The CyberWire Daily Podcast 6.2.16
Ep 112 | 6.2.16

A look at markets, legitimate and criminal. ICS proof-of-concept exploit.


Dave Bittner: [00:00:04:01] Tumblr runs into the Great Firewall. Someone's profiling people interested in Taiwan's politics and everyone's looking at you, Beijing. Old versions of WordPress and Drupal may be setting some big companies up for a big fail. More on that alleged Microsoft zero-day. The security industry sees some big contracts and a bit of M&A activity and a look at the criminal market finds some shaky product being pushed toward some dumb money.

Dave Bittner: [00:00:30:08] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at

Dave Bittner: [00:00:51:15] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, June 2nd, 2016. Some apparently state-directed activity out of China this week. Tumblr seems to be inaccessible in China, at least for now, as Saturday's anniversary of the Tiananmen Square massacre approaches. China, of course, doesn't publish detailed information about such restrictions, still less their rationales, but the monitoring group thinks the outage looks like an attempt to interdict social media during the anniversary. Online censorship in China, generally called "the Great Firewall," may serve the government's interests in social control, but Chinese scientists increasingly complain that the policy is biting back at the country's drive toward greater capacity for rapid innovation.

Dave Bittner: [00:01:37:07] FireEye reports that Taiwan's ruling Democratic Progressive Party has been receiving the attentions of a cyber espionage group that's redirecting traffic to sites hosting malicious code. The apparent goal of the campaign is to profile visitors to the DPP's sites in an effort to gain insight into the party's policies with respect to Taiwan independence. As usual there's no attribution in the case, but signs do point toward Beijing.

Dave Bittner: [00:02:01:16] FireEye has reported finding some industrial control system malware that's being called "Irongate." Some are calling it "son of Stuxnet" because, like Stuxnet, it too targets Siemens programmable logic controllers or PLCs, but that's probably misleading. Irongate has been found in Siemens PLC simulation environments, not operational ones, where it executes a man-in-the middle attack on some custom PLC SIM code. Irongate looks like a proof-of-concept exploit used by security testers. As Dark Reading points out, the malware has been around since 2012, but only began to come to light, and that gradually, late last year. It's a sign of some of the ways penetration testers are attending to industrial control system. No-one seems to know who's behind Irongate, and security experts remind everyone that this should serve as yet another wake-up call for SCADA risk awareness.

Dave Bittner: [00:02:55:13] WordPress and Drupal bugs are being called the vulnerabilities that could enable the next Panama-Papers-sized leak. The bugs are in. Researchers at RiskIQ scanned companies on the old FT 30 index to see what software large companies are using to establish their web presence. What they found was disturbing. Just over a thousand sites were using either WordPress or Drupal. Of the 773 cases where they could identify the specific versions of the content management system in use, 307 were using old versions susceptible to exploitation through known vulnerabilities. RiskIQ primly notes that Mossack Fonseca, the law firm at the heart of the Panama Papers leak, was using outdated versions of Drupal and WordPress.

Dave Bittner: [00:03:40:21] The alleged zero-day Russian cyber mobsters are selling on the black market is still looking like a legitimate threat. Bidding starts at $95,000, not that you'd be interested in this particular auction, except of course conceptually. Researchers at Trustwave's SpiderLabs have been looking into the case, and we caught up with Trustwave's Ziv Mador for their take on what's going on here.

Ziv Mador: [00:04:02:13] A zero-day in Windows of this magnitude is quite rare. There are some strong indications in this post that make us believe that most likely it is legit. The cyber criminal offers to use the services of an escrow. The escrow he suggest to use is the admin form, which most likely is a well-respected cyber criminal in their community. And the second one is the fact that he released two videos to demonstrate how it works. Again, the videos don't show the fine details and that he did it on purpose because he doesn't want to reveal them. But when we looked at the videos, it looks like they were taken in one shot, so it doesn't seem like they were manipulated. And he first shows how he has all the most recent patches, the Patch Tuesday from May installed on the local Windows 10 computer, and right after, he shows how the exploit works. And so combining all that, that's a strong indication that probably the seller has a working exploit.

Dave Bittner: [00:05:13:01] This particular exploit is not only chilling because of how many systems it could potentially infect, but also due to what it's capable of once it's in.

Ziv Mador: [00:05:22:04] The exploit belongs to what's called local privileges collation class, which basically allows an attacker to get out of the boundaries of a limited user account and get full admin access to the computer. The seller claims that because the LP, local privileges, escalation expert works, it allows an attacker to use it to upgrade the access to that computer and get full admin access to that computer. Not only that, he also claims that by using that exploit, they will be able to modify the kernel. The opportunities here for sub-kernels are very-- almost unlimited. They can, after using that upgrade of their privileges, they can install malware persistently, they can change system settings, they can disable the security products on the computer, get better access to the network, change things in the kernel such as installing a rootkit, etc.

