Kenyan elections, not hacked? Someone's poking into DPRK systems. DDoS in Ukraine. Pseudoransomware protection. Spyware in Play Store. HBO hack.
Dave Bittner: [00:00:01:00] The CyberWire podcast is made possible by listeners like you who support us through our Patreon page. You can learn more at patreon.com/thecyberwire.
Dave Bittner: [00:00:13:13] Election monitors say Kenyan presidential voting went off without hacking. The losing opposition disagrees. Germany looks toward securing September's vote. North Korea receives cyber attention from somewhere in the civilized world. Ukraine's postal service sustains a two-day DDoS attack. There's WannaCry and NotPetya pseudo ransomware fallout. Spyware-infected apps are found in the Google Play Store and "Mr. Smith" comes to Midtown and he wants a raise.
Dave Bittner: [00:00:44:21] As our sponsors at e8 Security can tell you, there's no topic more talked about in the security space than artificial intelligence unless, maybe, it's machine learning. But it's not always easy to know what these could mean for you, so go to e8security.com/ai-ml and see what AI and machine learning can do for your organization's security. In brief, they offer not a panacea, not a cure all, but rather an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and machine learning are the technologies that can help you do it. So, visit e8security.com/ai-ml and see how they can help address your security challenges today. And we thank e8 for sponsoring our show.
Dave Bittner: [00:01:43:05] Major funding the for CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, August 10th, 2017.
Dave Bittner: [00:01:53:06] For all of you thinking hard about election hacking, here's a Sherlock Holmesian dog that didn't bark. EU observers who were monitoring Kenya's presidential election say that the contest appears to have been conducted without vote-tally manipulation. Incumbent Uhuru Kenyatta seems to be the winner, but opposition leader Odinga says the results were cooked. The country's electoral commission has said that the voter database was targeted by hackers, but unsuccessfully, and that voting proceeded without illicit manipulation. Neither the EU observers nor the electoral commission's statements are likely to mollify the opposition, which is disputing the results.
Dave Bittner: [00:02:32:05] Do note that most "election hacking" has involved influence operations, not directly finagling with the count. The next big event on the election-hacking scene, and yes, we're looking at you, Cozy and Fancy, will be the German Federal elections, set for September 24th. German authorities have for some time been on the alert for Russian interference. So, viel gluck Germany, and best wishes for a clean vote.
Dave Bittner: [00:02:57:11] Reports continue that North Korean targets have been infected with Konni and Inexsmar espionage tools. The incidents are not attributed, but speculation inevitably centers on the likelihood that the cyberattacks have been prompted by Pyongyang's increasingly aggressive and threatening missile and nuclear weapons programs. The civilized world is uneasy, to say the least, with the regime's very disturbing talk and even more disturbing demonstration of nuclear and ballistic missile capabilities. North Korea's news agency has promised that a plan to destroy Guam, which Pyongyang calls a "nest of American air-pirates," will be presented to Supreme Leader and Great Successor Kim Jong-un next week.
Dave Bittner: [00:03:39:19] Now, to be sure, Pyongyang does say a lot of stuff, but possession of nuclear weapons and quite possibly the means to deliver them over long distances leads people to take the things the Kim regime says with greater seriousness than they otherwise might. Thus it would be surprising if the North Korean regime were not being subjected to the attentions of foreign intelligence services, to which thinking people can only say, "good hunting."
Dave Bittner: [00:04:05:19] Ukraine's postal service, on Monday and Tuesday, came under a sustained distributed denial-of-service attack. Package-tracking was particularly disrupted. Investigation is in its early stages.
Dave Bittner: [00:04:18:23] Rapid7 does some self and sector examination on its look at the second quarter of 2017. The security company says its honeypots indicated that something was brewing after the ShadowBrokers dumped EternalBlue exploits in April. WannaCry and NotPetya, of course, hit in May and June respectively. Their success was in some ways surprising, given their attack against known vulnerabilities, but effective patch management can be surprisingly difficult. So hindsight makes it appear obvious that something big was up, but then, hindsight will do that. Another point Rapid7 makes is that criminals generally maintained their usual activity. While the good guys were focused on the large, splashy, and disruptive WannaCry and NotPetya, the bad guys were going about their usual petty larceny, too.
Dave Bittner: [00:05:07:01] Security experts at Venafi have taken a look at what went wrong with M.E.Doc, the patient zero of NotPetya. They offer three bits of advice as well. First, "Every machine must have a unique identity." Second, "Make sure your software is code-signed. And third, "Machine credentials must be expertly defended." They think Intellect Service, M.E.Doctor's vendor, fell short in all three areas.
Dave Bittner: [00:05:32:14] A survey by the security company Tripwire finds that more than two-thirds of security personnel think their enterprises remain inadequately protected against a repeat run of these pseudo ransomware attacks.
Dave Bittner: [00:05:45:18] We've got a lot of technical terms and buzzwords in cybersecurity, to the point where it can be hard to know for sure what someone is really talking about when they're describing say, a phishing attack. Markus Jakobsson is Chief Scientist at Agari, a company that helps protect against phishing attacks. They've come up with a threat taxonomy to help standardize the way we describe attacks.
Markus Jakobsson: [00:06:07:04] So I spoke with vendors out there and customers of these vendors and a lot of people in general trying to understand what are they concerned with and the first things that came out of their mouths were things like phishing and hacking. Then I drilled a little bit deeper and I realized that they were not at all concerned about phishing or hacking, they might be concerned about targeted attacks such as business email compromised. They might concerned with ransomware attacks. They just did not have a meaningful terminology to express their concerns. Which, of course, is not their fault. It's our fault. The industry, as such, for not providing a terminology that is meaningful in terms of explaining what you want to achieve.
