Dave Bittner: [00:00:03:14] In a developing story, LinkedIn may have been breached. More information is out on banks' interactions with SWIFT. A banking Trojan finds its way into the Play Store. ATM malware performs the functions of a skimmer. Gray hats turn ransomware vigilantes. China quietly interrogates US IT companies on security. And while even cyber gangs have HR departments, you know what, there's still no honor among thieves.
Dave Bittner: [00:00:30:16] This CyberWire podcast is brought to you by Recorded Future, the real-time threat intelligence company whose patented web intelligence engine continuously analyzes the entire web to give information security analysts unmatched insight into emerging threats. Sign up for free daily threat intel updates at recordedfuture.com/intel.
Dave Bittner: [00:00:54:07] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, May 18th, 2016.
Dave Bittner: [00:01:01:04] In a developing story, LinkedIn has reportedly been hacked. Account records for some 167 million users are said to be for sale on the black market site, The Real Deal. About 117 million accounts' hashed passwords are among the data being hawked. Some observers have reached the preliminary conclusion that the breach is real, the data legitimate. The crooks selling the information are asking for five bitcoin, about $2,200 US, which suggests how rapidly data is being commodified in the black market. We'll be watching this incident as the story develops.
Dave Bittner: [00:01:35:13] Post-mortems on the Bangladesh Bank cyber theft trigger concerns over the integrity of SWIFT transaction records. Although SWIFT wasn't directly compromised, some banks' interactions with the system apparently were. Compromise of SWIFT interactions would be troubling and not only for the potential of theft. The US government, for example, uses SWIFT transaction data to monitor financial systems for illicit funds transfers. Should that data become unreliable, that eventually could have significant ramifications for intelligence and law enforcement.
Dave Bittner: [00:02:07:24] Users are reminded again of the need for caution in the apps they download. Another malicious app has found its way into the Google Play Store. 'Black Jack Free' would appear to be a gaming app but in fact it's simply a vector for a variant of the Acecard banking Trojan.
Dave Bittner: [00:02:23:11] Another problematic app is a flashlight add-on, that is an app that lets you use your device as a literal flashlight for illumination. Many phones come with legitimate flashlight apps pre-installed. Those that don't, however, are at risk if they try to add this feature to their device. According to Trend Micro, 'Super-Bright, LED Flashlight', serves up advertising scareware, which falsely purports to be from Google, that tells users their device is infected with malware and offers to sell them a variety of anti-virus products. Our advice? Get an actual flashlight. Our stringers pick up two or three of them at every conference they attend.
Dave Bittner: [00:03:00:15] Kaspersky has discovered a new variant of ATM malware, essentially a software alternative to the hardware skimmers mules insert into gas pump payment stations. Kaspersky gives the malware the somewhat obvious name, 'Skimmer', and says that it can dispense money, collect and then print pay-card and account details and eventually delete itself. Skimmer uses the commercial Themida packer to help keep itself hidden.
Dave Bittner: [00:03:25:09] Ransomware seems to attract cyber vigilantes of various stripes. These range from the obvious white hats who develop decryption tools and make them available to the victims, to the gray hats who directly interfere with ransomware transmission. F-Secure has published a case study of one such action; the substitution of a public service announcement warning against phishing for the malicious Locky payload the criminals had intended to distribute.
Dave Bittner: [00:03:50:20] The long-familiar Microsoft Tech Support Scam, no association, of course, with Microsoft, is perhaps second in longevity only to the Nigerian Banking Scam, but it's now showing a new wrinkle. Malwarebytes has found a Windows locker that displays during booting and that temporarily locks a user's system. The screen display is a plausible looking dialog box that tells users they have an invalid product key, and gives them a support number to call. Once they call, of course, the victims are tricked into giving up sensitive data.
Dave Bittner: [00:04:21:16] As we've reported recently, the FTC and FCC have taken an increasing interest in how mobile service providers and device manufacturers are providing timely updates. John Michaelson is Chief Product Officer at Zimperium.
John Michaelson: [00:04:34:23] The reality is, the mobile platforms are fantastic, right? They're doing amazing things and they're growing, and the problem is that the rate of CVEs or vulnerabilities that are disclosed is still on the upswing, they're still going higher. So if you look at a stable platform like Linux, it peaked many, many years ago in terms of disclosures of vulnerability, and it's now quite rare to see a very significant vulnerability disclosed in Linux, for example. But in both Google and Apple's platforms, it's quite common to see high severity CVEs discovered. Every few years we see mobile devices that are radically improved in their capabilities, the things they can do, and of course wearables after that and IoT after that. These platforms are certainly still on the expanding side and because of that we're not going to see a slowdown in CVEs for quite some time.
Dave Bittner: [00:05:32:10] So faced with ever-evolving platforms and threats, what's the best strategy to protect our mobile devices? Michaelson has some practical advice.
John Michaelson: [00:05:40:14] We all need to recognize that the least we could do is to make sure we're running the most current versions of the operating systems that are on our devices and that we're using devices that are well supported. Some manufacturers are slower to patch their devices than others and some telcos are slower depending on where you are in the world, slower to patch their devices, but we need to also come to terms with a reality here. The reality is when a vulnerability is discovered, that doesn't mean it was just invented, it doesn't mean it didn't exist before the discovery.
