The CyberWire Daily Podcast 9.21.16
Ep 189 | 9.21.16

Russian hackers hit German targets. New ransomware. DPRK domains revealed.

Transcript

Dave Bittner: [00:00:03:13] Russian hackers appear to have turned their attention to German political targets as well as politicians in the US. New strains of ransomware are out. Mamba is as dangerous to networks as its namesake is to human tissue. The Air Force Association is taking up cyber in its annual meetings. And North Korea parts the curtain in front of its domains.

Dave Bittner: [00:00:29:09] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web developing cyber intelligence that gives analysts unmatched insight into emerging threats.

Dave Bittner: [00:00:43:19] At the CyberWire we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want. Actionable intelligence.

Dave Bittner: [00:01:04:14] Sign up for the Cyber Daily email and every day you'll receive the top trending indicators Recorded Future captures crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates. That's recordedfuture.com/intel and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:42:12] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, September 21st, 2016.

Dave Bittner: [00:01:48:09] Election hacking may not be confined to United States targets. German news outlets are reporting that a number of senior politicians and their staffs have come under cyber attack, apparently by Russian actors. There's no name assigned to this particular bear, yet, but doubtless one is coming. The Bundestag sustained compromises last year.

Dave Bittner: [00:02:06:19] The current round of intrusions extends to political party organizations in the country's Länder, that is, down to what Americans would call the state-level. It appears the attackers' initial approach was through a long series of phishing emails purporting to originate in NATO. The timing of the attacks suggests an interest in elections, and German newspapers are significantly juxtaposing the story with coverage of election-related hacking in the US.

Dave Bittner: [00:02:32:11] The vulnerability Cisco found in the course of its investigation of the Shadow Broker exploits is said to be actively used by attackers in the wild. Patches and mitigations are expected soon.

Dave Bittner: [00:02:44:12] More ransomware enters circulation, some of it unsophisticated. DetoxCrypto is distributed in a poorly crafted imitation of Malwarebytes communication. Other strains are being carried by bogus FedEx failed delivery notices, but some of it is sophisticated indeed, and dangerous. Mamba, also known as HDDCryptor, is unusually dangerous. Mamba locks hard drives, encrypts files in mounted drives and network shares, and overwrites master boot records.

Dave Bittner: [00:03:14:05] We've been spending some time down at the Air Force Association's annual Air, Space and Cyber Conference just south of the District of Columbia. While the conference was, as one attendee put it, "heavy industry heavy," this year's version featured a conscious effort to devote significant attention to cyber.

Dave Bittner: [00:03:30:00] You'll find accounts of the conference at thecyberwire.com, but we were struck by the Air Force's Operations Chief's emphasis on working out effective command-and-control mechanisms for cyber operations, and by the Service's IT chief's commitment to looking for commercial solutions to Air Force challenges. And the chief of personnel faces the same tight labor market the cyber industry does, with the added challenge posed by a complex workforce and some cultural obstacles to what she called the "agility" necessary to recruit, develop, and retain cyber talent.

Dave Bittner: [00:04:01:12] Two initiatives stood out to us. Everyone had very good things to say about CyberPatriot, the Air Force Association-led, Northrop Grumman supported, youth cyber education program. And the Military Cyber Professional Association was also present on the floor, a young group organized to support and foster the growth of the profession. Both of these will bear watching.

Dave Bittner: [00:04:22:24] Matthew Green is an assistant professor at the Johns Hopkins University Information Security Institute and he's well known in the industry for his work in cryptography and other security technology. He's one of the keynote speakers at the AppSec USA 2016 conference, coming up in October in Washington DC. We checked in with Matthew Green for a preview of his presentation.

Matthew Green: [00:04:42:15] So there's been a pretty big debate going on right now about making encryption a little bit more tractable for law enforcement. So I spent a lot of my time in the last year, maybe year and a half, fighting with a lot of people about this because, you know, their-- the proposals that are being pulled out right now for making encryption easier for folks to decrypt, also have this kind of side effect that they make encryption a lot worse.

Matthew Green: [00:05:06:02] And if you've been paying any attention the last however many years, you know that things aren't going very well for us and by us, I mean everybody who uses computers and relies on them being secure. So encryption is one of the best tools we have for fixing that problem. If we start by weakening it, or doing something to limit it, we're really starting out on the wrong foot and so I'm going to talk a little bit about how we've done that wrong in the past and what we could do wrong in the future.

