The CyberWire Daily Podcast 11.2.16
Ep 218 | 11.2.16

To disclose or not to disclose…in public. A look into the dark web. Chrome and Firefox disallow shaky certificates. Anonymous gets an incomplete. The Shadow Brokers are still after the Wealthy Elite.

Transcript

Dave Bittner: [00:00:03:13] Microsoft and Google disagree about when to publicly disclose a vulnerability. We get some industry reactions to the dispute. Terbium takes a good look at the dark web and finds it's not as uniformly sinister as many believe. Google and Mozilla move to reject dodgy certificates. NIST releases a job map. Anonymous gets a grade of incomplete in its trolling of ISIS. And the Shadow Brokers' news seems a bit old.

Dave Bittner: [00:00:33:18] Time for a timely message from our sponsors at E8 Security, putting your data together with E8's analytics for security that can handle the unknown unknowns. Consider what might warn you off to malware on your system. Listening or running programs on a rare or never seen before open port is one of them. It's easy to say that, but could you say what counted as rare or never seen before, or would that information jump out at you as you reviewed logs, if you had time to review your logs, and by the time the logs reached you the news would be old. With E8's analytical tools recognize and flag the threat at once, enabling you to detect, hunt and respond. Get the White Paper at e8security.com/dhr and get started. E8 security, your trusted partner and we thank E8 for sponsoring our show.

Dave Bittner: [00:01:25:10] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, November 2nd, 2016.

Dave Bittner: [00:01:31:04] Microsoft says the Windows zero-day Google publicly disclosed this week is being actively exploited by APT28, the Russian threat actor also known as Fancy Bear, a GRU operation best known for recent incursions into US political organizations. (Britain's MI5 is also raising an alarm about Russian intelligence services' growing activity in cyberspace.) Microsoft is upset with Google over the disclosure, which Redmond says has needlessly exposed Windows users to attack. A patch won't be available until next week at the earliest.

Dave Bittner: [00:02:04:11] Industry reactions are of two minds on this, as observers see both companies' points of view. The CyberWire heard from Fidelis Cybersecurity's John Bambenek, who thinks in general the public is better served by disclosure even if a patch isn't available. However, as he goes on to say, “There will always be a risk with acknowledging weakness. Even releasing patches can give adversaries the very clues needed to weaponize and exploit. This was very much true with Microsoft patches years ago, which have been largely mitigated by automated patching and rebooting within 24 hours of release." In general, he'd like to see disclosure go hand-in-hand with mitigation strategies wherever possible.

Dave Bittner: [00:02:46:02] EnSilo CTO and co-founder, Udi Yavo, draws the lesson that regulatory requirements should come to guide disclosure practices. He thinks the industry practice of allowing ninety days for mitigation until public disclosure should become a regulatory requirement. Google's researchers disclosed the vulnerability earlier because they saw it being exploited in the wild, as has been Google's company policy. Yavo gets the point, but thinks the quick public disclosure was unwise. "To me, this doesn't ultimately help achieve everyone's goal, which should be keeping consumers and their data safe. By disclosing a vulnerability early, without allowing time for a patch, Google opened up the small pool of people who found the vulnerability and knew how to exploit it, to all."

Dave Bittner: [00:03:31:14] Terbium Labs has a report out on the sinister-sounding dark web, which became famous in the popular mind during the Silk Road prosecutions. But while there's certainly bad stuff going on there - sales of contraband, nasty "adult" content, and so on - most of the activity on the dark web is perfectly innocent, or at the very least legal: it's just the Tor accessibility that makes the dark web dark. You can find Terbium's report, "The Truth About the Dark Web," at terbiumlabs.com/darkwebstudy.

Dave Bittner: [00:04:02:08] Mozilla and Google are in the process of revoking trust from certificates issued by WoSIgn and StartCom. RiskIQ gives the CyberWire a satisfyingly precise tally of the number of websites using certificates belonging to those two CAs: they put it at 762,649. You may begin to see, if you haven't already, "secure connection failed" warnings coming up for sites that depend upon WoSIgn or StartCom. The concern is that inadmissible SSL certificates can expose users to man-in-the-middle attacks, domain squatting, and redirection to phishing or pharming sites. Any of these, of course, present the risk of compromise or data loss.

