Dave Bittner: [00:00:03:01] The Patchwork threat group shows how you can be persistent (and effective) without being advanced. New adware called Pirrit is attributed to a marketing company's employee, and security experts worry that HummingBad has potential that goes far beyond clickfraud. D-Link routers are found vulnerable to remote code execution. Google patches more than a hundred Android issues. US-CERT warns as Symantec fixes bugs in some AV products. Avast buys AVG. Blockchain's potential goes beyond Bitcoin. Thoughts on cyber workforce development. FBI Director Comey testifies before the House about why the Bureau wouldn't recommend indicting Hillary Clinton (and defense attorneys are paying close and creative attention). And cyber criminals hit the gig economy.
Dave Bittner: [00:00:52:12] I want to take a moment to tell you about our sponsor E8 Security. YOu know once an attacker is in your network there is a good change they'll use command and control traffic to do the damage they have in mind. Could you recognise it? E8's analytics can. Here's what malicious C2 traffic might look like. Newly visit sites, visit to a website that doesn't have the features a legitimate site usually does or the association of a website with a limited number of user agents. That's tough for a busy security team but it's easy for E8's behavioral intelligence platform. For more on this and other use cases visit E8security.com/dhr and download their free white paper, “E8 Security - Detect, Hunt, Respond.” We thank E8 for sponsoring the CyberWire.
Dave Bittner: [00:01:44:11] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday July 7th 2016.
Dave Bittner: [00:01:50:10] A newly described threat group, which Cymmetria is calling “Patchwork,” is active in South and Southwest Asia. Patchwork is interesting for at least two reasons. First, and it’s this that gives it it's name, the group uses attack code that appears to be assembled entirely from components cut-and-pasted from various sources on the Internet. And second, even with its patchwork code, the threat group has proven able to penetrate relatively hard targets.
Dave Bittner: [00:02:15:20] Cymmetria’s report says that Patchwork’s activity was first detected in December 2015. There are indirect indications of activity as far back as 2014. The campaign, Cymmetria says, seems to “focus on personnel working on military and political assignments, and specifically those working on issues relating to Southeast Asia and the South China Sea. Many of the targets were governments and government-related organizations.” These highly targeted attacks are, unsurprisingly, initiated by spearphishing, and their goal is espionage.
Dave Bittner: [00:02:47:19] The researchers specifically decline to attribute the attack to anyone, but they do suggest that circumstantial evidence points, in their view, to India. They also point out that the evidence is sufficiently circumstantial that it’s also consistent with a false-flag operation by another actor.
Dave Bittner: [00:03:04:17] The combination of operational success and “low technical ability,” as Cymmetria’s report puts it, is curious. (It’s also why writers at the SANS Internet Storm Center sniff at the notion that this threat, persistent though it might be, could be fairly called an “advanced persistent threat”). It also provides an object lesson in how the Internet itself can serve as effective R&D shop for attackers, making available commodity malware that the clever, determined, and ill-intentioned can turn to their advantage.
Dave Bittner: [00:03:33:20] We heard yesterday about the marketing company Yingmob and its alleged connection to the HummingBad adware campaign that amounts to an Android pandemic. Today another strain of adware—“Pirrit” [PIE-rit], which targets Macs—is attributed to another marketing outfit. Cyberreason says that an employee of Israeli marketing firm TargetingEdge is responsible for writing Pirrit. Pirrit by the way in this case is P_I_R_R_I_T.
Dave Bittner: [00:04:00:22] Adware is problematic and damaging even when used just for clickfraud. HummingBad has observers spooked because of the root access it achieves, and therefore the ease with which it could be converted into a DDoSing botnet or an espionage campaign.
Dave Bittner: [00:04:15:02] Researchers at Senrio [sen-REE-oh] have released details describing a flaw in popular D-Link routers. Some 400,000 devices are thought to be vulnerable. D-Link is rolling out fixes through its website.
Dave Bittner: [00:04:26:22] Google is also patching. It’s issued fixes for more than a hundred issues in Android components and “chipset-specific drivers from different manufacturers,” according to CSO. Some of those components are from Qualcomm, and the Register thinks the patches being pushed for those are likely to be connected with issues demonstrated last week in Qualcomm’s KeyMaster crypto. They speculate that the big problem and understated problem may be with Android full-disk encryption.
