Patriotic and free-spirited hacking? WikiLeaks has a new Vault7 dump. Cyber conflict over the South China Sea. Fireball malware infests more than 250 million devices. Trident security. Kmart breach. Bikers turn hackers.
Dave Bittner: [00:00:00:20] The CyberWire podcast is made possible in part by listeners like you, who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.
Dave Bittner: [00:00:13:05] Russian hackers are free-spirited, patriotic artists, says a man in a position to know. WikiLeaks dumps more Vault7 documents. White hats reconsider crowdsourcing membership in the exploit-of-the-month club. OceanLotus may be weaponizing a ShadowBrokers' leak. Fireball malware used for ad fraud. A think tank warns of Royal Navy submarine cyber vulnerabilities. Kmart discloses a point-of-sale breach. And a motorcycle gang is hacking cars. Why? Because that's the way they roll.
Dave Bittner: [00:00:46:24] Time to take a moment to share some research from our sponsor Cylance. They've been looking at Ransomware-as-a-Service (RaaS), and they found that something old is new again. It's NemeS1S. This malicious code can be purchased in the crook de crook black market, and it reduces the average skids barrier to entry into the ransomware game to essential zero. It appeared in the wild this past January, and it's been advertising itself as new. But no, the binaries it generates are oldies but baddies, from the long familiar PadCrypt family. PadCrypt portrays itself by its behavior under dynamic analysis. So don't pay ransom, instead get protected. Visit cylance.com/blog and check out the threat spotlight paper on NemeS1S. That's cylance.com/blog. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:52:04] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Friday, June 2nd, 2017.
Dave Bittner: [00:02:02:15] Russia's President, Vladimir Putin says he has no knowledge of anyone hacking US elections. He does speculate that, well sure, it stands to reason there could have been patriotic freelancers out there (hackerweight unspecified) who were hitting American networks. But that's just standing up for the Motherland, and rooting for good old Vlad Putin, as who wouldn't? Hackers are free spirits, Mr. Putin observed, just like artists, and after all, it's a free country, and so on. Besides, all he knows is what he reads in the papers.
Dave Bittner: [00:02:33:23] Elsewhere in the ongoing conflict in cyberspace, WikiLeaks yesterday released its latest tranche of Vault7 material. The latest dump deals with an alleged CIA implant, "Pandemic", said to be used to establish patient-zero machines on networks.
Dave Bittner: [00:02:49:17] HackerFantastic and x0rz have shuttered their crowdfunded attempt to buy an early look at the ShadowBrokers' next exploit dump. Their hope was to have done, and shared, some quick remediation, but it's just too risky from a legal point of view. Sophos advises all against subscribing to the Brokers' exploit-of-the-month club saying, "Would-be subscribers should ask themselves the following before diving in: what are you going to do if they don't deliver? Ask for a refund? Report them to the ombudsman?" Customer service just isn't what it used to be, especially in black market clubs.
Dave Bittner: [00:03:26:04] OceanLotus, also known as APT32, the threat group associated with the Vietnamese government that's giving Philippine difficulty, as the two countries squabble over economic and sovereign rights in the South China Sea, is believed to be working to reverse-engineer and weaponize ODDJOB, an earlier ShadowBrokers dump.
Dave Bittner: [00:03:46:15] Security company Check Point reports the discovery of "Fireball". A malware campaign said to have infected about 250 million computers worldwide. Fireball lets its masters execute code on victim machines, and to manipulate web traffic to generate ad revenue. Despite some spyware functionality, the chief motivation here seems to be fraud: Check Point says the Beijing digital marketing agency, Rafotech, is behind Fireball.
Dave Bittner: [00:04:14:10] The British-American Information Security Council think tank warns, with a degree of alarmism, that the Royal Navy's Trident missile submarines are in principle vulnerable to cyberattack. Sure, the boats are airgapped while submerged - hey, they'd better be - but the study argues that's not the point. The subs' supply chains are vulnerable, as are the patches and upgrades they receive in port.
Dave Bittner: [00:04:37:21] The UK's Defense Secretary Michael Fallon last month, declined to comment on whether the submarines used Windows XP, and were therefore vulnerable to WannaCry, but that shouldn't necessarily be interpreted as a non-denial denial. It would have been irresponsible to comment publicly on a matter affecting technology used by strategic systems, and besides, the question is a complex one. Windows XP is very unlikely to have been used out-of-the-box in any significant IoT system.
Dave Bittner: [00:05:06:20] We received some notes on the WannaCry episode from Cytellix, in response to our question about why old and vulnerable instances of Windows have remained in such widespread use. They told the CyberWire there are many reasons why this is so. "A variety of costs and obstacles contribute to persisted use of outdated systems. Some companies lack the financial or technical resources to update their systems accordingly. While others believe the older systems are more stable. New systems are often rolled out with various bugs. Some companies operate under the adage of, `If it's not broken, don't fix it.' While we would consider outdated security patches as contributing to a system that needs repair, not every IT team has the resources to understand and evaluate information security.
Dave Bittner: [00:05:53:07] They might be of the opinion that if their systems keep them productive, there is no reason to alter them, especially if an upgrade is expensive, from either a financial standpoint, or in terms of the time spent implementing."
