Dave Bittner: [00:00:03:19] Bugs in OS X, iOS, SAP, SonicWall, and Outside-In Technology draw warnings and fixes. HolyCrypt is the latest bit of ransomware. A free decryptor is now available for Bart. Turkey’s crackdown on dissidents in the wake of the weekend's failed coup involves not only purges, but close attention to what’s being said online. ISIS tunes its inspiration and works through some jamming. And there’s now a fatwa against Pokémon Go. Hackers are expected to turn to the US Presidential campaigns, and neither Cozy Bear nor Fancy Bear are likely to be invited to the party.
Dave Bittner: [00:00:42:09] Time to take a moment to tell you about our sponsor, Netsparker. Still scanning with labor-intensive tools that generate more false positives than real alerts? Let Netsparker show you how you can save time and money and improve security with their automated solution. How many sites do you visit, and therefore scan, that are password protected? With most other security products, you've got to record a log-in macro, but not with Netsparker. Just specify the user name, the password and the URL of the log-in page and the scanner will figure out everything else. Visit netsparker.com to learn more. And if you'd like to try it for yourself, you can do that too. Go to netsparker.com/cyberwire for a free 30 day fully functional trial version of Netsparker Desktop. Scan your websites and let Netsparker show you how easy they make it. That's netsparker.com/cyberwire. And we thank Netsparker for sponsoring our show.
Dave Bittner: [00:01:41:13] I'm Dave Bittner in Baltimore, with your CyberWire summary for Thursday, July 21st, 2016.
Dave Bittner: [00:01:47:00] Consensus among experts at midweek is that several patches and hotfixes are indeed important, and should be applied as soon as reasonably possible. The first set of these affect Apple’s OS X and iOS systems. Because they involve exploitable vulnerabilities in image-handling capabilities, they’re being compared to last year’s Android Stagefright issue. The TIFF image processing bug is thought particularly easy to exploit. Many programs, notably messaging apps, email clients, and browsers, render images without using interaction. If left unpatched, vulnerable devices are susceptible to a buffer overflow condition. Once weaponized, the bugs could permit remote code execution. So, the consensus is, patch.
Dave Bittner: [00:02:28:01] Now that Apple has a fix for the responsibly disclosed issues, Cisco’s Talos Unit has released some detailed information on their vulnerability research, which you can find on their website.
Dave Bittner: [00:02:38:21] Oracle fixed 276 issues with its software on Tuesday. Seventeen of the high risk vulnerabilities patched also affect software developed by third parties. Vulnerability researchers at Cisco's Talos Unit, again, were the ones who found and disclosed them. The Oracle Outside-In Technology (OIT), a collection of software development kits, is the locus of the vulnerabilities. Since OIT is licensed to other companies for use in their own products, the likelihood is high that widely-used software is affected. Oracle hasn't said which third-party products are affected, but CSO Magazine notes that Microsoft Exchange, Novell GroupWise, IBM WebSphere Portal, Google Search Appliance, Avira AntiVir for Exchange, Raytheon SureView, Guidance EnCase and Veritas Enterprise Vault are known to use Oracle's Outside-In Technology.
Dave Bittner: [00:03:30:03] Dell has issued a hot fix for its SonicWall software, closing among six issues a backdoor disclosed by Digital Defense. That backdoor involved a hidden default account in Dell's Sonicwall Global Management System, weakly protected with a weak password. Sonic Global Management System is used for enterprise central monitoring and management of network security devices.
Dave Bittner: [00:03:52:10] And Onapsis details security issues it’s found with the widely used business software SAP HANA and SAP TREX. The flaws would permit various forms of privilege escalation within affected systems.
Dave Bittner: [00:04:05:07] AVG finds a new strain of ransomware. They’re calling it HolyCrypt, and the version they found seems to be a developmental one. HolyCrypt is written in Python and compiled into a Window executable. It's expected that HolyCrypt will use the customary Tor payment channels, but the story is still, as they say, developing.
Dave Bittner: [00:04:24:11] If you’re curious about Tor, by the way, we’ll learn more about it from the University of Maryland's Jonathan Katz later in this podcast. He’ll discuss Tor’s limitations and some emerging alternatives.
Dave Bittner: [00:04:34:23] AVG also has some good news. They've developed, and are offering for free, a decryptor for the recently discovered Bart ransomware. So bravo, AVG.
Dave Bittner: [00:04:45:07] ISIS sites may have come under hacktivist denial of service attack earlier this week. Some familiar tools, including NetStresser, are said to have been used in the incidents. As observers sift through the ISIS HR documents recently compromised and dumped on the internet, they conclude that ISIS recruiting themes seem to be tailored closely to local concerns. What plays in Tunis may not succeed in Anatolia. ISIS online operations continue to focus on inspiration, and their rivals in al Qaeda seem to be following a similar pattern. Howling to the lone wolves is likely to remain the jihadist template for information operations for the foreseeable future. Authorities in Germany see an absence of direct command and control in the recent train attacks, and discounting the role of inspiration, downplay the ISIS role. But inspiration, not direction, is what recent history should lead one to expect.
Dave Bittner: [00:05:37:09] Turkey’s President Erdoğan continues his crackdown in the wake of the failed coup attempt against him. Widespread purges continue, with senior military officials and judges regarded as likely sympathizers within the coup being the most prominent individuals purged. In sheer numbers, however, teachers seem most affected as thousands have lost their certifications and have been removed from the classroom. The number of people purged is said to be approaching fifty thousand. The government is also watching social media closely. Individuals who have tweeted either hostility toward the government or disrespect toward President Erdoğan have been arrested.
