The CyberWire Daily Podcast 1.15.16
Dave Bittner: [00:00:03:17] Looking for the malware that enabled the hack of Ukrainian electrical power substations. DDoS grows in importance as misdirection. ISIS expands its media operations with an online cyber mag and a news service. Researchers find issues with Apple's Gatekeeper patching. The SlemBunk Android banking Trojan evolves into a more dangerous form. Kaspersky tells us how it used Hacking Team's docs to find a Silverlight zero-day. Fortune offers a nuanced take on David Chaum's proposal to end the crypto wars. And Twitter's being sued for permitting ISIS to use its service.
Dave Bittner: [00:00:39:22] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.
Dave Bittner: [00:01:01:24] I'm Dave Bittner in Baltimore with your CyberWire summary for Friday January 15th, 2016.
Dave Bittner: [00:01:08:06] The attack on power distribution substations that produced rolling blackouts across Western Ukraine late last month is pretty clearly a cyber attack. Breakers were cycled remotely, and BlackEnergy malware was found in the affected utility's networks, but how the breakers were cycled remains unclear. BlackEnergy, long familiar as an espionage kit, is in all probability not the means the attackers used to take down the grid. Industrial control systems security expert Joe Weiss told the CyberWire what investigators should be looking for.
Joe Weiss: [00:01:37:24] Breakers were opened in a whole series of substations and that led to somewhere between a three to six hour outage, to something like 80,000 customers. That's what we should be focusing on. The hacking questions all have to be in the context of: how did that relate to the breakers being opened in the substations?
Dave Bittner: [00:02:03:14] You can hear an extended version of our interview with Joe Weiss on today's CyberWire Week in Review. Other analysts continue to warn utilities, especially those engaged in nuclear power generation, to be on their guard, and Corero warns utilities, telecom providers, and others to watch for what it's calling "dark DDoS." By this, they're not implying that there could be a "light DDoS," let us say Rey as opposed to Kylo Ren, but rather they're emphasizing the increased use of denial-of-service as a "smokescreen" for a more serious attack.
Dave Bittner: [00:02:34:14] DDoS does remain a threat. Akamai, for example, estimates that 2015 saw them increase in frequency by 180%, but, as usual, it's possible to overhype any particular incident. A recent case may be found in the "New World Hackers" New Year's Eve test attack on the BBC. #TangoDown, the name of the op, and skidspeak for "io triumphe," claimed 600 gigabits per second in a "test of power," which would indeed be pretty big. As ZDNet observes, "You would think that after such a big bang, someone might have noticed," but no one did. Tripwire sums up Akamai's findings as, "great number, smaller punch."
Dave Bittner: [00:03:16:06] ISIS has launched its own encrypted messaging app, but it continues to focus on information operations. It's offering not only grisly emojis for inspiration across social media, but also an online cyber warfare magazine, "Kybernetiq," published initially in German, and a news service, Amaq, that features early distribution of communiqués claiming responsibility for attacks.
Dave Bittner: [00:03:38:17] The SlemBunk Android banking Trojan, discovered last year, is proving more persistent and dangerous than initially thought. It's got a longer attack chain and drive-by infection capability and, according to FireEye, it's being actively used in the wild.
Dave Bittner: [00:03:53:03] Researchers are finding Apple's patch of OS X's Gatekeeper security feature more porous than users might wish.
Dave Bittner: [00:04:00:18] Other researchers claim they've identified vulnerabilities in Advantech's EKI-1322 serial device server. The flaws may include a backdoor.
Dave Bittner: [00:04:10:21] Kaspersky describes how it used Hacking Team leaks to discover a vulnerability in Silverlight. eWeek describes Kaspersky's approach as "turning users into honeypots."
Dave Bittner: [00:04:20:24] In news techs can use, SANS shares a de-obfuscation tool, and Linux Journal describes what's actually involved in server hardening.
