: [00:10:17:12] We explain this because, first of all, we are a bring-your-own-dog shop here at the CyberWire, so we're naturally attracted to news with a canine angle. But, second of all, because this back story should suggest that Dogecoin probably wasn't meant to be taken entirely seriously.

Dave Bittner: [00:10:33:00] Indeed, that seems to be the case. The cryptocurrency hasn't been under active development for about a year, and it was intended to be something people could goof around with until it faded naturally into oblivion.

Dave Bittner: [00:10:44:19] Only natural oblivion isn't in prospect. In fact, Dogecoin peaked at $2 billion this Saturday - that's buh-buh-billion, "billion" with a "B" - before a market correction yesterday brought it back to its current level of about $1.7 billion. Dogecoin co-founder Jackson Palmer, who really hasn't been actively involved with Dogecoin since 2015, told the altcoin news outlet CoinDesk, "It says a lot about the state of the cryptocurrency space in general that a currency with a dog on it which hasn't released a software update in over two years has a $1 billion plus market cap."

Dave Bittner: [00:11:25:08] You said it, Mr. Palmer. But all things blockchain are singing to speculators nowadays. The governments of Russia and Venezuela are introducing blockchain-based fiat currencies, which seems in some ways to be missing the point, but okay. The crucial question remains: will those fiat cryptocurrencies be convertible to Dogecoin? Or maybe even Voppercoin, if you're a coin trader with the munchies?

Dave Bittner: [00:11:55:05] Now, a moment to tell you about our sponsor, ThreatConnect. On Tuesday, January 23rd, at 10:00 AM Pacific and 1:00 PM Eastern Time, they're teaming up with DomainTools for a webinar on mapping connected infrastructure. As you know, the more information you have about a potential threat, the better you can defend against it. And in order to stay ahead of malicious actors, it is crucial that security teams add context and enrichment to their threat data. The combination of the ThreatConnect threat intelligence platform and DomainTools' Iris investigative platform empowers security professionals to hunt APTs efficiently and effectively.

Dave Bittner: [00:12:31:14] Join Director of Product Integrations at DomainTools, Mark Kendrick, and Threat Intelligence Researcher at ThreatConnect, Kyle Ehmke, to learn how the same techniques can help network defenders and incident responders efficiently protect their own organizations. In addition, get an inside view into how ThreatConnect and DomainTools work together to enable thorough domain actor and IP investigations. Sign up today at threatconnect.com/webinar. That's threatconnect.com/webinar. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:13:12:24] And joining me once again is Jonathan Katz. He's a Professor of Computer Science at the University of Maryland, and also Director of the Maryland Cybersecurity Center. Jonathan, welcome back. There's been a lot of news lately about Bitcoin mining in particular, and the amount of power that it uses. And I was hoping you could just spread some light on why is that? Why is the energy used so significant for Bitcoin mining? And is it going to eventually collapse under its own weight?

Jonathan Katz: [00:13:38:18] Yeah, that's a really interesting question, and there were some reports going around a couple of weeks ago about the amount of electricity being used for Bitcoin mining, and how it compares to the electricity usage of even certain countries. And fundamentally, the reason is that the Bitcoin network is secured by the computational processing being done by all the nodes in the system. And as more and more nodes are joining, as more and more people are becoming interested in Bitcoin, and as more and more people want to mine Bitcoin, you see more people investing more and more effort into solving these computational puzzles that reward the miners with Bitcoin when they can find the solution. And people are worried about this. People are concerned about the amount of electricity that Bitcoin is using, and also concerned about the huge waste of this electricity, because essentially, it's not doing anything useful for anybody, other than allowing the people who solve the puzzle to get some reward in Bitcoin. So, there's definitely a concern about that.

Jonathan Katz: [00:14:34:22] People have been thinking about ways to design systems that don't use as much energy. Those have so far remained academic proposals. They haven't really become as popular as Bitcoin, but it's definitely something to keep an eye on. And it's a concern for how much the Bitcoin network can continue to grow in the future.

Dave Bittner: [00:14:53:05] And, and is there any risk of these blockchain systems sort of collapsing under their own weight?

Jonathan Katz: [00:14:58:18] I wouldn't quite say collapsing under their own weight. I think there's always the concern that these things are a bit of a bubble. I mean, we've seen this even with Bitcoin itself, that as it becomes harder and harder to solve these puzzles that underlie Bitcoin, the average user, the hobbyist who might be interested in being a Bitcoin miner for fun, is being, as it were, priced out of the marketplace. And what you have instead are people who run small businesses, essentially, where they have these huge mining farms, investing quite a lot of money, still able to turn a profit, but nevertheless, you're kind of getting rid of the small people and only leaving room for larger people who can do the mining. And there's always the risk that that will eventually collapse as the average person can't get in anymore at ground level, and loses interest. So, there is a potential concern there.

Dave Bittner: [00:15:47:19] And using a lot of electricity as they go.

Jonathan Katz: [00:15:50:15] Yeah, that's right. That's right. So, I think about it in terms of just the environmental impact. It's still small relative to all the other things we're doing to the planet, but it's something to think about, and the amount of electricity and consumption that's being wasted essentially, just to keep the Bitcoin network going.

Dave Bittner: [00:16:08:05] Jonathan Katz, thanks for joining us.

Dave Bittner: [00:16:11:17] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com.

Dave Bittner: [00:16:25:11] And thanks to our supporting sponsor E8 Security. All of the behavior, find the threat. Visit e8Security.com to learn more.

Dave Bittner: [00:16:34:14] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:16:44:02] Our show is produced by Pratt Street Media with Editor John Petrik. Social Media Editor Jennifer Eiben. Technical Editor Chris Russell. Executive Editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.