The CyberWire Daily Podcast 8.10.16
Ep 160 | 8.10.16

Australia's census clogged. Iran ups its offense? Ransomware and file deletion.

Transcript

Dave Bittner: [00:00:03:07] Spyware in the South China Sea from guess whom? And Iranian exiles and dissidents get spearphished by guess whom? Australia’s census suffers from either insufficient bandwidth or DDoS attacks, in any case, it had to be taken offline yesterday. A new ransomware strain skips encryption and goes for destruction. Oracle’s MICROS point-of-sale system issues may underlie a wave of retail breaches. QuadRooter might not be as bad as feared. And yesterday was Patch Tuesday, so get patching.

Dave Bittner: [00:00:38:19] Time to take a moment to tell you about our sponsor, Cylance. Are you looking for something beyond legacy security approaches? If you are, and who isn't, you're probably interested in something that protects you at machine speed, and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning, it may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of malware. Cylance: artificial intelligence, real threat prevention. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:35:04] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, August 10th, 2016.

Dave Bittner: [00:01:41:08] International cyber conflict news today returns to the South China Sea, where Vietnamese security researchers continue to track spyware that’s infested that country’s networks since June, at least, of this year. The compromises seem to have originated from a spoofed version of a Vietnamese Communist Party website. The spyware incidents are generally believed to be connected to ongoing conflict between China and its neighbors over disputed territorial waters in the South China Sea. The Philippines have seen similar incidents, also suspected to be associated with the Chinese Intelligence Services.

Dave Bittner: [00:02:14:16] Iran is also believed to have significantly increased its cyberattack capabilities in the wake of the international agreement that sought to arrive at a peaceful arrangement, with respect to the Islamic Republic’s nuclear ambitions. The annual report on Iranian military capabilities, the US Department of Defense renders to Congress, concentrated on conventional, kinetic capabilities, but it alluded to a growing ability to carry out operations in cyberspace. Bloomberg reports that the document echoes conclusions of a study by the Washington Institute for Near East Policy’s Michael Eisenstadt, who describes Iran’s cyber operations as having evolved “from a low-tech means of lashing out at its enemies, to a pillar of its national security concept.”

Dave Bittner: [00:02:59:11] Not all those enemies are foreign nation states. Amnesty International reports that actors, probably directed by Iranian Security Services, have been conducting an extensive spearphishing campaign against exile and dissidents. Some of the phishbait is presented as email correspondence from US immigration authorities concerning the targets’ green cards.

Dave Bittner: [00:03:20:05] The Australian Bureau of Statistics took its census website offline last night after sustaining what it characterized as multiple distributed denial of service attacks. The Australian Signal Directorate has trained its eye, one of the famous Five, on the incident, and the Bureau of Statistics says it will bring the census site back once it can do so safely. Not everyone’s convinced the problems were the result of an attack. Industry sources are wondering publicly if the Bureau provided enough bandwidth to handle the traffic of citizens logging on after supper to beat the reporting deadline.

Dave Bittner: [00:03:54:03] AVG reports a new strain of ransomware, “Hitler,” that continues a criminal trend toward file deletion. Thomas Pore, Director of IT and Services at Plixer, told the CyberWire that the ransomware appears to be in its testing and development phase. A string found in the malware, he said, contains the German words “Das ist ein Test,” “This is a test,” as well as some prominent, misspelled words. “This,” he told us, “suggests that we will likely see a more mature version popping up shortly.”

Dave Bittner: [00:04:23:00] The Hitler malware isn’t crypto-ransomware. Pore said, "It’s interesting that this variant does not actually encrypt the files, possibly for detection avoidance. Routine offsite or off-network backups is the only sure-fire way to recover from ransomware.” He added that many victims may feel they have little choice but to pay, since the alternative would appear to be deletion of all their files when they reboot after crashing.

Dave Bittner: [00:04:48:23] The breach of Oracle’s MICROS network of retail point of sale systems is now suspected of providing the common factor behind a recent wave of breaches at stores and hotels. Itsik Mantin, Director of Security Research for Imperva, told the CyberWire that “It’s entirely possible that the data stolen in this breach, including user credentials, has been used to extend the hack into commercial web applications such as shops, hotels, and retail outlets.” He adds, "That no system is immune to breaches and advises planning to detect and contain point of sale breaches, especially those involving stolen or compromised credentials."