Dave Bittner: [00:06:19:20] That's Ziv Mador, he's Vice President of Security Research at Trustwave.

Dave Bittner: [00:06:25:00] In industry news, there's some acquisition activity. IBM is buying the application discovery shop EZSource. ServiceNow expands its security capability with the acquisition of BrightPoint, best known for its Sentinel security intelligence platform, and SolarWinds buys LogicNow as a managed service provider play. Infoblox has retained Morgan Stanley in what's seen as a defensive move against activist investors that's likely to delay any acquisition. Thoma Bravo made a run at Infoblox last month. In the US, the White House led push to shake up and clean out Federal cyber security is expected to yield significant opportunities for contractors. Some large Defense contract awards are already doing so. US Special Operations Command has awarded Palantir an intelligence software contract for $221,000,000, and both SAIC and Parsons have received prime positions in a multiple-award, indefinite delivery, indefinite quantity contract the General Services Administration has let to support US Cyber Command. This IDIQ is a five-year, multi-billion-dollar vehicle.

Dave Bittner: [00:07:32:01] Finally, Forcepoint takes its own look into the dark web and finds that Jigsaw, a ransomware variant that attacks Windows systems, is also for sale. The malware's authors are selling its source code for $139. That low, low price doesn't appear to be a special, nor are there any signs that the boss is on vacation and the boys have gone crazy. It's worth noting that the sellers think they'll find enough buyers to make it worth their while. Jigsaw typically demands a ransom of $150 from its victims. Forcepoint draws the lesson that there's poor product and dumb money in the black market, too. As Forcepoint puts it, quote, "A mediocre and greedy techie writes a second rate piece of malware that's designed to scare people into parting with their money. He or she sells it to a group of customers who are not that techno-savvy but are equally greedy and devoid of any morals. Hardly a happy story."

Dave Bittner: [00:08:28:14] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at

Dave Bittner: [00:08:50:13] And I'm joined once again by Jonathan Katz. He's a professor of Computer Science at the University of Maryland. Jonathan, I know with cryptography, random numbers are, are very important of course. And there are several different methods of generating random numbers.

Jonathan Katz: [00:09:02:14] Yeah, that's right, and it's important to distinguish here between maybe two different kinds of randomness. So the best kind of randomness, the most pure randomness, if you will, is when you have a string of bits that's completely uniform. So this means that each bit is equally likely to be zero or one and every bit is independent of every other bit. And then we've talked about this before, that if you have say an n-bit string, an n-bit key that's completely uniform, then each of the two to the n possibilities is equally likely. Now a little bit less good than that is something called unpredictable. And what you have there is a string, a string of bits where each bit is not necessarily uniform and there may be some small correlation between the bits. But nevertheless it's infeasible for an attacker to predict the exact bit sequence that you're using. And so in general for cryptography, we'd prefer to have uniform sources of randomness, although a lot of times in practice, we can get away with unpredictable randomness as long as it's a truly infeasible for the attackers to guess what those random values are.

Dave Bittner: [00:10:04:19] And we, we've seen word from the University of Texas at Austin that some of their computer scientists are saying that they've developed a new method for producing truly random numbers and this is a-- they're saying this is a breakthrough. What can you tell us about that?

Jonathan Katz: [00:10:17:08] This is truly an excellent theoretical work. What they've done basically is to take two independent and unpredictable random sources and combined them together in such a way as to produce a uniform source of randomness. So basically what this means is that you can take potentially two different mechanisms for generating random numbers, neither of which is perfect, but then somehow combine them and derive from them a pure source of randomness.

Dave Bittner: [00:10:43:04] And so what will be some of the practical applications of that?

Jonathan Katz: [00:10:47:16] Well, it's unclear how much of an impact this is gonna have in practice. It's right now in the early stages. It's not immediately clear actually whether this is going to be needed for cryptographic purposes, but it does show us the way forward for potentially combining multiple different sources of randomness together and deriving from them a perfect random source that can then be used for cryptographic key generation or during public key encryption or other things that you need randomness for in cryptosystems.

Dave Bittner: [00:11:13:11] Alright, Jonathan Katz, thanks again for joining us.

Dave Bittner: [00:11:19:21] And that's the CyberWire. You know, hardly a day goes by where someone doesn't approach me on the street and say, "Dave, I listen to the CyberWire every day. How can I support this show?" Well, it's easy. You can recommend us to your friends and co-workers, write a review on iTunes or Facebook, or share our show on social media. And we do appreciate it. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik and I'm Dave Bittner. Thanks for listening.