The CyberWire Daily Podcast 1.28.16
Dave Bittner: [00:00:03:17] Israel utility attack looks like ransomware. Update on Ukraine grid hack. ISIS information ops continue to look better than its hacking, but the Cyber Caliphate isn't giving up—they say they're going to take down Google. Dodgy apps for both Apple and Android appear—one from Apple. Oracle starts down the path of retiring Java browser plugins. Congress wants answers on Juniper's backdoored ScreenOS, and gives Federal agencies two weeks to come up with them.
Dave Bittner: [00:00:33:01] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute providing the technical foundation and knowledge needed to meet our nation's growing demand for highly-skilled professionals in the field of information security, assurance and privacy. Learn more on line at isi.jhu.edu
Dave Bittner: [00:00:55:19] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday January 28th 2016.
Dave Bittner: [00:01:01:23] Yesterday's attack on the Israeli power grid turns out to amount to less than it first thought. The group attacked, the Israel Electric Authority, is a regulatory body whose network is quite unconnected to utilities networks, still less connected to control systems. The attack seems to have been real enough but it also appears to have amounted to spear phishing with ransomware payloads and that, of course, would account for why there was no effect on power distribution.
Dave Bittner: [00:01:27:15] The Ukrainian power grid hack remains both interesting and complicated. Reuters reports that another, unnamed, utility was compromised back in October, and that the attackers were able to gain access by exploiting users' naiveté about phishing, and by utility network operators' willingness to connect control systems they ought by policy to have left air-gapped.
Dave Bittner: [00:01:48:00] The BlackEnergy3 malware dropped by phishing payloads still does not strike investigators as directly implicated in control system manipulation. But researchers at SentinelOne have determined that BlackEnergy did include a network sniffer.
Dave Bittner: [00:02:02:03] A Ukrainian telecoms engineer has told the Register that attribution of the attack to Russia is a provocation, a put-up job by Ukraine's government to whip up popular anger against its large and menacing neighbor. ESET (which did much of the initial investigation of the incident) when asked about the attribution points out, sensibly, that attribution is a slow and difficult process. While the association of BlackEnergy with Russian threat actors is fairly well-established, evidence of Russian responsibility for the attack remains circumstantial. (But one would have to note that evidence of Ukrainian provocation is less-than-circumstantial, resting as it does largely on the theoretical possibility.)
Dave Bittner: [00:02:41:07] The grid hack continues to alarm those who concern themselves with industrial control systems. There's much talk of the risks involved in networking such systems. And, to take one expert's opinion, Rob Joyce, chief of the US NSA's Tailored Access Operations (also known as TAO), yesterday told a conference in San Francisco that, "SCADA security is something that keeps me up at night." He commended the problem to industry and academic researchers.
Dave Bittner: [00:03:08:12] The ISIS-affiliated "Cyber Caliphate" is reported to be working on an unspecified attack against Google. Elsewhere on the ISIS cyber-front, the alleged security capabilities of the Alrawi messaging app, discussed recently by the Ghost Security Group, are now pretty conclusively debunked—not even Ghost Security seems to believe they amount to much. So far, then, ISIS cyber capabilities remain more aspirational than actual.
Dave Bittner: [00:03:33:04] Their information operation capabilities, on the other hand, remain very real. Retired US Army Lieutenant, General Jim Dubik, argues in an Army Magazine opinion piece that winning against ISIS will require defeating the group's narrative. US Secretary of Defense Carter has given Cyber Command marching orders to increase its operations against ISIS, and a Passcode poll shows sentiment among "influencers" now running narrowly in favor of nudging tech companies to do more to impede ISIS messaging.
Dave Bittner: [00:04:01:12] In other cyber risk news, FireEye warns that JSPatch, an open-source hot-patching tool available to apps in the Apple App Store, is vulnerable to exploitation. JSPatch could allow malicious actors to work around the review protections built into the Apple Store's "walled garden."
Dave Bittner: [00:04:18:08] Oracle announces that it will deprecate the notoriously risky Java browser plugin with Java version 9, and will remove it entirely in a subsequent release.
