The CyberWire Daily Podcast 2.8.16
John Petrik: [00:00:03:20] A hacktivist doxes the FBI and DHS. Her Majesty's and Revenue and Customs is compromised for fraudulent tax returns. Banking Trojans are looking more like APTs. Anonymous undertake some operations over the weekend. Cyber stocks sell off. And a question: should China reign in North Korean hackers?
Dave Bittner: [00:00:26:12] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jsu.edu.
John Petrik: [00:00:48:20] This is John Petrik, the CyberWire's editor, in Baltimore, filling in for Dave Bittner with your CyberWire daily podcast for Monday, February the 8th, 2016.
John Petrik: [00:00:58:00] A hacktivist who "wishes to remain anonymous," as Motherboard rather primly puts it, releases what he alleges are personal data on some 20,000 FBI employees and about 8,000 US Department of Homeland Security personnel. It's so far unconfirmed whether the contents of the release, which have the look of information culled from staff directories, are genuine. The hacktivist told Motherboard that he made his way into networks at the Justice Department by posing on the telephone to a help desk as a befuddled new employee, and gained his credentials that way. There's no further identification so far of the gentleman, who wishes to remain anonymous, but the data dump was accompanied by a pro-Palestinian message.
John Petrik: [00:01:39:21] Anonymous was active on several fronts over the weekend. None of them, however, appeared to be on the anti-ISIS front. The hacktivist collective, under it's #OpAfrica banner, is reported to have doxxed government sites in Ethiopia, Sudan, South Sudan, South Africa, Tanzania, Rwanda, Uganda and Zimbabwe. Their proclaimed goal is exposure of corruption.
John Petrik: [00:02:01:17] On Friday an Anonymous affiliate, AnonPlus, noting that "we're at war," struck at the very dark heart of evil itself, which is to say they struck at the government of York County, Pennsylvania, posting a manifesto advocating returning sovereignty to the people. This would be accomplished, they say, by suppressing war, religions, what AnonPlus calls “politicals,” and financial power. The county's websites were restored to normal in somewhat less than two hours. A few lessons about hacktivism of this anarcho-syndicalist stripe are perhaps on display here. Much of this activity is probably best viewed as an expressive rather than persuasive gesture, an attempt at purity, as opposed to an attempt at conversion or inspiration. Contrast this, for example, with the hacktivism ISIS has succeeded in marshaling, where inspiration and recruitment seem to count for everything.
John Petrik: [00:02:49:10] And, of course, hacktivists are drawn inevitably toward relatively small, presumably lightly defended targets. That York, Pennsylvania, would have the best tangential relationship to oppressive global systems is beside the point. York was hacked probably because York could be hacked, and also probably without undue difficulty or onerous expenditure of resources.
John Petrik: [00:03:08:19] One Hacktivist tactic, which ESET calls haxposure, will probably see more widespread use this year. The Hacking Team and Ashley Madison breaches would be examples of haxposure. The goal is typically reputational damage, and while extortion or harm to a commercial competitor would certainly be possible, in these two cases at least there appears to be no such economic motive. Widespread availability of indifferently protected information and the tools to extract and disseminate that information are thought likely to drive an increase in haxposure.
John Petrik: [00:03:39:03] Turning to cyber crime news proper, online hoods appear to have made successful incursions into Her Majesty's Revenue and Customs. The Sunday Times reports that hackers have made off with UK tax filers' self-assessment records, and then used the information to file fraudulent claims for tax repayment.
John Petrik: [00:03:54:24] Researchers continue to work on last week's TeslaCrypt ransomware infestation, the one that's been plaguing WordPress sites. All would be well advised to be on their guard, and above all to back up their data.
John Petrik: [00:04:06:04] In another minor mystery, researchers also wonder who's been subverting Dridex malware download sites to serve up anti-virus software. The presumed white-hat hacker's identity is unknown, but people have begun calling him, or her, Batman. Note that Dridex's criminal proprietors have for some time gone by the direct if unimaginative name Evil Corp.
John Petrik: [00:04:27:09] Kaspersky researchers discern a trend in banking malware. It's begun to adopt some of the APT techniques, hitherto principally associated with cyber espionage. The Metel, GCMAN and Carbanak criminal groups all show signs of using tools from the spymasters' kits - GCMAN remaining, apparently, the most old-school of the three. The goal remains the same obviously theft, but the means of gaining access show a growing sophistication.
John Petrik: [00:04:51:09] In documents filed last week with the US Securities and Exchange Commission, Arrow Electronics reported the loss of some $13m in fraudulent transfers to various Asian bank accounts. An investigation is in progress, and observers speculate that the incident involved a privileged account attack.
