The CyberWire Daily Podcast 10.3.16
Ep 197 | 10.3.16

Hackers said to "probe" US voting systems. IoT botnet source code released. "DressCode" malware afflicts Android devices. Industry notes. SEC urged to make an example of Yahoo!

Transcript

Dave Bittner: [00:00:03:03] Homeland Security warns states to be on their guard against election hacking. Newsweek speculates that a brief DDoS attack it sustained was election related. Mirai source code used in large KrebsOnSecurity DDoS published in a hacker forum. DressCode malware found in 3000 Trojanized apps and the SEC may investigate the Yahoo breach.

Jonathan Katz: [00:00:30:24] Time to tell you about our sponsor, ClearedJobs.Net. If you're a cybersecurity professional and you're looking for a career opportunity, check out the free Cyber Job Fair on the first day of CyberMaryland, Thursday, October 20th, at the Baltimore Hilton, hosted by ClearedJobs.Net, a veteran-owned specialist at matching security professionals with rewarding careers.

Dave Bittner: [00:00:50:10] The Cyber Job Fair is open to all cybersecurity professionals, both cleared and non-cleared. It's open to college students in cybersecurity programs too. You'll connect face to face with over 30 employers like Swift, DSEMP and the Los Alamos National Laboratory. You can also tune up your resume and get some career coaching, all of it free, from career expert and Air Force veteran Patra Frame. To learn more, visit clearedjobs.net and click Job Fairs in the main menu. Remember, that's clearedjobs.net, and we'll see you in downtown Baltimore. And we thank ClearedJobs.Net for sponsoring our show.

Dave Bittner: [00:01:33:01] I'm Dave Bittner in Baltimore, with your CyberWire summary for Monday, October 3rd, 2016.

Dave Bittner: [00:01:39:14] The US Department of Homeland Security is still warning the states of the likelihood that hackers will take an interest in next month's elections. Speculation in the media tends to the view that these hackers are acting on behalf of the Russian government. Newsweek sustained a distributed denial-of-service attack that took its site down for a few hours Thursday.

Dave Bittner: [00:01:58:11] The reporter who wrote an article unfavorable to US presidential candidate Trump thinks it was done to silence him, and said there were a lot of Russian IP addresses involved in the attack. Odds are there would be a lot of Russian IP addresses in a lot of DDoS attacks, but in any event, opposing presidential candidate Clinton is far from flavor of the month in the Russian Twitterverse. So perhaps there's something to the speculation.

Dave Bittner: [00:02:23:00] Investigation into the more serious DDoS attack of the week before last, the one that took down KrebsOnSecurity, may be getting closer to the culprits. Someone using the handle Anna-chan or Anna-senpai has dumped the IoT bot-herding source code into the criminal market Hackforums, Krebs reports. The code is named Mirai. Such dumps are often a sign that a cybercriminal is beginning to feel some heat, or is at least moved to some caution. As Krebs puts it, "Publishing the code online for all to see and download ensures that the code's original authors aren't the only ones found possessing it, if and when the authorities come knocking with search warrants."

Dave Bittner: [00:03:02:03] More serpents have made their way into Google's Play Store garden. On Friday, Trend Micro found about 3000 Trojanized apps carrying the DressCode malware in the wild. Some 400 had made their way into the Play Store. Some, like a purported Minecraft version of Grand Theft Auto, are unlikely to draw enterprise users. But DressCode hides not only in games but, according to Trend Micro, in user interface themes and phone optimization boosters. The principal threat DressCode poses to enterprises is the ability to gain access to an infected phone and then move laterally to more sensitive precincts of a network.

Dave Bittner: [00:03:38:11] Researchers at Princeton University, Karlstad University and KTH Royal Institute of Technology demonstrate two proof-of-concept correlation attacks, which they're calling DefecTor, that could in principle de-anonymise Tor users. DefecTor is unlikely to appear in the wild, the researchers say. First, the attacks require considerable engineering resources, and second, Tor is expected to upgrade soon to foreclose the possibility of this sort of de-anonymisation.

Dave Bittner: [00:04:08:04] Ransomware, of course, remains with us, as Kaspersky researchers identify the growing popularity of remote desktop protocol exploits against targets in Brazil. Stolen or weak credentials place users at risk.

Dave Bittner: [00:04:22:03] The Yahoo breach may become the subject of a US Securities and Exchange Commission investigation, at least if some senators have their way. Breach disclosure rules the SEC promulgated in 2011 have been regarded by many as vague. There's some sentiment in the Senate that Yahoo may afford the SEC the test case it needs to firm those rules up. The SEC has yet to bring an enforcement action for failure to disclose a breach. In this, their colleagues in the Federal Trade Commission are clearly the hot pencil.

Dave Bittner: [00:04:51:12] The FTC has brought 60 successful data security actions since 2001. But there's some government ambivalence showing. Commerce Secretary Pritzker last week cautioned against blaming the victim in hacking cases.

Dave Bittner: [00:05:04:23] How the Yahoo breach will affect Verizon's planned acquisition of Yahoo's core assets remains to be seen.

Dave Bittner: [00:05:11:15] There's a dust-up between two notorious purveyors of stolen data. "Peace", best known for the MySpace hack and for claiming to have millions of Yahoo credentials available to sell (although not, investigators stress, the half billion stolen in the theft that's roiling Yahoo, Verizon, their customers and their shareholders), is at war with WORM, who trades mainly in data taken from news agencies. Peace defaced WORM's site on the grounds that WORM is a bad guy who's done Peace some unspecified wrong, and who's messed with the Hell Forum, a dark web market with a contentious, turbulent history.