Dave Bittner: [00:05:26:05] Google thanks Check Point for discovering QuadRooter, but says most of the risk from this Android vulnerability is already mitigated by Verify Apps and SafetyNet features. More extensive patches are expected next month.

Dave Bittner: [00:05:40:00] A company calling itself Swirlds recently came out of stealth, and with a round seed funding led by Ping Identity, hopes to make its mark with a technology they believe will solve the challenges in creating trust within peer-to-peer networks. We spoke with Leemon Baird, the founder and CEO of Swirlds.

Leemon Baird: [00:05:57:19] So Swirlds is a platform that people can build apps on top of, and those apps then get distributed consensus, distributed security. So we can do things like crypto-currencies, like bit-coin; we can do distributed smart contracts. A stock market can be distributed so there's no central server. Basically anything you would normally do with a server, you can do just distributed. So you could have a game, but instead of having a server run the game, it's just running on everybody's computers. Just the players are running it.

Leemon Baird: [00:06:30:15] And yet, the rules are enforced. You could have something like an auction that's being run where everybody's computers are sort of jointly deciding what order the bids came in and who gets the prize, or who gets the thing. Same thing with the stock market, there's no central server, it's just all the traders are running this thing.

Dave Bittner: [00:06:53:21] The underlying technology behind what you're doing, is this something of your own development or is this something that's a known protocol?

Leemon Baird: [00:07:03:12] No, it's a new thing. It's called Hashgraph. It is a graph rather than a chain and it is remembering who has talked to whom, which is a very strange thing, it's gossiping about gossip. The result is we have a math proof that this is Byzantine Fault Tolerant. And what that means is that, even if almost a third of the group are trying to attack and they're trying to collaborate in their attack, and collude in their attack, and even if they control the Internet in some very powerful ways, they still can't break the system.

Dave Bittner: [00:07:36:18] The way that you have the system distributing everything to all the users, how do you keep it from collapsing under its own weight?

Leemon Baird: [00:07:45:15] So, we have an incredible amount of efficiency. What we end up sending over the Internet is not votes, it's not mining stuff, it's just the transactions themselves with a tiny bit of overhead over it, very little extra. So to be efficient, to keep it from collapsing, just your home ISP connection is fast enough to handle the entire Visa network of 4,000 transactions per second. There is digital signatures everywhere, there is encryption everywhere. So the digital signatures prevent spoofing, the encryption prevents eavesdropping and other problems like that.

Leemon Baird: [00:08:23:16] There are cryptographic hashes tying it all together and we have math proofs of the Byzantine Fault Tolerance. So we have solid math and solid crypto at every stage. You can't gain the system because it's using strong crypto and strong mathematics to prevent that.

Dave Bittner: [00:08:44:02] That's Leemon Baird from Swirlds.

Dave Bittner: [00:08:47:23] We’ve been hearing and reading a lot about Black Hat these days, and the prevailing mood was one of foreboding and dismay about the opposition’s agility and capabilities. Now, we should say that, at a security industry conference, this is hardly what the lawyers would call an admission against interest. It’s in the nature of the security sector to be unusually aware of and sensitive to threats, and a high level of fear, uncertainty and dread has long provided the community with its background noise, as well as much of its signal. Bear this in mind as you consider reports from Las Vegas.

Dave Bittner: [00:09:19:08] It’s also important to bear in mind that commodity attacks continue to succeed. Enterprises have a lot to do, their resources aren't unlimited and, for small and medium-sized businesses, as well as for private individuals, it's easy to fall into a kind of learned helplessness in which shutting your eyes and sticking your fingers in your ear, and hoping nothing happens, becomes a default security posture. So don’t neglect the obvious. If Cozy Bear and Fancy Bear, or even Sauron, even wanted to pawn your mom-and-pop shop, there’s probably not much you could do about it. But that doesn’t mean you should give up trying to keep out the skids and script kiddies. After all, they're the ones probably rattling your locks, Mom and Pop.