John Petrik: [00:05:07:08] ERPScan describes a cross-site scripting vulnerability in SAP Afaria. The security firm notes that SAP has published a fix for the problem, and it encourages users to apply it.
John Petrik: [00:05:17:20] In the marketplace, a broad selloff that began late last week continues to affect cyber security stocks. Observers cite weaknesses in some allied IT sectors as a partial cause, along with concerns about possible over-valuation and, of course, the unsettling story of Norse Corporation's apparent implosion. The pullback doesn't appear to have affected plans for IPOs, including KnowBe4's aspirations in this respect, nor has it dampened speculation about the mergers and acquisitions, that many think FireEye and Symantec are likely to undertake.
Dave Bittner: [00:05:49:18] This CyberWire Podcast is brought to you through the generous support of Betamore, an award winning co-working space, incubator and campus for technology and entrepreneurship. Located in the Federal Hill neighborhood downtown Baltimore. Learn more at Betamore.com.
John Petrik: [00:06:07:20] In a crypto war seesaw battle between privacy and security one approach that crops up frequently in debates is key escrow. We sat down last week with the University Maryland's, Jonathan Katz, who takes us through the concept.
Dave Bittner: [00:06:19:24] Once again, Johnathan Katz joins me, he's a professor of computer science at the University of Maryland, and Director of the Maryland Cyber Security Center - they're one of our academic and researcher partners.
John Petrik: [00:06:29:20] Jonathan, there's been a lot of talk about key escrow. Can you walk us through exactly what it is?
Jonathan Katz: [00:06:34:21] There are many different ways that key escrow could be implemented, but this is one way you could do it. Most cryptography is based on secret keys, that are held by the individual who is going to be decrypting the data. So we can imagine that somebody has a key on their phone, for example, that's used to decrypt any messages being sent to them. What you could do is set things up in such a way that the maker of the phone, say Apple for example, would have the ability to derive the key on any phone from some master key that would be held by Apple possibly, or other companies, or possibly government agencies as well. And then, in case police or other government agencies wanted to get access to the encrypted communication to that phone, they would be able to go to Apple, get a copy of the master key, derive the users key that they're using on their phone, and that way would gain access to their communication.
Dave Bittner: [00:07:26:22] It sounds pretty straight forward, but there are various concerns about this, right?
Jonathan Katz: [00:07:31:16] That's right, it is very straight forward. The problem is that you need to be very careful about protecting that master key. Anybody who gets access to that master key would then have the ability to break in to the secure communication going to anybody's phone. That master key would have to be protected not only from people outside the organization, but it would also have to be protected from people within the organization, people who have access to that master key. It's just a mess if that key ever becomes exposed in any way, you have no way of then ensuring the security for all the phones who are using anything derived from that key.
Dave Bittner: [00:08:07:16] Is it correct that it's a situation where people who wanted to encrypt things would probably just turn to other ways to do it?
Jonathan Katz: [00:08:19:13] That's exactly right. Nothing prevents anybody from downloading other software that's available that would enable them to encrypt, using a key that has no connection to the master key being stored by Apple. And so, ultimately, anybody who's even mildly technologically savvy would be able to circumvent the whole key escrow to begin with.
Dave Bittner: [00:08:36:01] All right. Johnathan Katz, thanks for joining us.
John Petrik: [00:08:40:20] A Passcode opinion piece argues that China bears a disproportionate responsibility for reigning in the nuisance of North Korean cyber operations. The DPRK, being almost as isolated in cyberspace as it is in physical space, Kim's hackers typically have recourse to resources physically located on China's side of the border.
John Petrik: [00:08:59:09] And finally, the science is now settled. Criminal nitwits outnumber criminal masterminds by several orders of magnitude. One fugitive from British justice was nabbed after two years on the lam by police who tracked him to a Merseyside address on the basis of the catch-me-if-you-can gasconade he posted to Facebook. And in the US, the Show Me State is not to be outdone by their trans-Atlantic cousins: Missouri authorities can show you a pretty cage-full of burglars who incautiously tried to frighten their intended victims from their homes, not thinking that they might also frighten them into calling police. In this case, the mug shots tell the whole story.
John Petrik: [00:09:35:23] And that's the CyberWire for Monday, February the 8th, 2016. For links for all of today's stories along with interviews, our glossary and more, visit the CyberWire.com. The CyberWire podcast is produced by CyberPoint International, and this is the editor, John Petrik. Our regular host, Dave Bittner, will be back from his travels sometime on the 16th. Until then, I'll be filling in. Thanks for listening.