The CyberWire Daily Podcast 8.8.16
Ep 158 | 8.8.16

DARPA CTF: Mayhem (win), Xandra (place), Mechphish (show). Blame it on Rio.

Transcript

Dave Bittner: [00:00:03:16] Hard forks and digital currencies, as Bitfinex recovers from its big heist. Cybercrime and hacktivism versus the Rio Olympics. HVAC vulnerabilities. “Quadrooter” Android chip firmware issues. NSA’s alleged trove of undisclosed vulnerabilities looks smaller than thought (a lot smaller). More Fancy Bear paw prints in the DNC and DCC hacks. Trends discussed at Black Hat. And DARPA’s AI capture the flag results are in: Mayhem to win, Xandra to place, and Mechphish to show.

Dave Bittner: [00:00:40:13] Time to take a moment to thank our sponsor, Cylance. Are you looking for something beyond Legacy Security Approaches? Of course you are. So you're probably interested in something that protects you at machine speed, and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with Artificial Intelligence and machine learning. It maybe Artificial Intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance, Artificial Intelligence, real threat prevention. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:37:03] I'm Dave Bittner, in Baltimore, with your CyberWire summary for Monday, August 8th, 2016. Bitfinex, the digital currency exchange that lost nearly 120,000 Bitcoin (about $63 million) to theft recently, is beginning its recovery, by spreading the losses among its customers. About 36% will be "shaved" and losses recorded to a "BFX" token that will either be redeemed or exchanged for iFinex stock at some future time. IFinex, Bitfinex's corporate parent, is working through its recovery from the theft. Some of that recovery will involve a hard fork of the Ethereum public blockchain-based distributed computing platform. We'll hear more about what that fork amounts to a bit later from our partners at the University of Maryland.

Dave Bittner: [00:02:22:16] The other major cybercrime news comes from Brazil, where the Rio Olympics are in full swing. Anonymous, to no one's surprise, is conducting denial-of-service operations against various Brazilian government sites to redress a set of grievances connected with the games. In the Anonymous view of the matter, the Olympics essentially paper over poverty, violence, and police misconduct in and around Rio de Janeiro. Another group, the New World Hackers, took down swimmer Michael Phelps's website shortly after he won his twentieth gold medal. They say they're doing it to expose the vulnerability of high-profile celebrity websites (and by extension other websites). But their concurrent offering of the BangStresser DDoS tool suggests that this is criminal marketing and not altruistic vulnerability demonstration.

Dave Bittner: [00:03:09:08] If you're down in Rio, what's the cybersecurity situation actually like? A mess, basically. We spoke with Grey Burkhart and Brad Medairy from Booz Allen Hamilton about the cyber security situation in Rio. First up is Grey Burkhart.

Grey Burkhart: [00:03:23:17] This is going to be a target-rich environment and Brazil has the most robust Internet infrastructure on the continent, the most bandwidth, the most proliferation of both wired and wireless access, broadband access. The cyber crime environment in Brazil is pretty grim. Enforcement, you know, first of all the legal framework is very weak. The criminal elements in Brazil are very prolific and very well developed. They're known for a wide variety of schemes. What would be most danger to travelers will be ATM skimming, point of sale breaches, where they'll actually get inside point of sale systems and steal credit card, payment card information when shoppers make a purchase. And also various kinds of Wifi fraud. The Olympic games folks are setting up a dedicated Wifi network around the Games venues in anticipation of having so many people with so many Wifi devices. And this is a great opportunity for criminals to set up their own WiFi networks mimicking the Olympic networks, and therefore becoming men-in-the-middle and stealing whatever information is being passed from your device to the network.

Dave Bittner: [00:04:43:10] Brad Medairy warns visitors to be particularly vigilant when it comes to phishing attempts.

Brad Medairy: [00:04:48:13] And I think there's going to be a lot of scams in terms of, you know, people looking for tickets, people looking to purchase other types of services. You know, I think that being very prudent in terms of what sites you're visiting and what emails that you're clicking on. You know, I think that, you know, with all the public Wifis down there, that being sensitive to visiting unsuspecting and malicious websites, using, you know, Https and secure connections.

