The CyberWire Daily Podcast 1.29.16
Dave Bittner: [00:00:03:03] Spear phishing continues to work, and both allies and adversaries continue to snoop on one another. Utilities work to shore up their defenses, and experts warn them not to over-rely on incident response. ISIS may be trying to hire hackers in India. HSBC sustains a denial-of-service campaign against its online banking services in the United Kingdom. The RSA Innovation Sandbox's ten finalists are announced. In the US, NIST and the FDA post draft cyber guidelines. An audit suggests that Homeland Security's Einstein is no Einstein. Safe Harbor seems farther away. And whatever you do, Facebookers, don't be like Bill.
Dave Bittner: [00:00:42:08] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly-skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.
Dave Bittner: [00:01:05:02] I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, January 29th, 2016.
Dave Bittner: [00:01:12:04] Some notes on surveillance of Israeli targets by foreign intelligence services surface at week's end. Israeli officials cite leaks as they say British and American agencies monitored Israeli air force communications. Other sources claim Iran targeted Israeli generals in extensive spear phishing campaigns. (And more targets than one might expect opened the emails and consequently leaked information.)
Dave Bittner: [00:01:34:18] The post-mortem on Ukrainian grid incidents continues to focus on BlackEnergy and its distribution through compromised Word files. As utilities in the US and elsewhere look to their defenses, control system security experts warn that incident response—a staple of cyber defense in other sectors—is a bit more complicated in the industrial control system world. Dark Reading's interviews with experts surface two issues. First, availability is a matter of central concern to utilities. Their industrial control systems can't simply be taken offline without extensive, reliable backup. And second, cyber incident responders, including digital forensic experts, tend to be unfamiliar with ICS. As ICS security expert, Joe Weiss, told the CyberWire recently, "securing control systems in all industries is very different from securing business IT systems."
Dave Bittner: [00:02:24:06] FinFisher spyware has shown up in some Australian data centers. Hack Read, for one, points at Indonesia as a likely suspect, that country's presumed motive being "revenge" for alleged Australian surveillance of Indonesia. Both Australian and Indonesian agencies are reported to be FinFisher customers.
Dave Bittner: [00:02:41:22] Disturbing reports suggest that ISIS has begun recruiting hackers in India, offering monetary incentives to hack for the Caliphate. The India Times says that ISIS is willing to pay $10,000 for information stolen from government networks. This seems to be hacking-for-hire as opposed to an attempt to build a stable of coders that would give ISIS a credible cyber offensive capability, but there's certainly the potential for this effort to develop in more troubling directions. Offering money should lend urgency to government's efforts to disrupt ISIS finances.
Dave Bittner: [00:03:12:24] HSBC's online customer banking sites have been disrupted by a significant distributed denial-of-service attack. The attack, remediation of which is in progress as we go to press, comes at an inconvenient time for British banking customers—it's not only messing with end-of-month payroll disbursements, but also with freelancers' ability to meet a tax deadline. BugSec and Cynet (that's C-Y-N-E-T, not to be confused with the other SINET, S-I-N-E-T) report finding a vulnerability in LG Android phones that could be exploited for data theft. The vulnerability lies in Smart Notice, a pre-installed widget that manages a range of notifications and alerts. LG has patched the bug.
Dave Bittner: [00:03:51:20] In other patching news, a Cisco firmware update closes a hole in that company's RV220W Wireless Network Security Firewall devices. And OpenSSL fixes an encryption weakness: its cryptographic library could, if so instructed, have reused prime numbers.
Dave Bittner: [00:04:07:19] In industry news, Proofpoint, Check Point, and Fortinet all posted encouraging numbers this week, so investors are breathing a bit easier about them. Check Point says it's "evaluating acquisitions, big and small."
Dave Bittner: [00:04:20:07] And the RSA Conference announces the ten finalists in its annual Innovation Sandbox competition. Congratulations to them all. The finalists, in alphabetical order, are Bastille Networks, illusive Networks, Menlo Security, Phantom, Prevoty, ProtectWise, Skyport Systems, Vera, and Versa Networks. The CyberWire will be covering RSA in San Francisco the first week in March, and we're looking forward to seeing the finalists in the Sandbox.
Dave Bittner: [00:04:46:00] Turning to emerging standards, the US National Institute of Standards and Technology is soliciting comment on its draft publication on random number generation, a topic of vital importance to cryptography.
Dave Bittner: [00:04:57:10] And the US Food and Drug Administration has a draft set of guidelines on improving medical device cyber security. The FDA would also welcome comment.
