The CyberWire Daily Podcast 6.19.17
Ep 373 | 6.19.17
Bouncing bad adware apps from Google Play. More on WannaCry attribution. Voter data exposed on an Amazon S3 account. Assessment of Russian influence on UK elections: they didn't do it. (Didn't need to?) Hackers sentenced.
Transcript

Dave Bittner: [00:00:00:19] I want to give a quick shout out to our latest Patreon supporters. Thank you so much for helping us do what we do here. If you want to help support the CyberWire, go to patreon.com/thecyberwire to find out more.

Dave Bittner: [00:00:14:05] Dragos and ESET bring clarity, and bad news, to investigation of December 2016's Ukrainian Power Grid hack. Cutter and its neighbors try to sort out hack-induced diplomatic troubles. Double switch social media malware hijacks dissidents accounts. CertLock impedes removal of unwanted programs by security software. Mac Spy and Mac Ransom appear as malware-as-a-service offerings. AMT vulnerability is exploited in the wild. And China arrest 22 for trading in stolen iOS user data.

Dave Bittner: [00:00:50:22] And now some information from our sponsors at E8. We all hear a great deal about artificial intelligence and machine learning in the security sector, and you might be forgiven if you've decided that maybe they're just the latest buzzwords. Well no thinking person believes in panaceas, but AI and Machine Learning are a lot more than just empty talk. Machine Learning for one thing, is crucial to behavioral analytics. You can't recognize the anomalous until you know what the normal is, and machines are great at that kind of base lining. For a guide to the reality, and some insights on how these technologies can help, go to e8security.com/cyberwire and download E8's free white paper on the topic. It's a nuance look at technologies that have both future promise and present pay-off in terms of security. When you need to scale scarce human

Dave Bittner: [00:01:36:10] Talent, AI and Machine Learning are your go-to technologies. Find out more at e8security.com/cyberwire. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:55:23] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, June 19th, 2017.

Dave Bittner: [00:02:06:11] Bouncers have their place right? That is, it's good to have some way of ejecting bad behaviors without calling down the full weight and majesty of the law, right? So to with adware. You'd like to keep it out, or kick it out quickly. But the Android bouncers standing at the door of the Google Play Store, seem to be having trouble lately, and that trouble seems to be passed on - with interest - to Android users.

Dave Bittner: [00:02:28:17] Googles' struggle is with adware infestations in the Play Store. Over the past week the UK-based security firm Sophos identified 47 adware-infected apps that together have been downloaded more than six million times. The ads Sophos are studying were particularly irritating, because they continue to appear even after users take action that ought to have caused the apps to quit. The popups are triggered from a third-party library, App/MarsDae-A. Another security company, Trend Micro, is tracking a different third-party ad library, Xavier, which holds about 800 apps. Google has booted a few more than 70 of them, but most continue to sit on the Play Store unmolested by the bouncer. Xavier escapes detection and ejection by going quiet when it detects sandboxing or emulation.

Dave Bittner: [00:03:19:07] So dodgy apps, at best unwanted, at worst malicious, continue to trouble Google's Play Store. Ars Technica calls it "an uphill battle", Help Net Security calls it "whack-a-mole". There's a lot on offer in the Play Store, and all things being equal, maybe a lot is better than a little, but experts advise exercising some discretion.

Dave Bittner: [00:03:38:21] If you're an Android user, what should you do? Well first of all, don't download apps from third-party stores. As we've seen, just because an app appears in Google's Play Store is no guarantee that it's clean, but still, your odds are better if you stay there. Second, if it's a free app that displays pop-ups, think twice before you download it. And finally, of course, do look closely at the permissions you're asked to give an app. The fewer privileges the better, especially if it's unclear why the app would need what it's asking for.

Dave Bittner: [00:04:08:03] Last week ended with another intelligence service linking WannaCry to the North Korean government. On Friday the BBC reported that the United Kingdom's GCHQ said, yes, the ransomware does indeed come from the DPRK, and it's connected with the Lazarus Group. North Korea is unusual in that its intelligence services tend to self-fund through cybercrime. GCHQ's National Cyber Security Center hasn't discussed the evidence that leads it to that conclusion, but most observers believe that evidence probably lies in overlaps with earlier code. Both BAE Systems and Secureworks have told the BBC and the Guardian, respectively, that the telltale code is a module that goes by "Brambul", which has appeared in earlier Lazarus Group capers.