Dave Bittner: [00:05:47:07] So in the case of Peace versus WORM, it's in the interest of the civilized world that both sides should lose.

Dave Bittner: [00:05:54:12] The Shadow Brokers resurfaced Saturday, miffed that no one is taking their auction of Equation Group tools seriously. Here's a sample of what they have to say. "Hello world! The Shadow Brokers are sending message number 2 weeks, but media no make big story? The Shadow Brokers is calling this message, message number three. The Shadow Brokers is realizing peoples is not thinking option is being real."

Dave Bittner: [00:06:20:11] We'll stop at this point because the diction swiftly becomes lurid and demotic in ways unsuitable for a family show, but you get the syntactic and semantic drift.

Dave Bittner: [00:06:30:04] Observers continue to draw attention to the Shadow Brokers' implausibly broken English. Motherboard calls it "Borat-like", and we've been reminded of F Troop's Hekawi. But with Saturday's emission it hit us: the Shadow Brokers are the male crocodiles from Steve Pastis's comic strip "Pearls Before Swine". Think about it, if you're not too hip to read the Sunday funnies in their dead-tree edition.

Dave Bittner: [00:06:53:23] Anyway, we think the answer to the question posed by message number three (it comes after message number two), for make benefit those of us who might be slow on the uptake, would be, "No, the peoples is not thinking auction as being real." The auction, if you're keeping score at home, is still stuck at 1.76 Bitcoin, or roughly $1,082, a bit south of the $1 million the Shadow Brokers is being asking the peoples to be opening the bidding on. Sorry, we hate it when we get infected with broken diction.

Dave Bittner: [00:07:30:15] Time for a message from our sponsor, Netsparker. You know web applications can have a lot of vulnerabilities. Of course you do, you're listening to this podcast, and, of course, every enterprise wants to protect its websites. But if you have a security team, you know how easy it is for them to waste time calling out false positives.

Dave Bittner: [00:07:47:07] Check out Netsparker. Their technology not only automatically finds vulnerabilities in web applications, but it automatically exploits them too, and even presents a proof of exploit. Netsparker Cloud scales easily. You can use it to automatically scan thousands of websites in just a few hours. Learn more at netsparker.com. But don't take their word for it: go to netsparker.com/cyberwire for a free 30-day, fully functional trial of Netsparker Desktop or Cloud. Scan your websites with Netsparker for a whole month, no strings attached. That's netsparker.com/cyberwire. And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:08:30:17] Jonathan Katz joins me. He's a Professor of Computer Science at the University of Maryland and Director of the Maryland Cybersecurity Center. Jonathan, I saw an article recently in SC Magazine, and they were talking about how ransomware criminals were increasing their use of asymmetric encryption. Can you help us understand what the difference is between symmetric and asymmetric encryption?

Jonathan Katz: [00:08:50:09] Sure. So, symmetric encryption is kind of what has been used historically for cryptography. And in such an encryption scheme, you have a single key that's used by both the sender and receiver. So, the sender will use the key to encrypt a plaintext and get a ciphertext, and the receiver will use that same key to decrypt the ciphertext and recover the plaintext. And in contrast, asymmetric encryption is what was invented in the 1970s and has become a lot more prevalent today, where you have different keys used for encryption and decryption. So, you have a public key, which is used by the sender to encrypt, and then a private key, which is used by the receiver to decrypt. And what's fundamentally different about public key encryption, and what makes it so useful, is that you can have many different senders all communicating with this receiver, because the public key, as the name suggests, can be public. So, anybody can encrypt a message using this publicly available public key, but only the receiver who has the corresponding private key will be able to decrypt.

Dave Bittner: [00:09:47:00] How is combining these two techniques an attractive thing for ransomware criminals?

Jonathan Katz: [00:09:52:24] Well, first of all, ransomware criminals are using public key encryption because it exactly exploits the same symmetry. So, what they'll do is they'll put the malware on your computer and then encrypt your files using the public encryption key in such a way that only the writer of the ransomware will have the corresponding private key and be able to decrypt. And then, of course, they ask you for money in order to be able to decrypt.

Jonathan Katz: [00:10:16:19] Now, what's interesting is that you can combine public key asymmetric techniques and symmetric key encryption to kind of get the best of both worlds, and to get the functionality of asymmetric encryption with the efficiency of symmetric key encryption. And what you do is simply use the asymmetric encryption to encrypt a short key, and then use that key for an asymmetric encryption scheme to encrypt the long data, the files or what have you. So, this is really giving the ransomware writers, unfortunately, the best of both, because they're able to very efficiently encrypt your files and then force you to pay them in order to recover them.

Dave Bittner: [00:10:51:10] Alright, clever bad guys. Jonathan Katz, thanks for joining us.

Dave Bittner: [00:10:57:09] And that's the CyberWire. A quick reminder: it's the first week of National Cyber Security Awareness Month in the US. The theme of the first week is Stop, Think, Connect: the basic steps to online safety and security.

Dave Bittner: [00:11:10:01] For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. And if you're interested in reaching a global audience of security influencers and decision makers, well, you've come to the right shop. Visit thecyberwire.com/sponsors to learn more.

Dave Bittner: [00:11:28:06] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I am Dave Bittner. CyberWire.