Dave Bittner: [00:04:54:06] Symantec is in the process of closing security holes in some of its AV products. US-CERT has issued a warning to users, advising them strongly to apply the patches as they become available.
Dave Bittner: [00:05:06:02] We’re five days away from Patch Tuesday proper, but Microsoft has offered additional information on how to fix the Group Policy issues its June patches presented users. Redmond says, "The official guidance from Microsoft is to ensure the computer accounts have 'Read' access to the user policies you wish to have applied.” And the company has gone on to explain to sysadmins the various ways in which they can accomplish this.
Dave Bittner: [00:05:30:16] In industry news, Prague-based Avast is buying Amsterdam-based AVG for a cool $1.3 billion. The acquisition is seen as giving Avast greater geographical reach. It’s also seen as an Internet-of-things play. And in private equity news, container security shop Twistlock has secured a $10 million funding round.
Dave Bittner: [00:05:51:17] Gatecoin, a Hong Kong Bitcoin exchange, is reported by Deal Street Asia to have raised $500,000 in equity funding as it recovers from a hacking incident.
Dave Bittner: [00:06:02:15] We often hear of Bitcoin and other cryptocurrencies in the context of attacks and investigations of money-laundering. It’s perhaps therefore worth mentioning that there’s nothing inherently nefarious about either Bitcoin or its underlying blockchain technology. The blockchain, indeed, is finding increased acceptance and utility in other applications, and Bitcoin seems no more susceptible to misuse than other more familiar forms of money. Jonathan Katz, one of our research partners at the University of Maryland, told us about a Bitcoin-themed conference he recently attended, and he outlined where and why blockchain technology is finding new uses outside cryptocurrency itself. We'll hear from him after the break.
Dave Bittner: [00:06:42:21] Over the summer many colleges and universities offer cyber camps designed to prepare students for careers in security. U.S. Cyber Challenge, for example, will open its annual Delaware Summer Cyber Camp program in collaboration with four academic and one state government partner next week. Such efforts aim at redressing the familiar shortage of qualified workers in the field. Companies, of course, have their own roles to play in bringing young workers on board. We spoke with Verodin’s Chris Key, who shared some insights on how you can prepare recent graduates for jobs in cyber security.
Chris Key: [00:07:15:05] There's a lot of people when they come into the cyber world. Obviously we have a lot of open positions that's really a crisis point, and we were accessing people and also just interacting with customers. I think one of the largest gaps that I see are defenders that don't really understand attacker behavior. What I've seen in some of the recent grads is maybe they've got experience with tools from labs and things like that, but they really don't necessarily understand the behaviors of the people that they're trying to defend against. There's an over-reliance on these tools to effectively spell out for them what's going on and to pop up and say hey, you know, you're being owned. And the reality is that it doesn't really work that way.
Dave Bittner: [00:07:57:23] Chris Key says that once graduates enter the workforce ongoing training is crucial and it needs to include realistic, real world scenarios.
Chris Key: [00:08:05:21] Regardless of the university training or the certification training or the job experience, I think one thing that is critically important is to make sure that security teams are testing and training in their live environments that they're defending against. 'Cause even if you understand what an attack pattern looks like, let's say with Snork for testing, that doesn't mean that's how it's gonna show up with the tools that are deployed in the company that you ultimately end up working for. And so it's critically important to, you know, just as support teams are constantly training or even militaries are constantly war-gaming, you know, our defenders after they get out of school and they get hired, need to be constantly being challenged in the environments that they're in from both to training and experience point of view.
Dave Bittner: [00:08:48:15] And it's not just training. According to Key employees need a clear pathway for professional growth.
Chris Key: [00:08:54:07] Even if we're starting to fill those positions, I think that the companies have to have an ongoing training program and also be willing to improve that employee standing because the challenge that a lot of organizations have is hiring somebody, training them up and then them just leaving for another job. And so I think that you really have to, specifically in cyber right now, have a program to say OK we're gonna bring you in, we're gonna keep making you better and we're gonna, you know, here's the path within the company that you can take. And look at your cyber team as a team that needs to be continuously getting better.