Dave Bittner: [00:05:33:22] So let's dig into that a little bit. I mean, there's, there's been this notion-- certainly, you know, we saw in the last year the incident with Apple and the FBI, this notion of is it possible to have a, a se-- a backdoor that is both a backdoor and secure? What are your thoughts on that?

Matthew Green: [00:05:49:04] I mean, the way you just put it I think is a pretty good illustration of why it's so difficult. You want to let other people in, but only the right people. However, the right people are going to be a, you know, a lot of right people, so you have a lot of different people in law enforcement, courts, all over the place. Not very technically savvy people. All of those people have to be able to get into your encryption and by your encryption, I mean everybody's encryption. It's not just going to be Apple and Google. It's going to be small, you know, companies developing apps, you know, everybody who, who does anything with encryption in the long run.

Matthew Green: [00:06:21:15] So you want to let all of those people get into your encryption, you want to keep all of the very sophisticated, sometimes nation-state-funded attackers out. And I have a very hard time seeing how we're going to do that. Because the difference between somebody like Guccifer, you know, where we have somebody who's extraordinarily sophisticated and pretty good at getting into things, and at the same time, you know, that's the person we want to keep out but at the same time we want to keep-- let in folks who are very technically unsavvy who are writing pieces of paper and saying, you know, "Here's a court order, let somebody into this encryption."

Matthew Green: [00:06:53:15] I see a very-- I think it's going to be very hard to make that kind of system work. And at a technical level, in the process of trying to make it work, I think we're going to screw it up in all kinds of new and exciting ways we haven't even thought of yet.

Dave Bittner: [00:07:04:15] So where do you see this headed? Is, is there a possible-- is there some meeting in the middle where both sides can get closer to what they want?

Matthew Green: [00:07:13:00] Right now, I think we already are meeting in the middle to some extent. So you probably saw the headlines in the last day or two about the FBI gaining, you know, really powerful hacking powers. They are now legally allowed or, or about to be allowed to essentially hack anything they want, and that includes end devices.

Matthew Green: [00:07:30:11] The FBI's developing this capability and they're getting pretty good at it, and, you know, clearly they got into the San Bernardino iPhone last year and they didn't do it through a backdoor. They did it by hacking. So I think we're already heading towards some kind of meet in the middle where this is how device access is handled, is, is the FBI just learns to hack. That doesn't mean they see this as a compromise, they, they want backdoors too.

Dave Bittner: [00:07:55:08] The good guys say though, the people who are calling themselves good guys, they say, "Well, you know, as long as we have judicial oversight, what's the problem here? What's, what's the worry?"

Matthew Green: [00:08:04:09] What I'm going to talk about in my presentation is kind of the history of how, you know, good ideas, you know, the, the road to hell is paved with good intentions and how apparently good ideas can turn into bad ideas, and those bad ideas can hurt us, even, you know, a decade plus after the initial idea's over. And so really, you know, I'm going to give a little bit of a history lesson talking about previous attempts to limit and weaken encryption and how they didn't really go very well.

Matthew Green: [00:08:33:04] So, you know, for example back in the 90s, there were laws that said if you want to download a browser, you had to either download the strong US one and prove, you know, assert you were from the US or if you were from another country you had to download the weak one. And that stuff, you know, with these export-grade crypto systems, as recently as 2014, 2015, there were bugs in SSL and TLS that were still exploitable because those leftover systems were still in the standard.

Matthew Green: [00:09:00:21] And so, so it's kind of an illustration of how even well-meaning ideas can lead to all sorts of unintended consequences and they just linger.

Dave Bittner: [00:09:09:17] That's Matthew Green from the Johns Hopkins University Information Security Institute. He'll be keynoting at the upcoming AppSec USA 2016 conference in October in Washington DC.

Dave Bittner: [00:09:21:10] It's gratifying to see responsible disclosure of an Internet-of-things vulnerability on the part of researchers and equally gratifying to see receptivity and responsiveness on the part of the vendor whose product is affected. We mean, of course, the demonstration by a group of Chinese researchers of vulnerabilities in Tesla cars. They were able to open sunroofs, turn blinkers on, and, most disturbingly, apply the brakes while the car was in motion.