Dave Bittner: [00:06:14:11] Other attempts at narrative control are underway. Turkey’s government continues to seek to block Wikileaks, but the more than 300,000 emails that have been dumped remain widely available. Hacktivist, Phineas Phisher, claims to be the one who hacked the ruling AKP party.
Dave Bittner: [00:06:30:22] Pokémon Go continues to give security teams, players, and advertisers fits. Its wild popularity continues to choke the bandwidth its proprietors have been able to give it, but they’re working hard to scale up. It’s also unwelcome in Saudi Arabia, where religious scholars have revived their earlier fatwa against Pokémon. It’s objectionable not, as one might have supposed, for any Shinto background, but rather because of the Darwinian undertones the scholars perceive in the way the Pokémon evolve. This suggests to some observers, not so much simply killjoy disapproval of Pikachu and the others, but some haziness about what Darwinian theory actually says about evolution.
Dave Bittner: [00:07:10:17] It’s a political year in the US, and a political season of that year, so hackers are turning their attention to the Presidential campaigns. This week their ministrations were directed largely to the Republicans. The Democrats will take center stage in cyberspace when their own convention opens. Avast set up a bogus wifi hotspot in Cleveland this week outside the Republican convention, and found that many delegates and others connected to read email, browse the web, and, especially, play Pokémon Go. Avast wanted to make the point that unsecured public wifi is risky. That, and encourage people to sign up for security services like those boys and girls from Prague sell. We’re sure, of course, that no one listening to this show would ever use free public wifi, right? I mean, we wouldn't, would we? Not even for a Charizard? Anyway, the Republican convention was affected this week. Expect the same when the Democrats meet next week. It’s a safe bet Fancy Bear and Cozy Bear won’t be invited to the podium.
Dave Bittner: [00:08:11:14] Time to tell you about our sponsor, E8 Security. The old perimeter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network once they're in your networks. E8 Security Behavioral Intelligence Platform enables you to do just that. Its self-learning security analytics give you early warning when your critical resources are being targeted. The E8 Security Platform automatically prioritizes alerts based on risks and lets your security team uncover hidden attack patterns. To detect, hunt and respond, you need a clear view of the real risks in your business environment. That's what E8 gives you. Visit e8security.com/dhr and download their free White Paper and learn more. E8, transforming security operations. And we thank E8 for sponsoring our show.
Dave Bittner: [00:09:05:12] And joining me once again is Jonathan Katz. He's the Director of the Maryland Cyber Security Center. Also Professor of Computer Science at the University of Maryland. Jonathan, there are lots of good reasons for people to want to be anonymous online or protect their identities. There are lots of legitimate reasons, people can be living under oppressive regimes, or things like that, and a lot of people have relied on Tor to be able to do those sorts of things but there are some problems with Tor that have been discovered recently, is that correct?
Jonathan Katz: [00:09:35:02] Yes, that's right. I mean, basically, what Tor provides, for those who are unfamiliar with it, is it's a system that allows a client to connect to a server in an anonymized manner. The way Tor achieves that is by routing the connection from the client to the server through several intimidate hops in the network. Rather than connecting directly from the client to the server, you would bounce, say, between three or four intermediaries until your connection, until your package would go to the server. This is meant to make it more difficult for an attacker to then track the source and destination of the communication. Nevertheless, it's been shown that certain information can still be extracted by a dedicated attacker, for example, timing information about when your package leaves your computer and is then received by the server. Even though an attacker can't see all the bounces that that's taking in the network, it can still correlate the outgoing time and the incoming time at the server and, from that, figure out who's communicating with whom.
Dave Bittner: [00:10:31:05] So there's a new system some researchers have come up with, that they say improves on this technique?
Jonathan Katz: [00:10:36:09] That's right. So, actually, it's been known for a long time that there is an alternate technique that you can use to try to achieve anonymity. It's called a Mixnet. The basic idea of a Mixnet is to take several communications from several clients at once and then randomly permute them, and have that occur several times in sequence before those packets from all different clients are routed to their respective destinations. This will prevent the kind of timing attacks I mentioned earlier, because you ensure that several clients are all communicating at once and having their messages all delivered at once, and so prevents exactly that attack that I talked about earlier. Now, the issue is that, in the past, these systems have been relatively inefficient and, to the best of my knowledge, have not been deployed widely - certainly not as widely as Tor - and this new research proposes a more efficient implementation of these Mixnets.
Dave Bittner: [00:11:27:03] So this new system, how exactly does it work?
Jonathan Katz: [00:11:30:12] Well, the reason Mixnets have historically been kind of slow is that they require the intermediate servers, who are doing this mixing, to prove correctness of their mixing, or their shuffling as it's sometimes called. Traditionally, that's been done using expensive public-key operations. What this new system has shown is how to do that using much cheaper symmetric-key operations and only relying on a single expensive public-key step once per epic of communication.
Dave Bittner: [00:11:56:13] When you say expensive or cheap, is that expensive in terms of processor power?
Jonathan Katz: [00:12:00:20] It's actually both, in terms of computational effort and also communication.
Dave Bittner: [00:12:05:09] Alright. Jonathan Katz, thank you for joining us.
Dave Bittner: [00:12:09:15] And that's the CyberWire. For links to all of today's stories, along with the interviews, our glossary and more, visit thecyberwire.com. Thank you to all of our sponsors who make the CyberWire possible. If you'd like to place your product, service or solution in front of people who'll want it, you'll find few better places to do that than The CyberWire. Visit thecyberwire.com/sponsors and find out how to sponsor our Podcast or Daily News Brief. The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik. Our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thank you for listening.