Dave Bittner: [00:05:05:18] In policy news, both Indonesia and Malaysia take steps to counter jihadist messaging and direct action.
Dave Bittner: [00:05:12:07] Safe Harbor renewal increasingly seems a forlorn hope, as US efforts to accommodate European concerns over privacy find little transatlantic love.
Dave Bittner: [00:05:21:16] The US Department of Homeland Security's well-known "Einstein" cyber security system, more formally known as the National Cybersecurity Protection System, may not, an internal assessment finds, be returning good value on its $6 billion investment. Defense One writes that Einstein "does not scan for 94% of common computer vulnerabilities, but that's not all of its shortcomings." The audit also found poor performance against Advanced Persistent Threats, coverage for only a small set of vulnerabilities, inadequate information-sharing capabilities, and an inability to spot zero-days until they're no longer zero.
Dave Bittner: [00:05:57:11] Canadian government watchdogs find that the country's Communications Security Establishment improperly collected Canadian citizens' information. The CSE is said to be moving toward some reduction in its cooperation with the other four of the Five Eyes: Australia, New Zealand, the United Kingdom, and the United States.
Dave Bittner: [00:06:15:10] And finally, if you're a Facebook user, take care before interacting with one of the current memes: "Be Like Bill." "Be Like Bill" posts use a cutesy stick figure generated from the Blobla website to give advice about keeping your updates non-obvious, and similar social media Emily-Postisms. Unfortunately, those who like the winsome stickman may find that an evil William got there first: scammers are tricking aspiring Bills into entering their Facebook credentials, then exploiting them to hijack accounts. So…don't be like Bill.
Dave Bittner: [00:06:49:24] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning co-working space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at Betamore.com.
Dave Bittner: [00:07:09:18] I'm joined once again by Joe Carrigan. He's a Senior Security Engineer at the Johns Hopkins University Information Security Institute; they're one of our academic and research partners. Reverse engineering, I know this is something that you have a lot of background on. Let's just start with the basics. Why reverse engineer something?
Joe Carrigan: [00:07:26:18] Right, so I'll give you an example from my career. When I was a young software engineer people would come to me and say "hey, we have this software package that does a very essential task but now it's outdated so we need to update it, so write us a new one, and make sure it does everything this one does". So I would have to actually sit down and figure out what it was and how it worked, then write software that replaced it.
Dave Bittner: [00:07:50:16] That's as simple as bringing something that's older up-to-date?
Joe Carrigan: [00:07:53:18] Correct.
Dave Bittner: [00:07:54:23] But in the case of malware, walk me through the process of reverse-engineering malware.
Joe Carrigan: [00:08:00:23] Right, well, it's the same kind of discipline that applies. Let's say I'm a security company, I've captured some malware from the wild, I want to know what it is and what it does. I can put the malware into a sandbox environment and then monitor its behavior. I can also do the same thing with the malware that I did with my old software, where I can decompile it and see what it is that it does and, hopefully, I can get some source code out of it, provided that the malware actually isn't encrypted with some key.
Dave Bittner: [00:08:26:08] So there are cases where the malware is actually sort of trying to actively defend itself from being reverse-engineered?
Joe Carrigan: [00:08:32:11] Absolutely.
Dave Bittner: [00:08:33:04] What happens in a case like that?
Joe Carrigan: [00:08:34:20] In a case like that, what normally happens when there's successful reverse-engineering is somehow they get a hold of the key. They find the key because that key has to exist somewhere for the malware to decrypt its functionality. Now it's a combination effort, so you're monitoring it in its sandbox environment to see when it accesses the encryption key, so it decrypts the part of itself that it needs.
Dave Bittner: [00:08:56:02] What's the balance between the practical applications of this and something that's more pure research?
Joe Carrigan: [00:09:01:00] Well, practical applications are developing software that does what old software did and it also helps in developing a signature for malware so that you can detect the malware.
Dave Bittner: [00:09:11:23] Alright, Joe Carrigan from Johns Hopkins Information Security Institute, thanks for joining us.
Joe Carrigan: [00:09:15:21] My pleasure.
Dave Bittner: [00:09:18:11] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit theCyberWire.com. Look for our week in review podcast coming later this afternoon. And one more thing, a favor: if you enjoy the CyberWire podcast, please go on iTunes and review the show. It really does make a difference and helps us spread the word. Thanks.
Dave Bittner: [00:09:39:01] The CyberWire podcast is produced by CyberPoint International, and our Editor is John Petrik. Thanks for listening.