Hacking and hybrid warfare. Industry notes (including Wassenaar's next round).
Dave Bittner: [00:00:03:17] The Shadow Brokers and the shadowy world of hybrid warfare. Is someone using seized Silk Road Bitcoin wallets to bid on leaked files? Election hacking worries persist and concerns about secret ballots appear. Some Tor users want to call a general strike against the anonymizing network. Point-of-sale malware and what to do about it. And a new Wassenaar round will revisit cyber arms control next month.
Dave Bittner: [00:00:32:16] Time to take a moment to tell you about our sponsor Recorded Future. You've probably heard of Recorded Future, the real time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We here at The CyberWire subscribe to, and read, their Cyber Daily. They do the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:37:22] I'm Dave Bittner, in Baltimore, with your CyberWire summary for Monday, August 22nd, 2016.
Dave Bittner: [00:01:43:22] The security community continues to follow the Shadow Brokers incident with close attention. Speculation continues to point to Russian intelligence services as the source of the compromise, which is now generally regarded as genuine. One of those suggesting Russian involvement is Edward Snowden, who is, one recalls, still resident in Moscow.
Dave Bittner: [00:02:03:07] The Intercept reports finding strings in documents Edward Snowden took with him when he defected to Russia that are identical to some strings in the documents the Shadow Brokers have released, ostensibly as loss leaders for their auction.
Dave Bittner: [00:02:16:07] No further leaks have appeared, and so far no one has ponied up the half billion dollars the Shadow Brokers are somewhat implausibly asking for. There has been some bidding on the unreleased files, but nothing approaching the asking price. ZDNet reports seeing Bitcoin wallets seized from Silk Road in the bidding, which leads some to speculate that the US Government is in on the auction.
Dave Bittner: [00:02:37:23] The compromise has prompted considerable discussion of hybrid warfare, cyber deterrence, retaliation, and government disclosure policy. Those who have commented on disclosure policy see the incident as tipping the balance in favor of disclosure as opposed to hoarding. Other observers see tension in NSA's dual responsibility for SIGINT collection and for information assurance.
Dave Bittner: [00:03:00:07] We heard from Will Ackerly, CTO and co-founder of secure email solution provider Virtru. Noting that the Shadow Brokers leaked exploits affected firewalls, he commented that, "Most often, data is stored on devices or transmitted without its own protections." Once an attacker is in your network, Ackerly says, the unprotected information there amounts to a sitting duck. He thinks the Shadow Brokers episode will accelerate movement away from network or device security and toward data security. "The ultimate goal is to protect data from inception and only unlock it during consumption."
Dave Bittner: [00:03:36:13] The Shadow Brokers incident also continues to stoke concerns about election hacking. Statements from US election officials seek to reassure voters, but their efforts to do so seem to have achieved little beyond a mood of resignation. Observers point out that properly secured electronic voting may inevitably be in tension with voters' expectations of a secret ballot.
Dave Bittner: [00:03:58:07] Some users are calling for a general strike against Tor to protest the service's investigation and ouster of a high profile Tor activist. The idea would be to take the anonymous service offline for a day. Journalist Jacob Appelbaum, who had been an important participant in the Tor Project, was removed from his position following the Project's investigation of allegations of misconduct.
Dave Bittner: [00:04:21:19] Eddie Bauer, late last Thursday, disclosed a malware infestation in its point-of-sale system that exposed cards used in transactions between January 2nd and July 17th of this year. The infections appear to be part of the large campaign that's affected the hospitality industry. Chris Webber, Security Strategist at Centrify, sees the incident as a cautionary tale about the importance of securing privileged accounts. It's too easy to pivot from a single account and move through an entire network. "This is because that privileged account – often a systems administrator or service account – has deep access to everything inside a network." Webber advocates policies of least-privilege access, tighter control over shared accounts, and more closely secured remote access.
Dave Bittner: [00:05:07:20] A growing trend has been the proliferation of malware as a service, providing those who are so inclined with the opportunity to do their deeds at a much lower cost of entry, both financially and when it comes to technical skills. Michael Marriott is a Research Analyst at Digital Shadows, where they've been tracking the deer.io marketplace.
Michael Marriott: [00:05:26:16] So, it's a one stop shop that many cybercriminals use to advertise and sell their goods. For eight rubles a month, which is under a dollar, you can get ready made templates, secure hosting, anonymity and payment processes to advertise and sell your goods. And we estimate, it's hard to be precise, but there are about 1,000 shops offering a variety of different goods and services on deer.io.
Dave Bittner: [00:05:57:05] And what kind of things are being sold here?
Michael Marriott: [00:05:59:18] So, there's a whole host of different services. There's the site that Tessa88 was advertising. So, these would be massive data dumps, such as the LinkedIn and Myspace ones. But there's also a lot of bot-registered social media accounts, which, although not illegal, breach the terms and conditions of many sites. There's stolen and hacked accounts. There's dedicated servers. We also see the big cybercrime elements, like Dark Side Global, which is Tessa's.
Dave Bittner: [00:06:37:02] Is deer.io right out in the open? Can anybody just start shopping around in this marketplace?
Michael Marriott: [00:06:43:13] It's just on the surface web. They've got a great interface. You can use the search bar to search for particular items that you may want. And while it should be clear that deer.io is not criminal in and of itself, what it's doing is just making it so much easier for these cybercriminals, which constitute about 99% of its gray or black goods for sale.
Dave Bittner: [00:07:11:02] This is a Russian-language site. Is it actually being hosted in Russia? If so, are the authorities simply turning a blind eye to it?