Dave Bittner: [00:09:45:09] They disclosed the issues to Tesla, which has patched them and thanked the researchers. The researchers coordinated their announcement with Tesla's fix. We heard at the Billington Automotive Cyber Security Summit in July that the auto industry was determined to invite, and encourage, and act on responsible disclosure. The Tesla fix looks like a good omen.

Dave Bittner: [00:10:05:11] And finally, we hear a great deal about North Korean activity in cyberspace, from the country's alleged role in the Sony hack to perennial expressions of concern from Seoul that Pyongyang has its fingers in as many South Korean networks as possible. But we hear much less about what the internet might actually look like inside North Korea itself.

Dave Bittner: [00:10:23:19] If you were betting that the North Korean web wasn't exactly that familiar mash-up of Woodstock, Burning Man, the Wild West, Bronycon, and Moss Eisley that most of the rest of us have grown accustomed to, you'd be right. Late Monday an IT error in the hermit kingdom inadvertently, we think, allowed domain administrators to request a list of the DPRK's top-level domains. An alert watcher did just that, and posted the results to Reddit.

Dave Bittner: [00:10:49:13] There are, it turns out, a total of 28 dot PK domains. Not 28,000, just 28. And TechCrunch thinks the sites on those top-level domains are likely to be busy, because, as TechCrunch says, that's what being on Reddit will do for you.

Dave Bittner: [00:11:09:23] Time for another message from our sponsor Recorded Future. So, attention threat intelligence enthusiasts, the first week in October, consider heading to Washington DC and joining Recorded Future and the rest of your community in DC for RFUN 2016 this October 5th and 6th. Share experiences, insights and best practices. Learn from exclusive presentations by threat intelligence thought leaders and you can be the first to know, get a sneak peek of new Recorded Future product features and the company's development road map.

Dave Bittner: [00:11:38:11] Meet others like you, people who understand that cybersecurity depends upon actionable intelligence. Network with your information security peers, to learn how others apply threat intelligence. RFUN is the place to be if you're a threat intelligence enthusiast. Register now, it's free, at recordedfuture.com/rfun, that's recordedfuture.com/r-f-u-n. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:12:08:16] Joining me is Jonathan Katz, he's a professor of computer science at the University of Maryland and director of the Maryland Cybersecurity Center. Jonathan, we saw a story come by recently that Google is turning on HSTS encryption on its domain. Give us some background here, what are we talking about with HSTS encryption?

Jonathan Katz: [00:12:25:07] Well, as you know when you're connecting to a sensitive website like a banking website or your email or things like that, you generally want to do that over a secure connection, over https. And what this new mechanism does is actually it's something that the website will provide which will tell the user's browser to only allow secure connections to the site. And this would basically have the effect of preventing the user from mistakenly opening up an insecure connection with that website.

Dave Bittner: [00:12:56:15] So is this basically protecting the user from themselves? So they don't, you know, inadvertently pass along insecure data?

Jonathan Katz: [00:13:04:14] Yes, exactly. So what a user might do for example is go to-- you know, if they're connecting to Gmail, they might go to their web browser and type in http://mail.google.com. And if they did that in general, then that would open up an insecure connection. To open up a secure connection they would have to know to type in https, mail.google.com and what this HSTS does for you actually is if the user ever connects securely to the Gmail back end server, then from that point on, the browser will ensure that the user only ever opens up a secure connection.

Jonathan Katz: [00:13:40:14] So even if the user mistakenly types in http and forgets the s, the browser will know to automatically initiate a secure connection anyway, and in fact it won't even allow the user to initiate an insecure connection.

Dave Bittner: [00:13:52:03] So we're really heading towards, towards this time of-- when all connections really should be secure?

Jonathan Katz: [00:13:59:15] Yes, that's right. So, so, you know, Google has moved toward that in general and they've been-- they've made available secure connections to all of their services. And what this does is add an extra layer of protection to protect either against user mistakes like I was talking about earlier, or also phishing attempts. Right? If a-- if an attacker sends the user an email with an embedded link to Google.com which is a link with an http rather than https, then this mechanism will still protect the user in that case and again will only allow the user to open up a secure connection.

Dave Bittner: [00:14:31:15] Alright, Jonathan Katz, thanks for joining us.

Dave Bittner: [00:14:36:01] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible.

Dave Bittner: [00:14:40:01] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.