The CyberWire Daily Podcast 12.13.16
Ep 244 | 12.13.16

SWIFT issues new fraud warnings. US investigates Russian influence operations. Patch news. Wages of sin are in-game purchases?

Transcript

Dave Bittner: [00:00:03:19] SWIFT warns member banks of ongoing attempts at fraudulent funds transfer. US investigation of Russian influence operations continues, with bipartisan support. German fears of Russian election hacking persist. Apple iOS, McAfee VirusScan Enterprise, and AirDroid get patches. Tor releases a browser with upgraded anonymity. And some guy steals a million so he can spend it on in-game purchases.

Dave Bittner: [00:00:33:09] Time for a message from our sponsor, Netsparker. Are your security teams dealing with hundreds of vulnerability scan results? Netsparker not only automates scanning but it verifies the exploits it finds too. Reduce alert fatigue and improve security with Netsparker. Not only will your protection improve but your costs will drop and that's a good deal in anyone's book. Netsparker's automated approach to web application scanning lets your security team concentrate on the things best left to the human beings. Find out more about Netsparker desktop and Netsparker cloud. Whether you're pen testing or securing your enterprise online, you'll find what you need at Netsparker.com.

Dave Bittner: [00:01:11:08] And check this out, you can try it out for free with no strings attached. Go to Netsparker.com/Cyberwire for a 30 day fully functional version of Netsparker desktop. And by fully functional, we mean yes, really, really actually truly fully functional. Scan the websites with no obligation. That's Netsparker.com/CyberWire, and we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:43:21] I'm Dave Bittner, in Baltimore with your CyberWire summary for Tuesday, December 13th, 2016.

Dave Bittner: [00:01:50:19] SWIFT, the international funds transfer organization, has warned its member banks that attacks on the networks have continued since the Bangladesh Bank suffered a significant loss of funds almost a year ago. "The threat is very persistent, adaptive and sophisticated," said a letter from SWIFT obtained by Reuters, "and it is here to stay." SWIFT is characterized as reluctant to say how many banks had been affected, or how much money has been lost, but one of the system's security leaders acknowledged that there had been "a meaningful number of cases."

Dave Bittner: [00:02:22:04] Some of the local banks were compromised through technical support systems, which represents a new wrinkle in the attack technique.

Dave Bittner: [00:02:30:12] As bipartisan investigation of Russian influence operations continues in the US, President-elect Trump's skepticism over attribution prompts fruitful discussion of the topic. The President-elect is skeptical about attribution generally, wondering how you'd know who was in your network unless you caught them in the act. There are, of course, many forensic techniques that can help reveal who was responsible for a cyber event. The US Intelligence Community says it has "high confidence" in its attribution of influence operations to Russia. CrowdStrike goes farther, placing their confidence at "100%". The Democratic National Committee brought in CrowdStrike to investigate a suspected compromise of its networks back in May, and CrowdStrike is quite sure it caught both Fancy Bear and Cozy Bear, respectively the Russian intelligence services GRU and FSB, red-pawed in the systems.

Dave Bittner: [00:03:24:06] It's worth noting two things. First, while attribution is indeed tricky and often uncertain, there's a general consensus that in fact Fancy Bear in particular doxed the DNC and leaked discreditable emails through (probably) Guccifer 2.0, DCLeaks, and WikiLeaks. Second, the Russian activity has generally been characterized as an information operation, that is, an attempt to influence voter perceptions and choices during the election, and not an attempt to directly manipulate the vote tallies.

Dave Bittner: [00:03:54:08] The evidence that the Russians favored candidate Trump over candidate Clinton largely comes down to the relative paucity of evidence that Republican networks were similarly compromised. There were some early releases of Republican emails, mostly anodyne and routine communications among party members, organizers, and donors, but these slowed to essentially nothing after the parties had concluded their nominating process. Since there's no reason to suppose that Republican security was markedly superior to Democratic security, and since it's unlikely that any political organization could long withstand the attentions of a leading nation-state's intelligence services, the conclusion most drawn is that the Russian government favored Trump.

Dave Bittner: [00:04:35:15] In any case, there appears to be a solid bipartisan determination in Congress to get to the bottom of things, and the President has also directed that an investigation be done.

Dave Bittner: [00:04:45:22] Few think Russian interest in information operations ended with the US elections. German authorities continue to express concerns that their elections have become the next target of Russian operations. Other observers see former Soviet Republics and Warsaw Pact countries as likeliest to receive the ministrations of Russian intelligence services.

Dave Bittner: [00:05:06:19] Returning with some relief to more ordinary forms of cyber crime, we note that a new cryptocurrency, Zcash, has already drawn the attention of crooks. Kaspersky reports that criminals are installing mining software on victim machines to accumulate a stake in Zcash. Older cryptocurrencies like Bitcoin are for various reasons less susceptible to this form of manipulation.

Dave Bittner: [00:05:30:24] As we head toward the end of the year and into the next, there's an important sunset on the horizon. The SHA-1 digital certificate standard is being phased out and being replaced with SHA-2. We checked in with Venafi's Kevin Bocek for the low down on the transition.

Kevin Bocek: [00:05:45:07] Hashing algorithms are only as good as they can create a unique output, and unique output that is not vulnerable to what's called collision. Collision is when we can create another hash and generally again, a hash algorithm's a fingerprint. You put in one number and you'll get out a completely unique number on the other end. And these collisions then when you have the ability to create essentially a forgery: something that is a duplicate of something that's supposed to be unique is a big, big problem. So the great thing is that both the browser, the operating system and the certificate authority world have realized this and finally we're going to be saying goodbye, or at least not trusting SHA-1 fingerprinted certificates anymore in the browsers and operating systems that we all use on our desktops, laptops and mobile devices.