Dave Bittner: [00:05:13:18] And it's not just visitors to the Games that should be on alert. Here's Grey Burkhart.

Grey Burkhart: [00:05:18:07] I'd also point out that, you know, Brad was mentioning phishing and malicious websites, and that's not just limited to travelers. That's anybody who has interest in the Olympics, and we expect there to be a lot of people who want to buy memorabilia, will be attracted by live streaming of some event, which turns out to be a watering hole. And they click on a website and they're infected. So this is potentially a global threat.

Dave Bittner: [00:05:44:02] That's Grey Burkhart and Brad Medairy from Booz Allen Hamilton. Trustwave's SpiderLabs reports vulnerabilities in the Trane residential Comfortlink XL850 thermostat. This is a smart thermostat that lets users set their heating and cooling schedules remotely from a mobile device. Unfortunately, it also exposes a great deal of information over weakly secured and easily compromised interfaces. It would be possible for an ill-intentioned third party not only to control heating and cooling (possibly damaging a building, in addition to simply causing discomfort and inconvenience), but also to gain information about the occupancy times (which, of course, is interesting to those who wish to schedule burglaries). Trustwave says that Trane was receptive to the vulnerability reports and has fixed the issues SpiderLabs found.

Dave Bittner: [00:06:32:09] Checkpoint has said it’s found four issues with Qualcomm chips widely used in Android devices. They’re calling the set of vulnerabilities “Quadrooter,” and say they could be used to trigger privilege escalation and ultimately to gain root access to the affected devices. Not all the vulnerability news is necessarily bad, however. Many in the security industry have long suspected that the US National Security Agency is sitting on a large, undisclosed hoard of vulnerabilities. In imagination this tends to look like the secret archive shown at the end of Raiders of the Lost Ark, a vast warehouse filled with everything from Father-of-Stuxnet to the results of that hackathon the Illuminati hold at the Bohemian Grove every Leap Day (and you didn’t hear that from us). But researchers at Columbia University have looked into it and say, no, really, there’s no such trove at all, the NSA really isn’t keeping a lot of undisclosed bugs from the rest of the world. Of course, as Russia Today might say, that’s what they would say, isn’t it?

Dave Bittner: [00:07:30:18] Speaking of Russia Today, they took strong exception over the weekend to advice from the Atlantic Council to countries whose relations with Russia are fraught. And the Atlantic Council apparently recommended that countries like Poland consider developing ways of holding Russian cyber infrastructure at risk. This isn’t an idea welcome in Moscow. More evidence has accumulated, this time courtesy of ThreatConnect and Fidelis, that Fancy Bear is indeed a Russian government operation, and that, yes indeed, Fancy Bear was behind the DNC and DCCC hacks.

Dave Bittner: [00:08:03:03] Last week's security events in Las Vegas have concluded, Black Hat, DefCon, and BSides are now in the books, but the news from them continues. The people we spoke to in Nevada last week tended to agree on several trends. First, the biggest challenge to the security industry remains the shortage of skilled labor, and the technical solutions people are interested in are those that help small staffs increase their productivity and effectiveness. Vendor and venture capitalists seemed equally convinced that the need to address labor shortages will continue to drive the direction of technology's evolution. Second, that shortage of labor also means delivering products, services, and solutions that integrate easily and quickly with customers' infrastructure. There's little demand, any more, for difficult to implement or operate products that seem destined to become shelfware. Third, the Internet-of-things remains a big concern, and here there were many presentations of vulnerabilities in everything from programmable logic controllers to seismic observatories to personal massage devices. (Did you know these last are often equipped with Bluetooth? Neither did we, but a team of Australian researchers noticed.)

Dave Bittner: [00:09:10:09] Miller and Valasek followed up last year's well-known Jeep hack with a more disturbing demonstration that exploited a vehicle's Controller Area Network, that's the CAN bus. OpenSource Security described "PLC-Blaster," a worm that automatically searches for and spreads among programmable logic controllers. And finally DARPA's machine-versus-machine capture-the-flag competition has a winner, announced at DefCon. If you were betting, here are the results: "Mayhem" from the ForAllSecure team took first place (and the $2,000,000 winner's stake). "Xandra" placed second (paying $1,000,000), and "Mechphish" showed at $750,000. Get your hacking forms out, tinhorns, there's a guy that says "Can do."