Dave Bittner: [00:06:06:12] The Chipotle breach earlier this week, served as a reminder that point-of-sale attacks are still very much with us. Another retailer - Kmart - has also disclosed a customer data breach. Credit card data were exposed to hackers in the second such breach in three years. Kmart's parents, Sears Holding, says their investigation determined that no personally identifiable information was compromised, but that some credit card numbers were. A Sears spokesman also said the infection was undetectable by antivirus software.
Dave Bittner: [00:06:37:02] High-Tech Bridge's Ilia Kolochenko thinks the talk about anti-virus is misdirection. "Payment systems should be thoroughly isolated, and restrict any third-party code or applications from running on them. Apparently such fundamental precautions were at least partially missing." He also says big enterprises can't rely on basic security solutions like anti-virus software, if they're not designing security into their systems from the start.
Dave Bittner: [00:07:03:02] Finally, those of you who've been following the increasing commodification of cybercrime, crimeware, DDoS and ransomware-as-a-service, won't be surprised to learn that a bunch of denim-jacketed one-percenters have now roared into cyberspace astride their hogs. Yes, it's the Hooligans Motorcycle Gang, known for riding between Tijuana and San Berdoo. At least one outlaw biker club has apparently branched out from meth distribution and cigarette smuggling, to enter the IoT hacking game. Three members of the "Dirty Thirty", a sub-unit of the Hooligans, have got themselves arrested by the FBI on charges of boosting more than 150 Jeep Wranglers. Nine more suspects remain at large, and there are other people the authorities would like to meet too.
Dave Bittner: [00:07:49:11] The Hooligans allegedly stole the Jeeps by hacking into a proprietary database containing replacement key codes, then synching a replacement key code by connecting to a given vehicle's Onboard Diagnostic System. The Bureau called their investigation "Operation Last Ride", and they've been after the Dirty Thirty since 2015. The Feds, they are nothing if not patient.
Dave Bittner: [00:08:18:03] Time to take a moment to tell you about our sponsor, Recorded Future. You've heard of Recorded Future. They are the real time threat intelligence company. Their patented technology continuously analyzes the entire web, to give Infosec Analysts unmatched insights into emerging threats. We subscribe to, and read their cyber daily. They do some of the heavy lifting in collection and analysis, that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and everyday you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks.
Dave Bittner: [00:08:58:13] Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:09:19:11] Joining me once again is Jonathan Katz. He's a Professor of Computer Science at the University of Maryland, and also Director of the Maryland Cyber Security Center. Jonathan, I saw an article on InfoWorld that was encrypted communications could have an undetectable backdoor. What are we talking about here?
Jonathan Katz: [00:09:36:03] Well some researchers showed that there will be ways to generate parameters for Diffie-Hellman Key Exchange which is used very often on the Internet, and also used in ACTPS. And they can generate these parameters in such a way that they had a backdoor in them. And that backdoor would allow anybody knowing the backdoor, to be able to break the security of any communication channels set up using those parameters. But the backdoor was also undetectable.
Dave Bittner: [00:10:01:20] They described it as being hard-coded primes, what does that mean?
Jonathan Katz: [00:10:06:20] So Diffie-Hellman parameters rely on prime numbers, as least the non-elliptic curve variants of Diffie-Hellman. And what the researchers showed was that by picking primes in a particular way, and embedding those into the Diffie-Hellman parameters, they were able to break the key exchange protocol using those parameters, and much more quickly than you would expect, if those primes were chosen at random.
Dave Bittner: [00:10:31:03] So is this something that we're seeing in the real world yet, or is this so far just in the lab?
Jonathan Katz: [00:10:37:10] Well we have no evidence that this has been carried out in the real world, but I guess we also have no evidence that it hasn't been. So I think the point the researchers were making, is that this kind of trapdoor might be present in some parameters that people are using. We have no way of knowing either way, but I guess there was a possibility that it could've been done at some point in time.
Dave Bittner: [00:10:56:13] And we're about 1024 bit keys, but they were saying taking it up to 2048 bit keys would obviously take it to another degree of difficulty.
Jonathan Katz: [00:11:09:11] Yes that's right. I mean you still have a possibility that these trapdoors would make it easier to break, even the 2048 version, than you would expect. But it's definitely true. Anyway there are recommendations for other reasons to start moving toward 2048 bit keys. But yes, that's definitely true that it would be harder to carry out this kind of attack on the longer key.
Dave Bittner: [00:11:29:08] Alright, Jonathan Katz, thanks for joining us.
Dave Bittner: [00:11:35:12] And now a word from our sponsor, UMBC, the University of Maryland Baltimore County, that world class university just to our south, has a question for you. In a world where over a quarter of a million cyber security jobs are unfilled, what are you waiting for? Especially if you're living in this part of the world. Because a lot of those jobs are right here. UMBC grants are well prepared and in demand. Come to UMBC's Information Session, to learn about their cyber security degree, and certificate programs. It's Thursday, June 15th, in the Camille Kendall Academic Center, at the Universities at Shady Grove in Rockville, Maryland. Get details at umbc.edu/cybernow. Find out how you can meet the demand for qualified and experienced cyber security professionals. That's, umbc.edu/cybernow. What are you waiting for? And we thank UMBC for sponsoring our show.