Kevin Bocek: [00:06:53:01] So sunsetting will happen officially in February 2017, when our browsers, whether that be Microsoft Edge, Microsoft Internet Explorer, Apple Safari, Google Chrome, finally will display the insecure, not trusted, your connection is not private warning in all the browsers.

Dave Bittner: [00:07:17:15] And so what's involved in making the switch? How hard is it to upgrade from SHA-1 to SHA-2?

Kevin Bocek: [00:07:23:20] You've gotta know what you're using. So you've gotta know all the digital certificates that you are in fact using, which requires getting intelligence about what's deployed publicly, what might be inside your network, what might be deployed now out in cloud services or hosted by third parties. You then have to triage. You have to fix and replace these keys and certificates, get new SHA-2 certificates that have been issued for a few years by certificate authorities now. And as you're going through this whole process, validate that it's actually occurring to your policy, and validate that you've actually successfully replaced your old SHA-1 certificates or, gosh forbid you've got MD5 certificates, which we still see, replaced now with secure SHA-2 certificates.

Kevin Bocek: [00:08:18:15] That entire process doesn't happen by accident. That entire process, certainly, to a lot of security teams, network teams working in businesses or governments is difficult and that's why they're increasingly looking to automation, to systems to help them find out what they've got and walk them through their process and validate it.

Dave Bittner: [00:08:40:16] That's Kevin Bocek from Venafi.

Dave Bittner: [00:08:44:16] Several patches and upgrades are out this week. An alpha version of a sandboxed Tor browser was released over the weekend, promising more reliable anonymity. Apple has addressed twelve vulnerabilities in iOS 10.2. AirDroid has also received security updates that close off the possibility of recently discovered exploits. And, pushed by a vulnerability researcher, McAfee has shuttered ten holes in its VirusScan Enterprise security product.

Dave Bittner: [00:09:12:17] And finally, in crime and punishment, the Bulgarian Avalanche hacker Krasimir Nikolov has been extradited to the US, where he will stand trial thanks to the alert work of the alert G-Men of the FBI's Pittsburgh squad.

Dave Bittner: [00:09:26:17] Avalanche was elusive, and so was our final criminal-of-the-day. But it's difficult to see how this second gentleman escaped arrest as long as he did. Consider, if you will, the case of one Mr. Kevin Lee Co, late of Sacramento, California. Mr. Co is reported to have copped to a plea of embezzling some $4.8 million from his employer between 2008 and 2015. A thought experiment, if you will. If you were he, pause and imagine how you might spend your take. Snazzy cars? Check. Plastic surgery? Depends, but, okay, check. Season tickets for the 49ers and the Sacramento Kings? Check and double check. But that’s only $3.8 million or so. Here's where you may part imaginative company with Mr. Co. He spent $1 million on in-game purchases for Game of War. We hope the digital armor and virtual siege engines were worth it. Mr. Co is expected to become a resident of Club Fed sometime in the spring.

Dave Bittner: [00:10:32:08] Time for a message from our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever.

Dave Bittner: [00:10:56:13] We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily and if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to Recordedfuture.com/Intel and subscribe for free threat intelligence updates from RecordedFuture. That's Recordedfuture.com/Intel and we thank RecordedFuture for sponsoring our show.

Dave Bittner: [00:11:25:11] Joining me once again is Ben Yelin, he's a senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. Interesting article in Ars Technica. An appeals court has ruled that "it does not matter how a wanted man is found, even if it is via a stingray." There's some interesting stuff going on here. Fill us in.

Ben Yelin: [00:11:47:11] Sure. So this case is called United States v. Patrick and it took place in the Seventh Circuit Court of Appeals. And the majority held in that case, it was a three judge panel, that because there was an outstanding arrest warrant for the defendant in this case, the defendant had forfeited his reasonable expectation of privacy and therefore a warrant was not required to use a stingray device to identify his location. Basically the judge said, "Once you have an outstanding arrest warrant you have forfeited that reasonable expectation of privacy therefore it doesn't really matter what method law enforcement uses to find you. It can be a police informant, it can be a location identifying device like a stingray."

Ben Yelin: [00:12:35:03] This is somewhat of a workaround of the really serious issues that are invoked with stingrays about whether in general there needs to be some framework within law enforcement as to whether warrants are required and what that process should be.

Dave Bittner: [00:12:49:04] Yeah, I thought it was notable that there was a lengthy dissent. The Circuit Chief Judge, Diane Wood, concluded, she said, "It's time for the stingray to come out of the shadows so that its use can be subject to the same kind of scrutiny as other mechanisms." And she listed things like thermal imaging devices, GPS trackers and so forth. You know, it just, it strikes me that these stingray devices really seem to be a catalyst for a lot of interesting tests and conversations about our fundamental right to privacy.

Ben Yelin: [00:13:20:00] Absolutely and this dissent carries a lot of weight. Diane Wood is a very prominent Circuit Court Judge. She was considered for a Supreme Court appointment by President Obama in both 2009 and 2010. And I think she brings up a very good point. Because of the secrecy surrounding this device and because of the haphazard way it's been implemented across different jurisdictions, both at the state and local level, the judicial branch knows very little about it. And I think that gets to the broader point that she brings up, that it's time for the judicial branch to come up with some sort of framework to evaluate this device. They've done so with all different types of devices. There's been cases on thermal imaging, on GPS trackers, on pen registers. The judicial branch is slow, but they do have an obligation to keep up with the technology, especially because this is such a novel issue.

Dave Bittner: [00:14:13:10] All right, we'll keep an eye on it. Ben Yelin, thanks for joining us.

Dave Bittner: [00:14:19:00] And that's the CyberWire. Thanks to all of our sponsors who make this CyberWire possible.

Dave Bittner: [00:14:23:05] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.