The CyberWire Daily Podcast 6.24.20
Ep 1116 | 6.24.20

BlueLeaks updates and fallout. Hidden Cobra hunt. Hacking leads to trade wars. What the crooks are watching, from their home and yours.


Dave Bittner: Twitter permanently suspends DDoSecrets for violating its policy with respect to hacked material. DDoSecrets explains its thinking with respect to BlueLeaks. A quick look at a Hidden Cobra hunt. Sino Australian dispute over hacking may be moving into a trade war phase. Lessons on election management. What do cybercriminals watch when they binge watch? Joe Carrigan explains the Ripple20 vulnerabilities. Cybersecurity Canon Week continues with Joseph Menn, author of "Cult of the Dead Cow." And some notes on the most malware infested movie and television fan communities. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 24, 2020. 

Dave Bittner: Twitter told ZDNet that the social network has permanently suspended the DDoSecrets Twitter account, an account belonging to the group responsible for BlueLeaks, because DDoSecrets violated Twitter's policy against distribution of hacked material. WIRED reports texts from DDoSecrets' founder Emma Best, who explained in response to the observation that there's not a lot of illegal police activity on display in BlueLeaks. This shouldn't be surprising, she suggested. In DDoSecrets' view, the value of the material is that it shows that legal and normal police conduct is itself problematic, especially in terms of its tone and the attitudes it expresses. 

Dave Bittner: Best attributes the attack to Anonymous, to Anonymous with a capital A, as she puts it, and that's always a bit of a handwaving attribution since Anonymous is more brand than organization, more like being a New England Patriots fan than being a New England Patriots player. But this does seem to be the biggest operation credibly attributed to the anarchist collective since the 2011 operations of what WIRED calls, the Anonymous subgroup Antisec, who took and leaked law enforcement data in support of Occupy Wall Street. Best compares BlueLeaks to the work of Jeremy Hammond, currently still serving a 10-year sentence for his own hacktivism. 

Dave Bittner: A number of bloggers who've commented on BlueLeaks don't like what they see because what they see is a relatively indiscriminate revelation of names, addresses, phone numbers, license plates, banking information, allegations of crime and so forth. Best told WIRED that due to the size of the dataset, we probably missed things. I wish we could have done more, but I'm pleased with what we did and that we continue to learn. 

Dave Bittner: Security Boulevard published a sample of reactions to BlueLeaks under the headline BlueLeaks is a huge fail for Anonymous and DDoSecrets. They basically painted huge targets on an unfathomable amount of private citizens, said one representative comment. Unfathomable is an exaggeration. It's a finite database, after all. But the number is certainly a big one. 

Dave Bittner: Security firm Reversing Labs offers a walk through the tools North Korea's Hidden Cobra, also known as the Lazarus Group, uses. The lessons the researchers draw is that it's possible to develop a rich picture of a threat actor from a starting point of publicly available intelligence. 

Dave Bittner: Channel News writes that Beijing is expected to retaliate for Canberra's strong hint that Chinese intelligence services are hacking targets in Australia on a large scale. The response is expected to take the form of tariffs and bans on certain Australian exports. 

Dave Bittner: The Washington Post calls Kentucky's primary elections yesterday a success story worthy of emulation. The three lessons the post draws for the security and successful conduct of U.S. November elections from Kentucky's experience this week are the importance of bipartisan cooperation, lots of upfront planning and, perhaps most important from the point of view of security, no hasty introduction of novel and unfamiliar voting machines. 

Dave Bittner: A lot of people during the lockdowns and stay-at-home plans most of us are living with during the pandemic have turned to indoor amusement to pass time, like watching far too much television, for example. And so the use of streaming services has grown during the emergency. That's true, not only in the world at large, but in the underworld, too. Digital Shadows has noticed an interesting development in the anglophone cybercriminal platform Nulled. Its gangland proprietors have begun offering a livestreaming service, Nulledflix, to its members. The service offers television, blockbuster movies and various memes. It comes with a chat feature through which members can exchange tips, comments and so forth. 

Dave Bittner: Nulledflix is free to forum members, which probably means, first, that there's not a lot of money to be made from it, and second, that the proprietors are interested in building their brand and developing member loyalty. 