John Michaelson: [00:06:13:22] When we identify in the security business, here is a zero day discovery of some new exploit, on average it's been in the world for 200 days already. So in fact we've been vulnerable to this new disclosure or discovery for at least 200 days already. So certainly patching is good but patching itself is not sufficient. For those customers, especially enterprises that trust their mobile devices, who need to trust their mobile devices; they have sensitive assets on them, they have access to sensitive data, you really should think about on-device detection of these kinds of exploits so that you aren't always late. Because the disclosure and the discovery is, as I say, hundreds of days after the thing has already been in the wild.
Dave Bittner: [00:07:01:15] That's John Michaelson from Zimperium.
Dave Bittner: [00:07:05:16] Chinese authorities are querying US IT companies about security matters. This is being done quietly in face-to-face interviews. The companies who have been summoned include Apple, Cisco and Microsoft.
Dave Bittner: [00:07:17:24] Criminal markets have for some time been evolving into shadow versions of legitimate markets. According to an HPE report on the state of the black market, illicit enterprises now have most of the familiar trappings of business. They've acquired FAQs, help desks, customer relations people, quality assurance, even HR and recruiting. They're also adopting the language of the boardroom, which one might hope will impede their rate of technology advance. After all, if CISOs are to be believed, boards often don't get it. And if boards are to be believed, CISOs struggle to discuss risk in business language. Maybe the cyber crime-lords will find themselves grappling with the same failures to communicate. We can hope anyway.
Dave Bittner: [00:08:00:00] And, finally, there's no honor among thieves is there? Because not only do cyber gangs have management challenges, they've also got, well, other cyber gangs. The criminal forum, Nulled.IO, a popular bazaar for stolen information, has itself been robbed. Various crooks have made off with data without paying for it. If they have HR departments, we're pretty sure the outraged gangs have got collection agencies too. We hope the good guys get there first.
Dave Bittner: [00:08:32:15] Today's podcast is made possible by ClearedJobs.Net. Find rewarding IT engineering opportunities in Maryland, tackling complex security challenges in the defense arena. Join G2, a growing company where creativity, curiosity and playfulness lead to innovative problem solving. Learn more at thecyberwire.com/clearedjobs.
Dave Bittner: [00:08:59:23] Joining me once again is Jonathan Katz, he's a professor of computer science at the University of Maryland. Jonathan, ransomware is a recurring theme on our show, it seems like there's always new ransomware tools. One of the things that ransomware relies on is encryption. What kind of encryption schemes are we usually seeing in ransomware?
Jonathan Katz: [00:09:17:12] These ransomwares are actually quite vicious, and what they do is they turn cryptography on its head and they use it against the honest party that they're attacking. What they're typically doing is actually using public-key cryptography, public-key encryption, and the ransomware is generating a random key, encrypting the contents of the user's hard drive using that key and then encrypting that key using a public-key encryption scheme with respect to a public-key that the creator of the ransomware, for which they know the corresponding secret-key.
Jonathan Katz: [00:09:47:17] So what this allows is that if the honest user is willing to pay some ransom to the creator of the ransomware, then the person who created the ransomware is actually able to decrypt and allow the user to decrypt the contents of their hard-drive.
Dave Bittner: [00:10:01:23] Now we've seen there has been some success with folks developing decryption tools for ransomware.
Jonathan Katz: [00:10:08:24] Yes, that's right. It's really interesting there because what they're basically relying on is the difficulty of getting implementations of public-key cryptography right. If the ransomware does not implement the public-key encryption correctly then researchers can potentially crack it. In a lot of these cases, what happens is, that the random number generation or the random numbers that are used to either encrypt the user's hard-drive or to do the public-key encryption itself, is actually using poor quality randomness. And that basically gives the good guys a toehold with which they can actually decrypt the user's hard-drive without having to pay the ransom at all.
Jonathan Katz: [00:10:48:10] So it's really interesting as a demonstration of on the one hand how the bad guys are trying to use encryption for their own purposes but because they can't or they're unable to implement it correctly, it actually backfires on them and allows people to recover their data.
Dave Bittner: [00:11:02:01] It's a good thing for us that none of these bad guys have you as their professor, right?
Jonathan Katz: [00:11:07:21] That's right. It's going to be a little dangerous when they start taking crypto classes and learning how to implement it correctly. I guess it just serves as a warning for everybody about how difficult the topic really is.
Dave Bittner: [00:11:15:22] Alright, Jonathan Katz, thanks for joining us.
Dave Bittner: [00:11:20:15] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. If you'd like to place your products, service or solution in front of people who want it, you'll find few better places to do that than the CyberWire. Visit thecyberwire.com/sponsors to find out how to sponsor our podcast or daily news brief.
Dave Bittner: [00:11:43:08] The CyberWire's produced by Pratt Street Media. The Editor is John Petrik. I'm Dave Bittner. Thanks for listening.