Michael Marriott: [00:07:20:08] There are a few different elements to that. It uses Voxility, which is, I believe, based in Romania. It has been shut down previously, or blacklisted by the Russian internet monitoring authorities for a brief period a couple of months ago. In Ukraine, a man was arrested for hosting a shop on one of these sites. But, as far as I'm aware, there haven't been any prosecutions within Russia itself.
Dave Bittner: [00:07:52:02] So, what do you think this speaks to in terms of this trend that we're seeing of cybercrime as a service?
Michael Marriott: [00:08:00:11] We've seen this before already with DDoS as a service, ransomware as a service. What I think is different about deer.io is that all these support services that we see fragmented across various different places on the open, dark and deep web, they're all bundled together in one place, and this serves to lower the barriers to entry. It's this trade-off between OPSEC and advertising that deters many cybercriminals from going about their day-to-day business. How much do you advertise, get your name out there, become a media hit and then through that you get more and more business? But you've got the risk of overexposing yourself and leaving yourself vulnerable to competitors or law enforcement. What this is doing is sort of taking that away. So, if somebody's got some site they can pay very, very little money to host, then actually they can sell things which are pretty low level, not that expensive, but those niggling illegal goods that previously wouldn't have really been feasible to sell because of all the backend hosting and templates, payments, etc. So I think that's a really important point to bring up.
Dave Bittner: [00:09:18:13] That's Michael Marriott from Digital Shadows.
Dave Bittner: [00:09:22:24] In industry news, Cisco continues to reposition itself as a security provider. Dell talks about plans for SonicWall. And the aforementioned Virtru closes a $29 million Series A round led by Bessemer Capital.
Dave Bittner: [00:09:36:21] The next round of the Wassenaar cyber arms control talks is scheduled for September. The talks are expected to narrow the scope of intrusion software that controls industry found objectionable. The Bureau of Industry and Security at the US Department of Commerce withdrew its draft rule implementing the Wassenaar framework in 2015 after industry objections that the rule would essentially criminalize legitimate vulnerability research. A new draft rule is expected to be issued after the upcoming round of talks, probably in the spring of 2017.
Dave Bittner: [00:10:07:16] Finally, we're pleased to say that we have nothing whatsoever to say this afternoon about either Pokémon or the Incredible Hulk. Actually, we're a little sorry we don't have any more Hulkspeak to share with you. Perhaps the Shadow Brokers will release some fresh communiqué and we'll hear more from Natalia Romanova. Did you know that the Shadow Broker is an information dealer in the Mass Effect video game? And why do threat actors like action role playing so much? Maybe the question answers itself. In any case, Crash Bandicoot was unavailable for comment.
Dave Bittner: [00:10:42:03] Time for another message from our sponsor Recorded Future. You know, Recorded Future's conference RFUN 2016 is coming to Washington DC October 5th and 6th, 2016. The fifth annual edition of this threat intelligence conference brings together the talented diverse community of analysts and operational defenders who apply real-time threat intelligence to stay ahead of the adversaries. And since it's real-time threat intelligence, you know it's organized by Recorded Future, the people who know a thing or two about collection and analysis. Recorded Future's customers, partners and threat intelligence enthusiasts are cordially invited to attend RFUN 2016. Improve your analysis, stay ahead of cyberattacks by learning about the latest threat intelligence techniques and best practices. If you're a threat intelligence enthusiast, register for free now at recordedfuture.com/rfun. That's recordedfuture.com/rfun. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:11:43:05] And I'm joined once again by John Leiseboer. He's the CTO at QuintessenceLabs, one of our academic and research partners. John, I know you wanted to share some information with our listeners about the standards when it comes to cryptographic and key management. What do we need to know about that?
John Leiseboer: [00:11:57:24] Common standards help enable interoperability. It's important that the standards we use are properly signed, unambiguous and vendor independent. There are standards in almost every technical field. For cryptography and key management there are standards from organizations such as the IETF, OASIS, LSI, the Payment Card Industry, and plenty of others. There's no problem finding a standard in the cybersecurity world. Two of the more important interoperability standards for cryptography and key management would be PKCS 11, which is Public-Key Cryptography Standard number 11, and KMIP, the Key Management Interoperability Protocol. Both of these standards are currently managed by OASIS, the Organization for the Advancement of Structured Information.
Dave Bittner: [00:12:52:13] So, digging into those, I mean, how do we deal with them and what part do they play in cryptography and security?
John Leiseboer: [00:13:00:02] PKCS 11 is a standard for a cryptographic application programming interface. It defines a vendor-independent API for performing cryptographic operations, such as encryption and digital signatures, and also key generation. PKCS 11 turned 25 this year, so it's quite an old standard. It was originally managed by RSA, but moved to OASIS just over three years ago. P11 is widely used in cryptographic products, from smart cards, to hardened security modules, and database encryption to web servers. Similar standards to PKCS 11 would be Microsoft CNG, or API in the old days, the OpenSSL API and the Java JCE interface. In fact, both OpenSSL and JCE support cryptographic providers that present a PKCS 11 interface. The other standard I mentioned, KMIP, specifies a protocol for the exchange of key management messages between key management clients and servers. It specifies operations such as create, register and get for objects like symmetric keys, key pairs and certificates. It's a relatively new standard and was first published in 2010.
Dave Bittner: [00:14:13:11] Alright. Interesting stuff. John Leiseboer, thanks for joining us.
Dave Bittner: [00:14:19:08] And that's The CyberWire. Thanks to all of our sponsors who make The CyberWire possible. Our ad space is filling up fast through this fall and into next year. So, if you want to reserve a spot on our show or Daily News Brief, don't delay. We've got a limited number of spots, and according to our advertisers, they get results. Visit thecyberwire.com/sponsors to learn more.
Dave Bittner: [00:14:39:02] The CyberWire Podcast is produced by Pratt Street Media. The Editor is John Petrik. Our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.