Dave Bittner: So what are they watching in the underworld? Maybe shows that provide a sympathetic take on the life of crime, you know, like "Sons of Anarchy," "The Sopranos," "Breaking Bad" or maybe even "Dexter." But actually, no. And if you were hoping that the crooks would go for more improving shows like "Oprah," "Bassmasters," "Bowling for Dollars," "Teletubbies," reruns of "The McLaughlin Group," well, you'd be off there as well. Judging from the small sample of chatter Digital Shadows shares, when the hoods aren't on the clock, they like to kick back with the same sort of stuff other kids do. Need anime/manga suggestions, read ones request. Hey, kid, tried "Sailor Moon"? "Space Battleship Yamato" is pretty good, too. Some chats are open-ended. Need Netflix suggestion. Still, others are invitations to critical engagement. "'Harry Potter' versus 'The Lord of the Rings'" - a tough call, but we're pretty sure that Radagast and the Brown would win in a fight with Albus Dumbledore. Or "Avatar 2" or "Avengers Endgame," another one that's too close to call. But we will say that neither of them is up to the standard of "Ant-Man," still less to the very high bar set by "Ant-Man and Wasp." Digital Shadows points out that there are probably self-esteem issues at play here. Members of English language criminal fora tend to be younger and less professional than the denizens of other languages' platforms - and Russian speakers, we're looking at you - so they can feel shunned and belittled by their more hardened colleagues. It's like Americans who join the French Foreign Legion. They've got a reputation as complainers and non-hackers. Come back and see us when you're ready to march or die, Yankee. So the underworld apparently has its tender sensibilities, too. 

Dave Bittner: And finally, some have wondered if particular television shows and movies are more dangerous than others. Researchers and security firm McAfee took a look at this question and concluded that yes, yes indeed, some shows are riskier than others. They list the top 10 titles that could lead you to a dangerous download. It's actually two top 10s, because they have a list for TV and one for movies. The dangerous TV shows include, in this order, "Brooklyn Nine-Nine," which is a police comedy procedural, "Elite," "Harlots," "Letterkenny," "Poldark," "Lost," "You," "Gentrified," "PEN15" and "Skins." The movies, also in order, "Warrior," "Zombieland," "The Incredibles," "Step Brothers," "Bad Boys," the 2019 version of "Aladdin," the 1994 "Lion King," "Swingers," "Frozen II" and "The Invitation." A lot of the risk comes from pirate streaming services, so if you must binge on "Poldark," do so from a legitimate source. And be careful of associated fan sites for these titles too, not to mention their appearance as phishbait. Why these titles? Popular culture is market intelligence for the criminal classes. They follow people's interests, the better to socially engineer their marks. You want "Poldark"? They got your "Poldark" right here. As for us, we're sticking to "Bassmasters." 

Dave Bittner: We continue our weeklong celebration of the winners of this year's Cybersecurity Canon Awards. In today's edition, CyberWire chief security officer and chief analyst Rick Howard speaks with Joseph Menn, author of "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World." 

Rick Howard: The CyberWire is celebrating the Cybersecurity Canon Project this week in its sixth year identifying the must-read books for all network defenders. This week, the Canon committee announced the Hall of Fame inductees for the 2019-2020 season, and I am pleased to have on the show one of the winning authors for his book called "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World." Joe Menn, welcome to the show. 

Joseph Menn: Hey, thanks for having me, Rick. 

Rick Howard: So, Joe, why'd you write the book? 

Joseph Menn: Well, I've been writing about cybersecurity for a long time. I wrote a book on it before. And it's basically - it's a grim picture. And rather than write yet another book about, you know, why things are so hard, I wanted to try and point to solutions. And the Cult of the Dead Cow was a great vehicle for that because they go all the way back. They go back 35 years. You know, they were involved one way or another in a lot of the inflection points in security. They're in the coordinated disclosure debate that's through the advent of hacktivism or sort of morally-driven hacking, which has come to mean many different things to different people. And then the fact that they contributed so much in so many different ways. 

Joseph Menn: So in the public sector, Mudge worked for DARPA on cybersecurity. In the private sector, DilDog, Chris Rioux, founded Veracode, which is a unicorn. And then in sort of the realm of, like, volunteers and hacktivists, they helped push Tor forward and many other things. So you can talk about all the big things that have happened in security through the lens of this one really interesting group that sort of had to keep levelling up in terms of their moral capacity as the challenges got bigger. 

Rick Howard: So because of the pandemic, this interview is a proxy for your acceptance speech of the Canon Hall of Fame Award. Any last words along those lines? 

Joseph Menn: Well, I would just - I guess I'd just like to say, first of all, I'm really honored. I've been a fan of the Cybersecurity Canon Project. And I actually obliquely mentioned it in the book - because it's really important. The shared knowledge and the institutional knowledge is something that's precious. And there needs to be common values as much as possible, a common vocabulary. We need to be talking about the same things in order to really make progress in something as complicated and daunting as cybersecurity. You know, I think there's been sort of an absence of discussion of moral issues in the field. But I think it's really important. And one of the important things that we can learn from the old-school hackers is they all developed their own moral codes. You may not agree with many of them, but they at least put some work into it. And they were willing to talk to their peers about that. And I think we need to go back to that. 

Rick Howard: The book is called "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World," and it is now officially inducted into the Cybersecurity Canon Hall of Fame. Congratulations, Joe, and thanks for being on the show. 

Joseph Menn: Thank you so much, Rick. 

