The CyberWire Daily Podcast 2.18.16
Ep 38 | 2.18.16

Dridex, Locky, PadCrypt, and extortion. Hollywood vs. ISIS? ISIS vs. ISIS? Apple vs. FBI.


Dave Bittner: [00:00:03:15] Ransomware update: Locky may be distributed by a Dridex subnet. And PadCrypt's version of customer service recalls some of the marketing tricks that accompanied Cryptowall 4.0. Governments on both sides of the Atlantic look to modernization of legacy systems as a way of shoring up security. Washington asks Silicon Valley for help against ISIS. Now it's asking Hollywood too. And the crypto war partisans watch Apple and the FBI closely.

Dave Bittner: [00:00:29:11] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at

Dave Bittner: [00:00:52:21] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, February 18th, 2016.

Dave Bittner: [00:00:58:17] Ransomware, especially Locky, which is distributed via malicious Word macros like Dridex, but also PadCrypt, which picks up the trend set by Cryptowall 4.0, in which ransomware treats its victims as if they're customers, well, they continue to exercise researchers and security teams. Locky is apparently being distributed, according to Palo Alto Networks, through a revenant subnet of the old Dridex botnet. Authorities took down Dridex late last year but it began to reform in January.

Dave Bittner: [00:01:26:20] PadCrypt's customer service angle includes both an uninstaller - it won't help you, it only uninstalls the malware and leaves your files encrypted and unrecoverable - plus a live chat feature in which you, the victim, may consult PadCrypt's controllers, who'll guide you through the steps to easy payment. We note that you're probably better off not chatting with them at all.

Dave Bittner: [00:01:47:13] Cyber extortion seems to be paying off for the criminals. The Hollywood Presbyterian Hospital in Los Angeles, still recovering from a cyber attack, said yesterday that it paid the hackers $17,000 in Bitcoin to release control of some affected systems. And a survey by Bitdefender suggests that paying up has become increasingly common. US users are most likely to be hit by extortion but victims in the UK are willing to pay the most ransom. As always, the best defense is caution, backed up by, well, good backups of your files.

Dave Bittner: [00:02:18:03] In industry news, the approach of RSA is accompanied by the usual flurry of new product announcements. Consult the CyberWire daily news-brief for links to the most recent.

Dave Bittner: [00:02:26:19] Among the goals of the White House's plans for improving cyber security across the US Federal Government is the replacement of aging and vulnerable IT systems. Her Majesty's Revenue and Customs reaches the conclusion that it needs to pursue the same goal in the UK, moving away from what it calls a dangerous dependency on legacy mainframe systems.

Dave Bittner: [00:02:47:24] Amid conflicting reports over how well private sector cooperation against ISIS is going, some say Twitter's giving ISIS troubles, others say the blocked accounts amount to little more than a gesture. US Secretary of State Kerry visits California to solicit support of movie producers in building up a counter-narrative. Studio executives presumably know a thing or two about storytelling and the Secretary is looking for the kind of help from Hollywood on the content side the Administration recently sought from Silicon Valley on the technical side.

Dave Bittner: [00:03:16:04] Whatever Los Angeles and San Francisco come up with, however, for now, ISIS seems to be its own worst enemy. Reports of widespread corruption and un-Islamic injustice in the territories it controls continue to undermine the caliphate's messaging.

Dave Bittner: [00:03:30:02] Admiral Rogers, Director of the US National Security Agency, who continues to say that, "encryption is foundational to our future," and that it's pointless to argue over whether strong encryption should be restricted, points out that widespread encryption does come at a price. He told Yahoo! News that the terrorist massacres in Paris could have been forestalled had the attackers not used encrypted communications. Ars Technica wonders whether he's alluding to knowledge not widely shared since public statements by French police indicate that the attackers coordinated their actions using quite ordinary SMS messaging.

Dave Bittner: [00:04:02:01] Elsewhere in the crypto wars, Apple continues to fight the court order it received to assist the FBI in the Bureau's efforts to unlock an iPhone used by the San Bernardino jihadists. Apple received support from rivals Microsoft and Google. It also gets support from, unsurprisingly, NSA leaker, Edward Snowden, and surprisingly, from former NSA director Michael Hayden. Hayden's support is based on his conviction that the general availability of strong encryption makes everyone more secure, despite the undeniable burdens it places on law enforcement.

Dave Bittner: [00:04:31:19] We heard a somewhat contrary, nuanced view yesterday from Flashpoint's chief scientist, Lance James. Quote, "This is not the same as the crypto war," he said. "Apple didn't need to react this way, it was premature. Forensically speaking and legally speaking, the judge asked for reasonable assistance on unlocking this specific phone," James told us. He doesn't see this as the entering wedge of mass surveillance but rather, quote, "A reasonable search warrant request no different from a warrant to the free web-mail services or Facebook's asking for data," end quote.

