The CyberWire Daily Podcast 9.26.16
Ep 192 | 9.26.16

Yahoo! breach fallout, Krebs back online, election hack concerns.

Transcript

Dave Bittner: [00:00:03:19] Yahoo! Breach unsettles industry and casts doubt over Verizon's pending deal to buy Yahoo! Assets. British sources say GCHQ stopped a Russian attack on last year's UK general election. A White House staffer's email is hacked, KrebsOnSecurity is back but many see a lesson in the dangers of IoT botnets and democratized censorship. Researchers describe iOS and Android vulnerabilities. The FBI releases more documents from its State Department email investigation. Switzerland votes for more surveillance and US states reassure voters that the election won't be hacked.

Dave Bittner: [00:00:42:12] Time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done, so take a look at Recorded Future's cyber daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings but it's nearly impossible to collect them by eyeballing the internet by yourself, no matter how many analysts you might have on staff. And we're betting that, however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the cyber daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:50:20] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday September 26th, 2016.

Dave Bittner: [00:01:57:07] Yahoo!'s disclosure Thursday that more than 500 million customers' account information was stolen, continues to excite much comment. The company disclosed that the customer information lost includes names, email addresses, telephone numbers, dates of birth, hashed passwords, the vast majority with bcrypt and, in some cases, encrypted or unencrypted security questions and answers. Many see the lost security questions as posing the most serious problems to customers affected by the breach. After all, your grandmother's maiden name, your first pet and the middle school you attended are unlikely to change.

Dave Bittner: [00:02:32:02] The breach dated to 2014 and was discovered during investigation of rumors that stolen credentials were being offered on the black market by the cybercriminal whose nom de hack is "Peace". What the investigation found was more extensive and serious than anything Peace had been woofing around in the dark web market.

Dave Bittner: [00:02:50:22] Yahoo!, whose business for the last few years had been facing turbulence and headwinds, has been seeking what investment analysts characterize as a soft landing in the form of a deal with Verizon to buy Yahoo!'s core assets for a reported $4.8 billion. That soft landing is now in doubt.

Dave Bittner: [00:03:08:04] According to the New York Times, Yahoo! stated in the merger agreement that there have not been any incidents of, or third-party claims, alleging security incidents that could affect Yahoo!'s value. That statement, of course, is now more than questionable. Some analysts see a possibility that the entire deal could be canceled, but most think it likelier that the acquisition will go forward but at a price renegotiated sharply downward. Yahoo! Blamed an unspecified state sponsored actor for the breach. There is, as yet, no attribution to any country, and it's worth noting that almost any business would prefer to be able to blame a successful hack on foreign intelligence services. You look less negligent that way. Who among us could stand up unaided against the PLA, the GRU or any of the Five Eyes? If you think you could, then go ahead and cast the first stone but think twice. Look at history.

Dave Bittner: [00:03:57:21] Sony's relief at being able to point even to North Korea - not in the Bears', Dragons' or Eyes league, was almost palpable.

Dave Bittner: [00:04:05:07] Speculation concentrates on Russia, lately much in the news for Cozy Bear and Fancy Bear, and China which has shown an appetite for engulfing credentials and PII with the appetite of a filter feeding baleen whale. But this is all still a priori speculation and both the attribution and the means of compromise remain up in the air.

Dave Bittner: [00:04:25:22] In other news of state directed activity, the Sunday Times reports that Britain's GCHQ successfully blocked Russian attempts to disrupt last year's general election in the UK.

Dave Bittner: [00:04:37:02] In the US, more political email hacking resulted in exposure of senior democrats, election related travel and appearances. The staffer's emails were posted to DCLeaks which has, in the past, been associated with Russian interests.

Dave Bittner: [00:04:50:10] KrebsOnSecurity is back after sustaining what essentially everyone is calling the largest distributed denial of service attack on record. The well known and well respected security site is now being hosted by Google. The site's former host, Akamai, had to sever services when the attack traffic began to affect its other customers. It's important to note, as Krebs does, that Akamai hosted the site pro bono and that they parted with Krebs on good terms and without acrimony.

Dave Bittner: [00:05:17:06] The attack against KrebsOnSecurity is seen by many as a troubling bellwether for two trends. The use of IoT botnets and high-volume DDoS campaigns and the privatization of censorship. Much of the traffic that flooded the site is believed to have come from a botnet of compromised security cameras, and other indifferently secured IoT devices. And the motivation for the attack is believed to be retaliation for Krebs' reporting on vDOS, allegedly a DDoS as a service criminal enterprise whose proprietors were arrested by police in Israel, on September 15th 2016, shortly after Krebs published his story.

Dave Bittner: [00:05:53:23] The incident suggests that all the usual threat actors, from hacktivists through criminals to states, now have the ability to round up, herd and stampede botnets in the direction of those who attract their displeasure.