Dave Bittner: Our thanks to Joseph Menn for joining us. The book is "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World." 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Joe, always great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, interesting story came by. This is from the folks at the security company JSOF, and this is getting a lot of attention. They've released information about a collection of vulnerabilities they're calling Ripple20. What's going on here? 

Joe Carrigan: So what's happening is there is a company called Treck - T-R-E-C-K - that has something that is called a TCP/IP stack. And for our less technical listeners, this is essentially the software that connects the operating system to the network. So if you look at the layered model - like, the OSSI-layer (ph) model, or maybe the internet model, the five-layer model - there is a stack-like structure for sending data across a network. And at the very top of the stack is an application, and that takes its information and puts it into the next transport layer. That goes down into - and it's all encapsulated inside of each other like the Russian babushka dolls - right? - so that when you send the big doll across the line, it goes to the other side and it gets taken apart, all the way up to the other application it needs to talk to. And that's called the TCP/IP stack. It's actually more than just TCP/IP. It can include some other protocols. Like, for example, your web browser uses HTTP. That's just above the TCP part. And in between there, there may be other protocols as well. 

Joe Carrigan: This is an integral part of everything that's connected to the internet, to the IP network. It has to have some kind of TCP/IP stack built into it or in the operating system. And what these guys have done is they found a set of 19 vulnerabilities in the Treck TCP/IP stack. Now, this is really significant because some of these are critical. They can result in remote code execution, which means I can do anything I want on these devices. But what's most significant about this is how broadly-distributed this software is. It is in a lot of devices from a lot of different manufacturers. And the reason for that is, if I were to start up a product and I want that product to be connected to the internet, why would I waste my time writing my own TCP/IP stack when I can just go out and get one and license it from somebody else like Treck, right? 

Dave Bittner: (Laughter) Right. It's the internet's version of the red Lego brick that's, you know, two-by-four, the standard. 

Joe Carrigan: Exactly. 

Dave Bittner: Yeah, it's a basic building block that everybody has. 

Joe Carrigan: Right. And furthermore, that might be the right thing to do from a security standpoint - right? - because if I don't have the expertise in-house to write a secure network stack, I'm going to invariably write something with vulnerabilities and defects in it. And that's what's happened here. I'm not saying that Treck doesn't have the expertise. They spend almost all their time doing this, I guess. There's a team that is devoted to this product. But any software product is going to have vulnerabilities in it. Treck is actually taking this seriously. They have a response on their website as to how they're doing this. But really, this is going to come down to these individual device manufacturers, whether or not these device manufacturers have built their devices to be updateable. You know, let's say, one of them - and I'm going to wage - I'm going to go out on a limb here, Dave, (laughter) and I'm going to say they didn't do that (laughter). The vast majority of these folks didn't do that. 

Dave Bittner: Yeah. I mean, this library goes back 20 years... 

Joe Carrigan: Yeah, yeah. 

Dave Bittner: ...And is used in all sorts of devices, including industrial control systems, you know, things like embedded devices that don't get replaced for 20 years. So... 

Joe Carrigan: Yeah, that's right. And the problem with updating this is you can't just go into a system, an industrial control system, and say, we're going to upgrade the TCP/IP stack on this device. There's a ton of testing you have to do and configuration management that you have to do before you do that. Now, there is some comfort here - I'm not sure if it's actually comfort - that a lot of this stuff can't be exploited unless you're on the same network as the device. But if that device is connected to the internet and it's exposed to the internet, then it's available for exploitation. And getting over that hurdle of getting into inside a network is not that significant of a feat, right? I mean, we see it happen every single day. 

Joe Carrigan: The article here from JSOF says that there's one critical vulnerability in the DNS protocol that may potentially be exploitable by a sophisticated attacker over the internet from outside the network boundaries even on devices that are not connected to the internet. So I don't know how this works. They're going to do a demo of this at Black Hat. I'm going - I really want to see that. I'm kind of curious. It seems to me like they still either need a really sophisticated attacker who can compromise a DNS server that they know this device talks to, or, again, they need to get inside the network and make a request, a DNS request, to a server they control so they can send back the corrupted DNS packet that gives them code execution. That's how it works. A DNS response, a bad DNS response, has to be received. And you can't just send a DNS response to somebody. It has to be in response to a request. 

Dave Bittner: So this is one that people should pay attention to and take a closer look at. 

Joe Carrigan: Yeah. This is something that if, you know, if you - everybody should look at whatever Internet of Things devices they have on their networks. If they can't be updated, it might be time to start moving those things towards disposal. And when it comes time to replace them, make sure that these devices can be updated, have new firmware flashed to the devices without causing too much overhead and consternation for the user. 

Dave Bittner: Yeah. Yeah. All right, well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa Smart Speaker, too. 

Dave Bittner: The CyberWire is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.