Dave Bittner: [00:05:02:20] In any case, observers agree that the ultimate outcome of the case will be important in terms of judicial precedent. The case is also important in that it's likely to push Congress toward legislation on encryption. And of course for Apple, the company's strong stand for privacy seems to be good for business too.

Dave Bittner: [00:05:21:12] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at

Dave Bittner: [00:05:40:04] Joining me is Joe Carrigan from the Johns Hopkins Information Security Institute. Joe, let's talk about passwords, specifically password cracking.

Joe Carrigan: [00:05:48:07] One of my favorite subjects.

Dave Bittner: [00:05:48:24] I know. I know it is. So before we get into how we crack passwords, let's talk about how passwords are stored and protected.

Joe Carrigan: [00:05:55:08] Right. Passwords are usually stored in some kind of hashed system. If they're stored in plain text then there's no security at all. So we use an algorithm called a hash algorithm that takes that password and turns it into essentially a one-way encryption function. The weakness there is that I can build a simple look-up table based on the hashes. So if your password is ABC123 and my password is ABC123 then our hashes are going to be the same. So we have a second protection against that called salting, and that is where we take a random string of characters and add it to our passwords. So let's say that random string of characters is, for you, 123, so your password becomes ABC123123 and then that gets hashed. And then my password becomes ABC123 and then I have XYZ added to the end of my password.

Joe Carrigan: [00:06:51:15] In the password database the salts get stored with the hashes and now our hashes look different. So I can't just say, "Okay, these two users have the same password anymore." That's what we call a salted and hash password and that's the best way to protect the password in a database.

Dave Bittner: [00:07:06:11] Alright, so we've got our passwords stored, they've been, they've been protected through salting and hashing but now I want to have it, I want to start figuring out what the passwords are. How do I go about it?

Joe Carrigan: [00:07:17:04] Right. The very first thing you're going to do as a password cracker is you're going to run what's called a dictionary attack on that. There are programs out there that are specifically designed for doing this, and there are lists out there, very large lists of known passwords. The thing about people is they're kind of predictable in this, and you can break about 50% of the passwords just with a dictionary attack.

Dave Bittner: [00:07:41:10] You, you come at it with your dictionary attack and you're unsuccessful with that, what next?

Joe Carrigan: [00:07:46:15] So the next step would be brute force attacks. The same software tools that can run a dictionary attack can also do a brute force attack. There's one called HashCat that actually runs on graphics processors that makes it very fast.

Dave Bittner: [00:07:58:11] When I'm coming up with a password for myself, is there a way to protect myself against either of these attacks?

Joe Carrigan: [00:08:04:10] I use a password manager. What I do is I use random 20 character passwords at a minimum for my-- the websites I visit frequently and the websites I care about.

Dave Bittner: [00:08:15:14] Okay, how do you remember them?

Joe Carrigan: [00:08:16:24] I don't remember them.

Dave Bittner: [00:08:17:16] Alright, go on.

Joe Carrigan: [00:08:18:06] And if somebody asked me what my Facebook password is right now, I wouldn't be able to tell them.

Dave Bittner: [00:08:21:22] Okay. So how do you log onto Facebook then?

Joe Carrigan: [00:08:23:15] So I open up my password safe and I copy the password from the password safe into the Facebook interface.

Dave Bittner: [00:08:28:11] So what if I get access to your password safe?

Joe Carrigan: [00:08:30:08] That's an excellent question. [LAUGHS]. In fact there are-- there's now malware that's out there targeting password safes because they've realized that this is a, this is a high value target.

Dave Bittner: [00:08:40:19] So are you in effect just sort of shifting it one degree away because you still-- you have your password to get into your password safe, right?

Joe Carrigan: [00:08:47:10] Correct. Yes. Then-- that password to get into my password safe is a very long password.

Dave Bittner: [00:08:51:20] Does it really help to-- you know, you see people substituting characters for letters, you know, using an at symbol instead of the letter a and using a--

Joe Carrigan: [00:08:59:21] No, no, there-- those are-- I mean, it helps in that it might not show up in a first, first time dictionary attack, but there are rules, substitution rules, in these tools and it will go through the dictionary and start substituting out the existing characters, like it'll substitute As for fours, ones for Is and vice versa.

Dave Bittner: [00:09:20:00] So in effect it's just making it harder to remember? [LAUGHS]

Joe Carrigan: [00:09:23:18] Sort of, yes. I say, the longer the password, the better the password.

Dave Bittner: [00:09:27:14] Alright, Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:09:29:16] Thank you.

Dave Bittner: [00:09:32:10] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit The CyberWire podcast is produced by CyberPoint International and our editor is John Petrik. I'm Dave Bittner, thanks for listening.