The CyberWire Daily Podcast 6.1.16
Ep 111 | 6.1.16

Stealth Falcon, OEM issues, black market trends.


Dave Bittner: [00:00:04:06] Citizen Lab describes Stealth Falcon, and bids journalists beware. An apparent Windows zero-day is for sale on the Russian black market. Data breaches are getting bigger, but stolen data isn't exactly making the criminals rich. Software installed by some OEMs is showing signs of crypto fails. University of Michigan researchers demonstrate an insidious hardware backdoor proof of concept.

Dave Bittner: [00:00:24:22] We hear about the risks of public photo-printing kiosks, and we learn about the implications of the coming SHA-1 cert expiration deadline. And if you're a street criminal, you might want to stay off Facebook, at least if you're working in the English Midlands.

Dave Bittner: [00:00:40:14] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at

Dave Bittner: [00:01:01:10] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, June 1st, 2016. State security and intelligence services have long made use of journalistic cover. But a report released early this week by Citizen Lab at the University of Toronto describes one such apparent effort, which Citizen Lab is calling "Stealth Falcon."

Dave Bittner: [00:01:21:05] The evidence is circumstantial, but the researchers think it likely that the United Arab Emirates government was using, among other tools, sock puppet journalists whose email and Twitter correspondence with other, actual journalists served as a vector for installation of spyware. The apparent goal was monitoring of dissident activity.

Dave Bittner: [00:01:40:22] Citizen Lab notes the possibility that they're observing criminal as opposed to state-directed activity, but thinks the evidence strongly suggests a security service. Foreign Policy notes that Citizen Lab has reported similar campaigns in Iran, Bahrain, and left-leaning Latin American states.

Dave Bittner: [00:01:58:23] Cyber criminals are offering what they claim is a very damaging Windows zero-day, almost amounting to a crimeware killer app. The purported vulnerability - and we stress purported because, as Microsoft points out, the bug is yet to be verified - is said to enable an attacker to obtain admin privileges on any machine running any version of Windows from Windows 2000, through a fully up-to-date Windows 10. The hackers' initial asking price was set at $95,000.

Dave Bittner: [00:02:27:01] The original "Dear friends, I offer you a rare product" offer appeared in a Russian criminal forum on May 11th. Payment would be made under escrow. Whether the hackers' claims are legitimate or not, the case is interesting for at least two reasons.

Dave Bittner: [00:02:41:01] First, whoever discovered the flaw - again, if it is a flaw, it's still early - apparently thought they could make more money hawking it in a crimeware bazaar than by using it themselves or selling it quietly to big buyers, as other zero-day vendors are known to do.

Dave Bittner: [00:02:56:14] Second, zero-days may be on their way to the sort of commodification long seen in the data theft racket. The fact that they're being offered to well-heeled but poorly-skilled skids, however, can't be a good sign. Trustwave's SpiderLabs is following the story closely. We'll hear from them tomorrow.

Dave Bittner: [00:03:15:00] That stolen data has become an inexpensive commodity may be seen in the continuing story of the MySpace breach. To offer almost half a billion of even old credentials for about $2,800 suggests it's a buyer's black market. Balabit's István Szabó notes that passwords shouldn't be an account's principal or only protection. He recommends monitoring activity, especially privileged users' activity, and applying behavioral analytics as a check on this sort of threat.

Dave Bittner: [00:03:43:19] He told the CyberWire, "User behavior analytics can help detect, alert, and block access to an organization's data automatically if an attacker attempts to use the stolen credentials."

Dave Bittner: [00:03:57:01] Tumblr is also recovering from an old breach dating to 2013. The compromised information is worth even less than the stolen MySpace data. The hacker selling it, "Peace," is asking only $150. As Peace told Motherboard, he's essentially selling just a list of emails.

Dave Bittner: [00:04:13:20] We checked with Andrew Komarov, Chief Intelligence Officer at InfoArmor, who confirmed to the CyberWire that Tumblr's having hashed and salted the passwords makes them very difficult to crack, and thus of little black market value.

Dave Bittner: [00:04:26:24] Beyond the value of salted hash, these incidents suggest several lessons about securing information. Lastline security expert Craig Kensek observed to the CyberWire that enterprises should, again, consider using multi-factor authentication. For individuals, he told us, the advice is "don't ever use the same passwords across multiple accounts, do change them on a regular basis, and definitely consider licensing a password manager."

Dave Bittner: [00:04:52:11] A little bit of paranoia, Kensek says, goes a long way in information security and identity protection.

Dave Bittner: [00:04:59:08] Digital certificates are one of the key technologies that make the Internet useful by allowing users to have a high degree of confidence that the website they're visiting is actually the website they intend to visit. That little green lock icon in the address bar of your web browser that lets you know you're browsing securely: that functionality is made possible by digital certificates.

Dave Bittner: [00:05:19:00] They've evolved over the years as computing power has increased from the digital fingerprints of the MD5 algorithm to SHA-1, which is currently being phased out. Kevin Bochek is Vice President of Security Strategy at Venafi.