Dave Bittner: [00:06:06:19] Fresh reports of increasing mobile threats are out. Elcomsoft says it's found an issue in iOS that enables attackers to crack passwords much faster than they'd hitherto been able to. The flaw is said to lie in iOS 10's back up mechanism which introduces a vulnerability not seen in earlier versions of Apple's mobile OS.

Dave Bittner: [00:06:27:19] The US FBI late Friday released more documents from its investigation of former Secretary of State Clinton's email practices. The documents include descriptions of grants of immunity and what appear to be emails from the President found on the former Secretary's private account.

Dave Bittner: [00:06:44:04] Switzerland yesterday voted to grant its government more extensive surveillance powers. The vote is seen as a popular expression of widespread concern about terrorist threats in Europe.

Dave Bittner: [00:06:54:12] And, finally, US states seek to reassure voters that elections can be conducted without undue risk of hacking. The National Association of Secretaries of States wrote Congress to say that they're working with federal security services, "To address any attempts by nation state adversaries to disrupt the presidential election and call its integrity into question." The Association also said, "Machines are stand-alone and do not connect to the internet" adding that there is no evidence that ballot manipulation has ever occurred in the US via cyberattack. The Nevada Secretary of State has offered the Silver State similar reassurance. We think you might be able to get odds on this in Vegas or Reno.

Dave Bittner: [00:07:39:15] We've got another message from our sponsor, Recorded Future. What are you doing the first week in October? If you're a threat intelligence enthusiast, consider joining Recorded Future for RFUN 2016 in Washington DC on October 5th and 6th. This year's annual conference promises to be at least as good as the last four, after all it's organized by Recorded Future - the people who know a thing or two about collection and analysis of the information out there on the web. Recorded Future customers, partners and threat intelligence enthusiasts are all invited to RFUN 2016. Meet others like you, people who understand that cybersecurity depends on actionable intelligence. Network with your information security peers to learn how others apply threat intelligence. RFUN is the place to be if you're a threat intelligence enthusiast. Register now, it's free, at recordedfuture.com/rfun. That's recordedfuture.com/rfun. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:08:40:20] And joining me once again is Yisroel Mirsky. He's a PhD candidate, researcher and project manager at the Cybersecurity Research Center at Ben-Gurion University.

Dave Bittner: [00:08:48:18] You've been doing some research with some touch loggers, so what can you tell us about that?

Yisroel Mirsky: [00:08:53:21] Specifically with the Android operating system. When you download or install a new application, it asks you for some permissions and if you accept these permissions you're basically giving the application full access to those resources. For example, writing to a disc and accessing your contacts and so on. There is one set of permissions that an application does not need to ask for, and that's access to motion sensors - any kind of physical sensors on the device that indicate the motion or even lighting in the room. This is very important because that means you can download, for example, the classic Flashlight application and it will say that it doesn't require any special permissions, so it seems rather benign.

Yisroel Mirsky: [00:09:36:05] Meanwhile, it's recording all the motionary advice from your accelerometer, from your guidescope and it is trying to infer personal information about you. One of the things we've found in our labs was that you're able to determine a person's gender just by the acceleration of the device over the day. So you can imagine what kind of private information you can infer from a user and one of those things we were interested in was where the user's touching on the screen - much like a keylogger. Now this isn't a new idea, this idea was shown at the USENIX Conference, but the direction that we were taking it was that we're using a regression, a different type of machinery technique, to improve the process and, using this, instead of state of the art which is about 30% accuracy with 1500 key strokes, we got 30% accuracy with only 80 keystrokes.

Yisroel Mirsky: [00:10:28:15] The main difference here is that often researchers will see an interesting problem and show how it can be done; how can an attacker try to exploit a certain channel? Whereas they don't really think about how the attack model or the attack scenario can be implemented or how feasible it is. Without going into details, they were using classifiers which basically require a large number of data points in order to build your model, especially for an entire keyboard, whereas here we are using regression and we're just using a general approach of predicting the XY coordinates on the screen.

Yisroel Mirsky: [00:11:06:02] So, in general, to summarize here, it's not enough to ignore these motion sensors. It actually can infer quite a lot of private information, and they should really be added to these permission lists. If not, the user should be aware of possible attacks on their privacy.

Dave Bittner: [00:11:25:19] Are you aware of any cases of this being used in the wild?

Yisroel Mirsky: [00:11:30:15] I do know that all sorts of grayware uses any method of getting information from the device to provide advertisements, for example. I would not be surprised if they were using the motion sensors to try and understand the activity of the user.

Dave Bittner: [00:11:48:10] Yisroel Mirsky, thank you for joining us.

Dave Bittner: [00:11:53:02] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more visit thecyberwire.com. Thank you to all of our sponsors who make the CyberWire possible, and if you're interested in reaching a global audience of security influencers and decision makers, well you've come to the right shop. Visit thecyberwire.com/sponsors to learn more.

Dave Bittner: [00:12:11:24] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.