Dave Bittner: [00:04:43:17] This week, in conjunction with the National Initiative for Cybersecurity Education meetings in Kansas City, NIST has released CyberSeek, an online tool showing where the security sector's jobs are. NIST worked out this online interactive map with CompTIA. It's an interesting look at the labor market. Check it out at cyberseek.org.

Dave Bittner: [00:05:06:01] When it comes to keeping personally identifiable information safe online, many people have turned to identity protection firms to keep an eye on their online identity, to make sure crooks aren't opening accounts in their names and so forth. Identity Guard is one of those companies, and we spoke with Jerry Thompson about a new offering they're calling Privacy Now, which makes use of IBM's Watson technology to try to stay one step ahead of the bad guys.

Jerry Thompson: [00:05:30:19] The challenge with identity protection is that it's reactive. We're monitoring and scouring but when we find you, the damage is already done. About 90% of all the data that's available about you on the internet is called unstructured. It's in places like social media, professional websites. There was no ability for us to monitor that nor anybody else unless we use the technology like Watson from IBM, which is an artificial intelligence technology, that allows us to funnel massive amounts of data through that artificial intelligence engine to find the pieces of information about you that we can glean, so that we can do predictive or proactive protection for you.

Jerry Thompson: [00:06:19:08] We know from all of the algorithms and the models that we run that, with about 98% certainty, we can predict identity malfeasance or privacy intrusions for you or your family members if we are running it through the IBM Watson model.

Dave Bittner: [00:06:38:09] Can you take me through an example of how the system would work, of a sample attempted attack and how this system could catching things that previous methods could not?

Jerry Thompson: [00:06:50:16] You have told us about your children as part of a process of getting to know you. We see that your son or daughter is posting fairly innocent and innocuous Snapchat videos. However, it is not Snapchat, it's another service and they're not just going to a friend but they are going out to the wider internet. While there's nothing wrong with them, your kids are being exposed because they are now identifiable to a larger community on the internet. So we will tell you that, "Hey, while the videos are okay, be careful and cautious because thousands of people are seeing them and they could potentially target your children." Because we can scour the internet and look for all of this identifiable data, we can give you pieces of information that will help protect you and your family members from any kind of malfeasance that's out there.

Dave Bittner: [00:07:44:15] What about my personal information being scooped up and sold online?

Jerry Thompson: [00:07:49:04] If somebody is going to hack a major medical provider, we cannot stop the hack, but we can identify your exposure in near real time, and near real time is 30 seconds to three minutes. As soon as that information hits the dark web and is for sale, we can identify it. We're very confident we can identify it and then we can work with you to mitigate that exposure.

Dave Bittner: [00:08:13:13] That's Jerry Thompson from Identity Guard.

Dave Bittner: [00:08:17:14] ISIS territory continues to shrink, and its opponents turn to information operations against the Caliphate's coming diaspora. Various Anonymous-affiliated hackers have been after ISIS for some time; it's unclear, says Motherboard, with what effect. Give Anonymous an incomplete, and note that the hacktivist collective is predictably skittish about being seen as too cozy with governments, even its allies of convenience against ISIS.

Dave Bittner: [00:08:44:02] Analysts have now sifted through the Shadow Brokers' "Trick or Treat" data dump and find it mostly old news. The servers listed apparently weren't in Equation Group use after 2010. The Shadow Brokers are still grumping about the wealthy elites, how somebody ought to do something about the US elections, and maybe the Shadow Brokers will. Above all, how come no one's bidding on all those Equation Group exploits the Brokers are auctioning off? "Come on, sheeple, take your heads out of the sand," or so the Brokers might say, you Amerikanski you. Anyway, free elections, free beer, so we hear. And if you're taking orders, Brokers, make ours a Natty Boh.