Kevin Bochek: [00:05:31:20] The bottom line when it comes to cryptography is that it is a battle against time and computing power. And the SHA-1 cryptographic method is hashing out. It's just a way that it allows us to put a fingerprint, and one way that, in the past, you couldn't copy.

Kevin Bochek: [00:05:51:08] But what we're finding is that the cloud and our increasing computational power are catching up with that. Nowadays, what used to be thought of as impossible, to recreate one of these fingerprints, could perhaps be recreated on Amazon Web Services in the cloud for $75,000, or maybe even less.

Kevin Bochek: [00:06:15:08] And if a bad guy can do it in the cloud for $75,000, you know that intelligence services like the NSA can do it in their sleep.

Dave Bittner: [00:06:25:21] SHA-1 has been replaced by the more secure SHA-2. The problem, according to Bochek, is that many organizations have been slow to update.

Kevin Bochek: [00:06:34:01] What we know is, at the end of last year, up to 25 percent of the top 100,000 websites that were using digital certificates to enable encryption and authentication were still using SHA-1. The browser community has decided that, starting January 1st, 2017, the padlock that we all know on our browser will not show green and in fact, in some cases, will show red, and not trust the SHA-1 certificates after January 1st.

Dave Bittner: [00:07:08:08] Kevin Bochek also warns organizations not to drag their feet and wait for the last minute. Chances are finding and updating all of your digital certificates is no small task.

Kevin Bochek: [00:07:17:24] You may think most of your digital certificates are exposed on the public network, but in fact they're all throughout your data center, all throughout your network. Going about finding them, both in locations you know and don't know about, is the first step that you've got to do.

Dave Bittner: [00:07:36:05] That's Kevin Bochek from Venafi. They've got more SHA-2 migration tips on their website.

Dave Bittner: [00:07:43:15] Researchers at the University of Michigan have demonstrated a disturbing proof of concept: a microscopic hardware backdoor embedded on an otherwise innocent chip. Detection of such a backdoor would be, they say, difficult to the point of practical impossibility, especially since the backdoor exploits analog as opposed to digital features of chip operation.

Dave Bittner: [00:08:03:24] It's essentially a single-cell capacitor. Wired reports the reaction of Google researcher Yonatan Zunger: "This is the most demonically clever computer security attack I've seen in years." It's a proof of concept and not something seen for now in the wild, but chip fabs would do well to look to their manufacturing processes.

Dave Bittner: [00:08:25:02] Finally, a note on email security. Our suits tell us they're getting concerned emails from someone calling himself "Scooter Coffey." Scooter's attached an invoice from another company and wonders why he hasn't been paid. The suits wonder if they should open it. Oh, those suits. You'd think the signature "Scooter" would put them on guard, but then remember the old adage about what curiosity does to cats.

Dave Bittner: [00:08:47:14] Scooter, if you're listening, go fish.

Dave Bittner: [00:08:54:06] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity, and community through technology education. Learn more at

Dave Bittner: [00:09:15:01] Joining me once again is Joe Kerrigan; he's from the Johns Hopkins University Information Security Institute. Joe, over the weekend, I happened to go by my local CVS pharmacy and I printed out some photos for a family member. It was remarkably easy to do, but as I approached the kiosk with my little USB thumb drive and I inserted it into this computer that I knew nothing about, the thought crossed my mind: have I just made this thumb drive disposable?

Joe Kerrigan: [00:09:44:00] Probably. [LAUGHS] It's not because anybody is being malicious; it's because thumb drives and USB drives, whatever you want to call them, are vectors for malware distribution. I don't know that I would call the drive disposable. If you have a Linux machine at home or an Apple - it was a Windows machine that you were working with, correct?

Dave Bittner: [00:10:09:02] I believe it was.

Joe Kerrigan: [00:10:10:12] That's going to run malware that's designed for Windows. So, if you take that and put it into a Linux box, you can actually execute a dd command. The original terminology was "disk duplicate"; it was how they would duplicate disks in the old days when they needed to back up master boot records and things of that sort.

Dave Bittner: [00:10:31:06] Your old floppies.

Joe Kerrigan: [00:10:32:06] Old floppies, exactly. But now it can also be used for wiping a disk completely by copying from /dev/zero, which is an endless supply of zeros on a Linux device, and writing to the physical hardware on the USB drive. This is possible in Linux and pretty easy. The Wikipedia page on dd is very helpful for this. It even has a section on how to wipe data off a disk.

Dave Bittner: [00:11:06:11] So, this is different from just rewriting the directory of the file; this is zeroing out all the bytes on the device from start to finish.

Joe Kerrigan: [00:11:11:16] Exactly. It's taking everything off that device. You'll need to reformat the device when you plug it back into a Windows machine.

Dave Bittner: [00:11:18:20] [LAUGHS] Okay. All right, good advice as always. Joe, thanks for joining us.

Joe Kerrigan: [00:11:22:17] My pleasure.

Dave Bittner: [00:11:26:02] And that's the CyberWire. If you enjoy our show, we hope you'll help spread the word and tell your friends and coworkers, and recommend us on social media. It really does help, and we really do appreciate it. The CyberWire is produced by Pratt Street Media. Our editor is John Petrik, and I'm Dave Bittner. Thanks for listening.