Dave Bittner: [00:04:53:21] Some researchers expect to see another worm-borne attack in the wild. The technique may be attractive to others who've witnessed WannaCry's surprisingly quick havoc. WannaCry itself may be undergoing adaptation to fresh campaigns. It appears that WannaCry was released prematurely, leaked carelessly, perhaps by mistake, as its developers failed to contain it, left its Bitcoin wallets poorly crafted, and kept an exposed kill-switch.

Dave Bittner: [00:05:19:14] This carelessness strikes some as evidence the North Koreans weren't behind the incident after all. Security firm, Cybereason has an op-ed in SC Magazine, that argues the DPRK is better than that, more careful. But mistakes happen, even in the most careful organizations. And Recorded Future cautions against concluding that this sort of carelessness is evidence that the threat actors behind WannaCry are just stumblebums. If they indeed are, as most evidence suggests, North Korean government hackers, they've simply got a risk-reward calculus that leads them to a more indiscriminate style of operation.

Dave Bittner: [00:05:54:20] News media in India harrumph and point with concern to what they regard as their government's downplaying of the scope of WannaCry infestations in that country.

Dave Bittner: [00:06:04:22] Researcher Chris Vickery reports finding 198 million US voter records exposed in an unsecured Amazon S3 account. The data, which have since been secured, were left exposed by Deep Root Analytics, a political big data consulting firm that has worked for the most part, on behalf of the US Republican Party. While many enterprises have been seeing security advantages in moving to the cloud, there are risks too, as this and the recent exposure by a contractor of sensitive National Geospatial Agency information indicate. The NGA data was also left out on an S3 service. It's perhaps worth noting that failure to secure data properly, is a failure on the part of the user, not on the part of Amazon.

Dave Bittner: [00:06:49:08] Britain's National Cyber Security Center, declares the UK's recent elections to have been free of Russian influence - specifically that there were no signs of fraud, no outright manipulation of results. Some observers think the Russians just weren't interested. As one expert, Thomas Rid of King's College London put it - he's quoted in US News & World Report - if the Russian aim in the election meddling is to serve as a chaos agent, "It's already chaotic enough here. There's no need for Russian meddling in the UK. Basically, it's messed up enough on its own."

Dave Bittner: [00:07:23:10] And that's one way of looking at it. It's hard to tell from our perch on the other side of the Atlantic, but it would seem unwise to grow blasé about the matter. US investigations haven't withdrawn their teeth from the various inquiries into Russian influence operations, and NATO's frontline in the Baltic States remains on alert.

Dave Bittner: [00:07:42:16] Two hackers have received jail time. One was motivated by revenge, the other apparently by the lulz. The revenge hacker is Adam Flanagan of Bala Cynwyd (that's the Bala Cynwyd in Pennsylvania, not the one in Wales) who was sentenced to a year and a day in the joint, after pleading guilty to two counts of unauthorized access to a protected computer, that recklessly caused damage. Fired from his job with a company that makes water meter readers, he hacked his former employer's network and disabled the meters. He was arrested last November.

Dave Bittner: [00:08:15:15] The other case is that of a British gentleman, one Daniel Devereux, who will be a guest of Her Majesty's Government for 32 weeks as a reward for hacking websites belonging to the Norfolk and Norwich University Hospital, and Norwich International Airport. (That's the Norwich in East Anglia, not the one in Vermont). Mr. Devereux was caught after posting videos of his hacking prowess online. He says his victims blew off his warnings that their sites were insecure, and he wanted to make a point about the importance of security. The effects of his hacking weren't negligible. The airport says it lost the equivalent of $47,000 in the incident. Mr. Devereux, who goes by the nom du hack of "His Royal Gingerness", is said to suffer from mental health issues. At the time of sentencing, he was already in custody for another unrelated offense.