Dave Bittner: [00:09:27:17] Time for a word from our sponsor, Delta Risk. You've heard, of course, that those who fail to plan, plan to fail. Sure, that's a bit of a cliché, but it's true nonetheless. Delta Risk is here to help you plan. Companies focus on preventing cyber incidents and they should, but they also need to realize that all prevention will, in all likelihood, at some point fail and, when that happens, you don't want to be improvising on an incident response. Delta Risk, a Chertoff Group company, has been in the business of helping enterprises improve their cybersecurity and protect their business operations since 2007. If you don't have an incident response plan, or if you're not sure you've got a good one, test yourself against the challenges Delta Risk outlines in their White Paper: Top Ten Cyber Incident Pain Points. Are you prepared? You can download it at delta-risk.net/topten. That's delta-risk.net/topten. Download the White Paper and check it out, and we thank Delta Risk for sponsoring the CyberWire.

Dave Bittner: [00:10:32:17] Joining me once again is Ran Yahalom from Ben-Gurion University. Ron, I know a lot of your research has to do with USB devices and I thought today we'd talk about ways that people hide data on USB devices.

Ran Yahalom: [00:10:44:06] Well, there are some very simple basic data hiding tactics. For example, you can always write malware that writes into the master boot record of partitioned devices or, alternatively, into a volume record. There is not a lot of space there available for writing but, for example, you can override the boot sector or other different areas. Those are pretty basic attacks. They are useful for holding certain values but not a lot of data. Other methods include writing inside reserve sectors, for example on a FAT partition if it has any reserve sectors, and even a more complex method would be to write into certain clusters on the partition and then just go back to the FAT table and, for example, mark them as bad clusters or used clusters so they might go unnoticed by the operating system's driver. You can also sometimes, if you really want to hide your data, go to the root directory table and then just delete the entries that lead to those clusters and then they won't be visible.

Ran Yahalom: [00:11:56:02] There have been more complex methods. For example, let's consider the Fanny malware. According to Kaspersky Lab's Global Research and Analysis Team, Fanny is a computer worm that is thought to have been created by the Equation Group way back in 2008, and distributed throughout the Middle East and Asia. Its main purpose was apparently to map air gap systems, and it was able to spread by exploiting the same vulnerabilities that were exploited by the famous Stuxnet or flame worm. So, when a USB stick is infected by Fanny, Fanny creates a hidden storage area on the stick using its own FAT file system driver. If an infected stick is plugged into a computer without an internet connection, Fanny will collect basic system information and save it onto the hidden area of the stick.

Ran Yahalom: [00:12:44:02] Later on, when the stick containing the hidden information is plugged into an internet connected computer, the data will be scooped up from the hidden area and then sent to a control center. How exactly is this done? Well, Fanny simply changed entries in the root directory table, so that they would be ignored by the file system drivers as if it were a data corruption or a bad block. As a result, this entry is not visible in Windows, Mac OS or Linux and it is probably not visible to all other implementations of any FAT driver. However, the Fanny malware is able to recognize those entries because it makes them using the magic value. So, with the help of its own FAT driver, it looks into the root directory and locates the entry which starts with the magic value. Then it navigates to the address on the partition that appears right after a special flag value in that entry, and this address will have a different magic value serving as a marker for the beginning of the hidden storage. So, you see, it's a very complex attack, all done by manipulating the FAT file system.

Dave Bittner: [00:13:51:16] Are there any ways that people can protect themselves from these sorts of attacks?

Ran Yahalom: [00:13:55:14] It pretty much usually goes undetected because it's very hard to detect these things, even by conventional or non-conventional forensic tools, because you simply don't know what you're looking for. The Equation Group is widely known for using encryption to protect its data. Specifically the Fanny did not make enough to encrypt data but, had it done that, you would not be able to distinguish between actual corrupt binary data or encrypted data, so it's very hard to detect these things. .

Dave Bittner: [00:14:28:15] Ran Yahalom, thank you for joining us.

Dave Bittner: [00:14:33:04] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire Podcast is produced by Pratt Street Media. Our Editor is John Petrik, our Social Media Editor is Jen Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.