Dave Bittner: [00:09:59:06] Time to take a break to tell you about our sponsor, ClearedJobs.net. If you're a cybersecurity professional and you're looking for a career opportunity, check out the free Cyber Job Fair on the first day of Cyber Texas, Tuesday August 23rd at the San Antonio Convention Center. Organized by ClearedJobs.net, a veteran owned specialist at matching security professionals with rewarding careers. The Cyber Job Fair is open to all cybersecurity professionals, both cleared and non-cleared. It's open to college students and cyber programs too. You'll connect face-to-face with industry leaders like Lockheed Martin, Booz Allen Hamilton, and the Los Alamos National Laboratory. You can also tune up your resume and get some career coaching (all of it's free) from career expert and army veteran, Bill Branstetter, author of the Six Second Resume. To learn more visit ClearedJobs.net and click job fairs in the main menu. Remember it's ClearedJobs.net and we'll see you in San Antonio, and we thank ClearedJobs.net for sponsoring our show.

Dave Bittner: [00:11:01:11] Joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland, and also director of the Maryland Cyber Security Center. Jonathan, we got word recently that the Ethereum Project fork to the code. Let's start off, can you explain to us what is Ethereum and what's the significance of the code being forked.

Jonathan Katz: [00:11:18:12] Well, yeah basically Ethereum is a generalization of Bitcoin, or you see it as a generalization of Bitcoin. Where what Ethereum allows you to do is to write these smart contracts that perform computation and then can transfer coins based on the results of that computation, and it's developed on the Blockchain. And so what happened a few weeks ago was that there was a fund set up, that exactly allowed people to use these Smart contracts to invest money, and somebody figured out a way actually to manipulate the contract that would define the fund, and to manipulate it in such a way, that they were able to steal money from that fund.

Dave Bittner: [00:11:58:24] And so this left the people who operate Ethereum with a quandary of what to do next, and they decided to fork the code, yes?

Jonathan Katz: [00:12:09:22] Yes, that's right. So it comes down really to a question of whether or not to believe that the code defines what's allowed and what's not allowed. And so there are people who basically maintain that and are continuing to run what they're calling Ethereum Classic. And they basically say, well, you know, somebody was able to find a loophole as it were in this contract that was written, and so by the laws of Ethereum, as it were, that's allowed, and so there's nothing wrong with that. Whereas the people who forked the Ethereum chain, basically looked at this and said, well that's not what was intended to happen and so that's really an immoral, or even an illegal act. And so we want to undo that transaction. We want to undo the fact that those coins were stolen, and so they introduced a fork in the chain. So what's interesting is that you have these two groups of people, one of whom is continuing the original Ethereum chain; and one set of which is operating on this fork of the chain.

Dave Bittner: [00:13:04:09] And there are people who are saying that this is potentially setting a negative precedent. What's their argument?

Jonathan Katz: [00:13:11:05] Yes, I think so. I mean there are two things here, the first thing is just this question of whether or not, as I said, whether the code of a contract determines what's allowed and what's not allowed, or whether there are some rules outside the system, as it were, that determine what should be allowed and what should not be allowed. And so part of the ethos of Ethereum is, or was, that the code should determine what's allowed. And so people exactly like these distributed currencies, like Ethereum and like Bitcoin, because they don't rely on any central government to manage the currency, and they don't rely on any set of external laws. You just operate within the system itself. And so from a philosophical point of view, it's sort of an interesting question for people who use these crypto currencies. In addition to that, I think it throws the whole question of the long-term stability of these currencies into question, right. If you're going to have a fork every six months, then it leaves people with the question of what their coins are going to be worth in one year from now, and so this could really shake up confidence in these cryptocurrencies in general.

Dave Bittner: [00:14:13:17] All right, we'll keep an eye on it. Jonathan Katz, as always, thanks for joining us.

Dave Bittner: [00:14:19:08] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.