Dave Bittner: [00:09:11:11] Time to share some news from our sponsor ThreatConnect. You know them as the Threat Intelligence Specialists. ThreatConnect arms organizations with a powerful defense against cyber threats, and gives them the confidence to make strategic business decisions on the basis of sound risk analysis. Built on the industry's only intelligence driven extensible security platform, ThreatConnect provides a suite of products designed to meet the threat intelligence aggregation analysis and automation needs of security teams at any maturity level. But is anyone who's given the matter any thought knows, intelligence isn't just information. It's analyzed and actionable, and above all, it serves orchestration. To learn how to orchestrate your defenses against today's advanced malware, sign up for ThreatConnect's webinar, June 22nd, at 1pm Eastern time, 10am Pacific time at threatconnect.com/webinar. That's threatconnect.com/webinar. Check it out. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:10:14:23] Joining me once again is Dr. Charles Clancy. He's the Director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy welcome back. You know, the Dyn attack from last year was really a wakeup call for a lot of organizations and you wanted to talk today about some of the actions that people are taking to try to keep something like that from happening again.

Dr. Charles Clancy: [00:10:36:08] Of course, the Dyn attack which happened in October of 2016, resulted in a three hour outage of Internet service on the East Coast of the United States and was the largest distributed denial of service attack ever witnessed on the Internet, and interestingly leveraged a lot of consumer electronic devices as part of that attack. This, as you mentioned, was a wake up call to much of the industry that is now getting serious, or at least seeking to get serious, about IoT security. The challenge we have with IoT is that the business model really doesn't lend itself towards security. The goal is to mass manufacture inexpensive electronic devices for consumer markets that happen to have an Internet connection in them. Really security is not a driving factor in the manufacture of these devices. So, if I go online and purchase some consumer electronic device from a manufacturer in China, for example, what motivation

Dr. Charles Clancy: [00:11:35:21] Do they have to implement appropriate types of security protections in that product? Right now they really have none. And this has led to a range of things, to include the Dyn outage that we saw last October. So if you look at how you would try and address this. One of the proposals on the table is to create the underwriter's laboratory equivalent for Cyber security. And this has talked about on and off over the years. Can we have this notion of cyber security UL? Just as an example right now, if you go to the store and buy a toaster, it's likely going to be tested by UL and make sure that when you plug it in it doesn't catch on fire.

Dr. Charles Clancy: [00:12:14:16] The challenge is, how do we achieve something similar in the IoT space, to ensure that if you plug that new Internet-connected toaster in, it's going to have the appropriate Cyber security safeguards without it getting hacked. So if you look at the approaches that are being considered, one is this notion that we need managed ecosystems. Stand alone IoT devices that are not managed, and have no way of receiving firmware upgrades, or software updates, or the ability to have a strong enrollment process, i.e., they just have default passwords on them. These are all major challenges for the long term security of the Internet. So there's this drive, I think, towards trying to ensure that every IoT device, is connected up to some cloud service that is responsible for provisioning it, and managing it, ensuring its long term security.

Dr. Charles Clancy: [00:13:01:13] But there's a lot of unanswered questions about how that would work in practice. So, for example, what if the vendor of that IoT device goes out of business, and they shut down their cloud service? Does that mean that the IoT device stops functioning? Who's responsible for continued software updates? And if the company goes out of business, the source code from which you can even build the patches is now no longer available. So currently some of the research that we're doing, is looking at how you could begin to establish some sort of functional testing program that would provide this certification and accreditation of these devices. That they at least meet some basic Cyber security fundamental principals. Like, not having default passwords, and preferably having mechanisms to do software update.

Dr. Charles Clancy: [00:13:46:15] Although, as I mentioned, that's, a non-trivial thing to accomplish in practice.

Dave Bittner: [00:13:50:01] All right Dr. Charles Clancy, thanks for joining us.

Dave Bittner: [00:13:54:22] And that's the CyberWire. For links to all of our stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. Thanks to all of our supporters on Patreon. You can find out more at patreon.com/thecyberwire. And don't forget to check out my regular segment on the Grumpy Old Geeks Podcast, it's called Security Ha, and it's a rollicking good time. You can find the Grumpy Old Geeks Podcast wherever all the fine podcasts are listed. It's less of a family show than the CyberWire is, so consider yourself warned. There is salty language. Not by me of course, but it's there.

Dave Bittner: [00:14:37:05] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.