Dave Bittner: [00:10:00:08] And did we mention that yesterday was Patch Tuesday? It was relatively light, just nine patches from Microsoft, five of them rated critical. An Adobe patch too, but for once there was no patch for Flash Player. So, Mom and Pop, get that niece or nephew who knows computers to come over and get patching.

Dave Bittner: [00:10:21:08] Time to take a break to tell you about our sponsor, clearedjobs.net. If you're a cyber security professional and you're looking for a career opportunity, check out the free cyber job fair on the first day of Cyber Texas, Tuesday, August 23rd at the San Antonio Convention Center. Organized by clearedjobs.net, a veteran owned specialist at matching security professionals with rewarding careers. The Cyber Job Fair is open to all cyber security professionals, both cleared and non-cleared. It's open to college students and cyber programs too. You'll connect face-to-face with industry leaders like Lockheed Martin, Booz Allen Hamilton and the Los Alamos National Laboratory.

Dave Bittner: [00:10:56:20] You can also tune up your resume and get some career coaching, all of it's free, from career expert and army veteran, Bill Branstetter, author of the Six Second Resume. To learn more, visit clearedjobs.net and click job fairs in the main menu. Remember, it's ClearedJobs.net and we'll see you in San Antonio. And we thank ClearedJobs.net for sponsoring our show.

Dave Bittner: [00:11:23:13] Joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, you've got a tale to tell us about a friend of yours with a kid, not unusual these days who was interested in Pokemon Go.

Joe Carrigan: [00:11:37:00] That's right, I got a phone call from a friend of mine the other day and one of her children, older child, had figured out how to essentially side load Pokemon Go on a phone that the Android Play store said wasn't supported by the app.

Dave Bittner: [00:11:52:18] So she had a phone that was too old to load Pokemon Go and this kid found a work around?

Joe Carrigan: [00:11:58:05] Correct, she found a way to install it with what's called sideloading, which is anytime you go and get an app that's not from the Google Play store, it's called sideloading. And there's a number of ways you can do it, you can use a secondary marketplace; Amazon has a marketplace that will let you do this. You have to go into your developer options in the phone and allow this to happen.

Joe Carrigan: [00:12:23:03] The problem is that you don't know where this app is coming from and you may not have the trust level for it. Amazon, you can probably trust that, although probably not as much as the Google Play store itself. And even the Google Play store had it's malicious problems, code has gotten through their review process. But when you go out to a third party and you start downloading apps and allowing them to operate on your phone, you have no idea where that's coming from.

Dave Bittner: [00:12:51:10] We've covered this on our show, that it may even be an app that to you, looks like it's running fine, but in the background it's doing bad things.

Joe Carrigan: [00:13:01:18] Right, if I'm a malicious actor then it's relatively easy for me to get a hold of what's called the APK, which is the android application, and alter it to do something I want it to do. Then put it out into a different marketplace or different area, make it available to people and just wait for them to install it and then conduct my malicious activity.

Dave Bittner: [00:13:23:14] So what was your advice to your friend?

Joe Carrigan: [00:13:25:07] I said that she shouldn't be doing this, that if they really want to play Pokemon Go then maybe it's time to upgrade to a newer phone. These phones or hardware ages, it needs to be replaced on a regular basis. It's just part of the cost of maintaining your security on these devices.

Dave Bittner: [00:13:41:20] So that device, the one that had Pokemon Go side loaded, should that device now be considered a compromised device?

Joe Carrigan: [00:13:47:11] That was my advice, I told her you have no idea where she got the app, she might not even know where she got the app and, yes, you don't know what it's doing on your phone.

Dave Bittner: [00:13:58:09] Alright, stuff to watch out for. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:14:01:19] My pleasure.

Dave Bittner: [00:14:04:16] And that's the CyberWire. If you enjoy our show, we hope you'll help spread the word and leave a review or rating on iTunes, it's the easiest way you can help us grow our audience. To subscribe to our daily podcast or newsbrief, visit thecyberwire.com. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.