Dave Bittner: [00:09:28:00] That's Chris Key from Verodin.
Dave Bittner: [00:09:31:07] In the US, FBI Director Comey is explaining to the House Oversight Committee the Bureau’s decision not to recommend indictment of former Secretary of State Clinton for mishandling classified information. It’s generally expected that Director Comey will be fluent and persuasive. Absent indictment, however, the case is thought by many observers likely to have two effects: It may be difficult for some of the former Secretary’s close aides to obtain or retain security clearances, and defense attorneys representing defendants in other security cases are already preparing their no-reasonable-prosecutor-would-indict defenses.
Dave Bittner: [00:10:07:03] Finally, do you work in the gig economy? If you do, be on your guard. Kaspersky says cyber criminals are phishing freelancers with bogus promises of work that take the victims to the legitimate AirDroid app, then sends them credentials for a test account. Taking the login bait infects the freelancer’s device. So if you see that bait, don’t bite. (And if you’ve already bitten, get help spitting out that hook.)
Dave Bittner: [00:10:35:03] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cilance.com.
Dave Bittner: [00:10:58:05] And I'm joined once again by Jonathan Katz, he's a Professor of Computer Science at the University of Maryland and Head of the Mail and Cyber Security Center. Jonathan, you recently attended a conference that was related to a bitcoin and blockchain technology. First of all I want to give us an overview, what is blockchain?
Jonathan Katz: [00:11:15:19] So blockchain is basically a distributed mechanism that allows people to keep a global history of all the transactions in the system, and in this case we're talking about a bitcoin so this basically allows everybody to keep a global view of exactly how many bitcoins correspond to each person, or each address, and then to keep a view also of when those bitcoins are spent and who is transferring them to whom.
Dave Bittner: [00:11:38:10] And so what were the topics covered at this conference? What kind of things were they talking about?
Jonathan Katz: [00:11:43:14] Well it was actually meant... It was a summer school and it was intended actually to get people up to speed on bitcoin itself as well as current research in bitcoin. It was quite popular actually, in the end they had to turn people away. There were a lot of students there, some faculty, but also interestingly a lot of people from start ups. People, a lot of interest in developing start ups, related to or around bitcoin, and many of those were there as well. What's interesting is that even with the popularity of bitcoin there's still so many things that are either poorly understood, or things that we'd like to do better on if we could develop a next generation of bitcoin.
Jonathan Katz: [00:12:22:18] For people we're looking at things like, what level of anonymity bitcoin provides and how to ensure better anonymity, or to develop systems with better anonymity and on the flip side, to come up with tools that allow government officials or legal officials to trace transactions, and make sure that they can prevent fraudulent transactions, or illegal transactions on the blockchain.
Jonathan Katz: [00:12:45:09] Other things people were looking at were things like getting better mining protocols that aren't so wasteful in terms of the energy that they're using. And also developing proofs of security for the bitcoin protocol itself.
Dave Bittner: [00:12:58:16] So what were some of the areas beyond crypto currency where people are interested in applying blockchain technology?
Jonathan Katz: [00:13:05:06] Well actually people have suggested it for a number of other things since it took off for bitcoin. I think one of the ideas that I've seen is to use it as a mechanism for registering public keys. You can imagine using this as a next generation version of a PKI where rather than having to rely on some central authority to validate the binding between a public key and an identity, what you could do is you could just publish the binding between your identity and your public key on the blockchain and then that would serve as a global irrefutable proof of the fact that that's your public key. So there's still lots of ideas in this space for potential applications of the blockchain.
Dave Bittner: [00:13:42:00] Alright Jonathan Katz thanks for joining us.
Dave Bittner: [00:13:45:09] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more visit thecyberwire.com. If you enjoy our daily look at cyber security news we hope you'll hope spread the word by telling your friends and coworkers about our show or leaving a review on iTunes. And thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The Editor is John Petrik, our Social Media Editor is Jennifer Eiben, our Technical Editor is Chris Russell, our executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.