Dave Bittner: [00:04:30:04] A Staten Island lawmaker would add New York State to the list of jurisdictions seeking to require device manufacturers to be able to decrypt traffic carried by their products. Legal observers think the bill has slim chance of passage and slimmer chance of withstanding the inevitable challenges in court.
Dave Bittner: [00:04:46:17] Elsewhere in the crypto wars, Fortune claims that cryptography guru David Chaum's PrivaTegrity, widely discussed as Chaum's contribution to achieving a modus vivendi between privacy and security, has been widely misunderstood. PrivaTegrity is not, Chaum tells Fortune, a backdoored encryption scheme, but rather one that features distributed ten-party control, and he regrets having let earlier reports characterize it as having a backdoor. The cryptography community will no doubt be discussing whether this changes the prevailing dim view of PrivaTegrity.
Dave Bittner: [00:05:19:24] Industry remains skeptical of cyber security rules that passed the European Union's Internal Markets Committee. While they must still clear the European Parliament, final passage is widely expected. Consensus among industry observers is that the measures are both expensive and fatally lacking in specificity.
Dave Bittner: [00:05:38:05] Google finds itself under US regulatory and Senatorial scrutiny for its handling of student data.
Dave Bittner: [00:05:44:21] Twitter is being sued by the widow of a man ISIS murdered in Jordan. She claims Twitter negligently permitted ISIS to pass on inspiration and direction to her late husband's murderers. Few legal observers expect the suit to hold up in court, but in the event it does, the case's implications for online communication will be very large.
Dave Bittner: [00:06:04:01] In industry news, Appthority picks up $10m in Series B venture funding, IBM buys Iris Analytics in a fraud-prevention play, Raytheon and Websense will call their new combined venture "Forcepoint" and will integrate firewall shop Stonesoft, recently acquired from Intel, into the brand.
Dave Bittner: [00:06:24:16] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning coworking space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at Betamore.com.
Dave Bittner: [00:06:44:03] Joining me is John Petrik, editor of the CyberWire. John, it seems like the bad guys have exploits. What is an exploit?
John Petrik: [00:06:51:19] An exploit is something used to exploit some computer system, network, or program, to accomplish some malicious action. So, you're exploiting a system, you're exploiting a vulnerability, if you're using software, data, commands, or hardware devices to do something to that system that ought not to be done to it. It's also used as a noun: an exploit is some particular thing that an attacker can use against a system.
John Petrik: [00:07:24:14] Exploits are often packaged into kits. You hear about exploit kits, and some of the exploit kits we read about in the news, like Angler, for example, are packaged sets of malware that automate the exploitation of vulnerabilities. That's very commonly some crimeware web application that enables attacks on unpatched systems. Exploit kits form a very important part of the criminal malware black market.
Dave Bittner: [00:07:48:23] So when we're talking about exploits, very often it is something that has been named - it's been prepackaged as something that's easy to use.
John Petrik: [00:07:58:11] That's right. There are also named vulnerabilities, not to be confused with exploits, but, yeah, an exploit is very often named. Some of the names are compelling, some of the names are slightly ridiculous, but everybody who does vulnerability research would love to name their own exploit.
Dave Bittner: [00:08:13:11] So just for clarity's sake, what is the difference between a vulnerability and an exploit?
John Petrik: [00:08:18:08] An exploit is something that takes advantage of a vulnerability. The vulnerability is the thing that the exploit exploits, that the exploit uses to get at you. It's the hole in the system that the attacker uses. The exploit is what he uses to get through that hole.
Dave Bittner: [00:08:36:06] Alright, John Petrik, thanks very much.
Dave Bittner: [00:08:40:21] And that's the CyberWire. A note to our listeners and readers. The CyberWire will be taking Monday off in observance of Doctor Martin Luther King Jr. Day. We'll be back as usual on Tuesday, January 19th. Enjoy the holiday.
Dave Bittner: [00:08:52:17] For links to all of today's stories, along with interviews, our glossary and more, visit TheCyberWire.com. The CyberWire podcast is produced by CyberPoint International and our editor is John Petrik. Thanks for listening.