Dave Bittner: [00:12:36:23] My guest today is Leo Taddeo. He's the Chief Information Security Officer at Cyxtera Technologies. A company that provides secure infrastructure. Our conversation centered on the tension between advocates of privacy and strong encryption, and those who believe law enforcement has legitimate needs to be able to access encrypted data. We began our discussion reflecting on the recent firing of FBI Director, Comey.
Leo Taddeo: [00:13:02:02] I think we've lost an advocate for the debate over encryption. Jim Comey, of course, as a law enforcement officer, had his own views on whether or not the government should have access to secure devices. Whether that was through encrypted data at rest, or data in motion. But the encryption problem in general, according to Director Comey, was something that the country needed to debate, and it wasn't for the FBI to decide. But he did want the country to debate whether or not law enforcement had the tools necessary to continue to do its mission. I think we lost an advocate with Mr. Comey. His departure means that the next director will have to decide whether to pick up the mantle, if you will, and try to raise the issue, and try to get Congress to address it.
Leo Taddeo: [00:13:54:10] There are some technological challenges to law enforcement and how law enforcement can do its job, and unless addressed, technology will continue to outface traditional capabilities that law enforcement has today.
Dave Bittner: [00:14:09:07] Director Comey was different from the directors of say the NSA and the CIA, where they were more pro-encryption, and he was more skeptical of it.
Leo Taddeo: [00:14:18:01] Right. Well they have slightly different missions. Director Comey's mission is focused on primarily a law enforcement function. There are some intelligence authorities within the FBI, and we do have components of our mission that involve national security. But, for the most part, encryption was an obstacle, and didn't used to be an obstacle to the day to day work of FBI agents. That's different than say the NSA, or the CIA, Department of Defense and some of their roles, where they can use different authorities to break encryption, and may have better capabilities, to be frank. So the FBI is limited in what it can use, and it can't use state of the art techniques and tools, because they wouldn't be state of the art for very long. Once exposed in court during a prosecution, those tools would no longer be available.
Leo Taddeo: [00:15:11:02] So we have slightly different authorities than NSA, and CIA, and DoD, and those authorities changed the way we look at the problem. At the end of the day, if a technique or tool is required to be disclosed to a defendant, then that technique or tool no longer becomes effective. And that's not a problem that NSA or the other intelligence services has.
Dave Bittner: [00:15:38:01] You know, I talk to a lot of folks on the technology side of the encryption debate, and they look at this, I believe, partially as a practical issue. Where you know, encryption is readily available, it's not hard to do strong encryption and when we're talking about things being done across borders, they make the point that it's not really a practical thing that you can stop.
Leo Taddeo: [00:16:01:13] I agree with all of that, that strong encryption is easy to deploy, it's becoming part of every day devices. The question is how strong does it need to be, in my mind? And there's a debate about whether we need perfect security. So I look at it this way. We have to use encryption that is designed to address the threat that we face. So if we're trying to counter criminal groups who are stealing data, then you don't need AES-256 unbreakable cryptology. You can perhaps use a different algorithm or perhaps deploy it in a different way, that allows law enforcement with considerable resources, and access to the device, to obtain the evidence that it needs to complete its mission. So if you're trying to prevent a nation state from accessing your device, then you must be in a pretty small category, because it's not often that national states go after individuals, so I think we can address that problem on a case by case basis.
Leo Taddeo: [00:17:08:19] So, for example, a CEO that might have intellectual property, or sensitive business information on his or her cell phone, we can make strong encryption available to them. But the day to day, ubiquitous deployment of strong encryption, means that your average person has, what is in effect, government-proof communications capability. And in a world where we are saying, people with access to, I won't say weapons of mass destruction, but certainly weapons that can cause mass casualties and the propensity for people to use those weapons, whether it's a rifle, or we've seen recently a truck, we have to balance the risk and reward, if you will, of strong encryption. So what I mean by that is, it might be we have to have a balancing. If the privacy advocates of which I consider myself one in part, but I don't go as far as some groups, if privacy advocates are worried about government overreach, that is a threat, but so is the idea that there may be a mass shooting or a mass casualty event involving what we've seen, for example, in Europe and other places. And the real threat there is on the ground and present.
Leo Taddeo: [00:18:24:21] It's not theoretical. And I think that we have to balance the real threat with the potential for threat and that means strong oversight for the government, strong auditing of government use of the techniques. But also an understanding that in many cases, the government is the only thing standing between us and potentially great harm. So I don't think it's all or nothing, and my bottom line is, we have to find some way to come to an acceptable compromise between privacy concerns and legitimate law enforcement requirements, and we're not there yet.
Dave Bittner: [00:18:59:05] That's Leo Taddeo from Cyxtera Technologies.
Dave Bittner: [00:19:07:03] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you through their use of artificial intelligence, check out cylance.com.
Dave Bittner: [00:19:21:04] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Have a great weekend everybody, I'll see you back here on Monday. Thanks for listening.