Dave Bittner: [00:04:28:12] Heimdal warns of a renewed, vigorous CryptoWall 4.0 campaign, and suggests that it might be preparing the way for a more dangerous CryptoWall 5.0 ransomware effort. Bleeping Computer reports discovery of a new ransomware strain, "7ev3n," we'll also call it “seven,” which is demanding a fairly pricey ransom: 13 Bitcoin, which comes to about $5,000 US.
Dave Bittner: [00:04:54:07] Symantec describes a new strain of Android ransomware, "Android.Lockdroid.E," which uses clickjacking to acquire admin privileges on the targeted machine. The malware is available as an app, but not, one is happy to note, from the Google app store. So, Android users beware of downloading dodgy apps from third-party stores, or torrent sites.
Dave Bittner: [00:05:15:15] Members of Congress appear to have lost patience with US executive agencies' failure to account for and report on their vulnerability to compromise through the backdoor in Juniper Networks ScreenOS . The House Oversight and Government Reform Subcommittee on Information Technology wants answers within two weeks. The subcommittee chair, Texas Republican representative William Hurd, takes to the Wall Street Journal's op-ed page to call the vulnerability "the breach you haven't heard of." Homeland Security and other departments are investigating.
Dave Bittner: [00:05:46:08] Another rogue Google extension, "iCalc," poses as a calculator app but in fact, say researchers at Malwarebytes, installs spyware on unwary users' devices. (In a minor cruel twist, it doesn't even function as a calculator…I mean, come on criminals, really?)
Dave Bittner: [00:06:05:12] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning co-working space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at Betamore.com.
Dave Bittner: [00:06:25:12] Joining me is John Petrik, Editor of the CyberWire. John, in the global arena what makes the US-China relationship so challenging?
John Petrik: [00:06:32:21] There is nothing mysterious really about why it's challenging. You have two countries that aren't enemies, they're not adversaries in that sense, they're huge trading partners with one another. It's difficult to imagine the Chinese or the American economies without one another. They have diplomatic relations with one another, there are all kinds of exchanges between the two countries. There are all sorts of relationships there but there's also this fraught competition. So they're competitors who depend upon each other and that makes for a difficult relationship.
Dave Bittner: [00:07:05:15] What are the Chinese capabilities in cyberspace?
John Petrik: [00:07:08:17] If you look at things that the US Cyber Command has published recently there's a lot of talk about the United States facing a peer competitor, a technological peer competitor in cyberspace. Peer competitor is an interesting term, the last peer competitor we had in general military terms was the Soviet Union. Since the Soviet Union went away the United States really hasn't had a clear peer competitor. So a peer competitor is somebody who has about the same kinds of capabilities that you have and can do many of the same things you can do. The People's Liberation Army, and it's a third department specifically which is responsible for cyber, certainly has capabilities or analogous to those that the US Cyber Command has.
Dave Bittner: [00:07:52:06] And this goes beyond just your run-of-the-mill spy versus spy espionage?
John Petrik: [00:07:57:09] Yes, it does. The Chinese have explicitly avowed that they have an offensive cyber capability. That's a declared capability, they declared that last year formally. So they want people to know that and there's no reason to think that they don't have that capability, they surely do. That kind of capability is more than just the modernized version of old signals intelligence, this is the ability to damage systems, to manipulate information, to do all the sorts of things that we associate with offensive cyber operations.
Dave Bittner: [00:08:29:19] And what is the United States doing in terms of deterrents?
John Petrik: [00:08:33:01] For deterrents to work and deterrents as a concept that really has its own historically in the cold war, it's nuclear deterrents is where all these concepts developed. So what you have, if you've got deterrents is you've fundamentally have two rational actors who are competing with each other and each one is able to hold something vital of the others at risk. Whether it be a capability, whether it be their people, whatever it is they value you hold it at risk. And the basic idea is that you're telling the opponent I have this capability and if you use your similar capability against me, expect retaliation or if you do these certain things you can expect us to do this. And the goal is that they won't do it, that both sides will be deterred from acting this way. It's not clear yet how well it will work out in cyber space or even if it works out at all in cyberspace.
Dave Bittner: [00:09:26:15] Alright, John Petrik, thanks for joining us.
Dave Bittner: [00:09:31:03] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more visit the CyberWire.com. The CyberWire podcast is produced by CyberPoint International and our Editor is John Petrik. Thanks for listening.