Dave Bittner: [00:06:49:08] And you use an analogy comparing it to a doctor?
Markus Jakobsson: [00:06:53:17] Right. Assume that you call a doctor and you can only say "pain" and "hurt" right, or something like that? No matter what your ailment is, this is not going to be helpful. You might have a toothache, I might come there with a pain in my leg and somebody else has a cramp in there back and the doctor is going to give us all the same treatment. Of course, that is idiotic and it would not occur to anybody that that would be a meaningful way of approaching a doctor's visit, but that is what we're doing collectively to security these days. We're calling everything phishing, we're calling everything hacking and we forget the nuances.
Dave Bittner: [00:07:36:11] So, give me an example of a common attack and how it would be categorized within your taxonomy?
Markus Jakobsson: [00:07:43:19] So, business email compromise is one increasingly common attack and the way it normally starts is that the attacker finds out information about your organization. They know the org chart or they know a couple of names within the organization and now they send an email that appears to come from one of them to another one. And the way they perform this identity deception, about half the time it's using spoofing and the other half of the time, pretty much, it's using display name deception. And so, then they are trying to use business as usual language, request information. So, if you get an email from your boss saying, you know, "I need the W2s." As a result of them responding and sending W2s, now the attacker has W2s for employees, which means that the attacker can file taxes. So, in this case, if you're looking at the sender, typically it's about display name or it's spoofing.
Markus Jakobsson: [00:08:45:12] So, if an organization wants to address this threat, they would know that since it's a con at the same time and there are no countermeasures that address cons per se, they would have to look at the ways in which identity deception takes place. If they already DMARC in place, that's great. Now it's only the display name aspect that they need to nail down. And so it gives you a recipe for what's next. Once they know what their solutions are and what these do, then they can go out and say well, where can we shut this down? And typically it's at the identity deception part.
Dave Bittner: [00:09:26:20] That's Markus Jakobsson from Agari. You can find out more about their cyber threat taxonomy at their website.
Dave Bittner: [00:09:34:24] SurfWatch published an analysis in IT Pro Portal that says the big story in cybercrime so far this year has been the extent to which such crime has been fueled by leaked Government exploits. The security firm thinks this is likely to continue, and it offers three general pieces of advice to companies as they brace for more attacks. First, continuously monitor for relevant external threats, second, have a structured way of prioritizing threats and taking meaningful action, and third, follow best practice and risk assessment recommendations. The third recommendation looks obvious, but, as SurfWatch's Adam Meyer acidly observes in the IT Pro Portal piece, if the US Intelligence Community had paid more attention to advice about internal threats, we might not be in the exploit pickle we find ourselves.
Dave Bittner: [00:10:23:14] Researchers at security company Lookout announced today that they've discovered approximately a thousand spyware apps infesting Google's Play Store. Lookout says the apps belong to the SonicSpy family, which began deployment in February of this year. Google has removed some of the apps after Lookout alerted Mountain View to the problem. SonicSpy is thought to be related to SpyNote malware, possibly descending from it by automated build processes. The hackers behind the malware are believed to be located in Iraq.
Dave Bittner: [00:10:55:14] To take one of the more prominent bad apps Lookout has discerned, the one called "Soniac" is marketed as a messaging app, and does appear to provide some messaging functionality through a customized version of Telegram. But its malicious components include, as Lookout says, "the ability to silently record audio, take photos with the camera, make outbound calls, send text messages to attacker specified numbers, and retrieve information such as call logs, contacts, and information about Wi-Fi access points."
Dave Bittner: [00:11:27:08] The extortionist "Mr. Smith" claiming responsibility for the HBO hack has escalated his or her or their game by releasing mobile phone numbers and email addresses belonging to Game of Thrones stars Lena Headey, Peter Dinklage, and Emilia Clarke. The hackers are also said to have released emails from HBO vice-president Leslie Cohen. "Mr. Smith" threatens a bigger release today if his demands for a six-month "salary" thought to be between $6 million and $7.5 million, are not met. "Mr. Smith" has also said he will only deal only with "Richard," presumably HBO chairman and and CEO Richard Pepler. So far no word on further developments, but there are a few hours left in August 10th as we speak. And, as we know, winter is coming.
Dave Bittner: [00:12:21:16] Now a word about our sponsor The Cyber Security Conference For Executives. The Johns Hopkins University Information Security Institute and COMPASS Cybersecurity will host the event on Tuesday, September 19th in Baltimore, Maryland on the Johns Hopkins Homewood Campus. The theme this year is emerging global cyber threats and the conference will feature discussions with thought leaders across a variety of sectors. You can find out more and register at the thecyberwire.com/jhucompass. One of the keynotes will be delivered by US Cyber Command's Guy Walsh, who will cover emerging threats and the innovative solutions you can implement to mitigate them. And that's just one. There will be expert presentations from a range of sectors. Check out the details on the event site, thecyberwire.com/jhucompass. And we thank the Cybersecurity Conference For Executives for sponsoring our show.
Dave Bittner: [00:13:19:15] Joining me once again is Jonathan Katz. He's a Professor of Computer Science at the University of Maryland and also Director of the Maryland Cybersecurity Center. Jonathan, welcome back. We had a story come by from Security Affairs and it was talking a site channel attack on some RSA encryption. They were claiming that they can crack 1024 bit RSA encryption. Bring us up to date here. What's going on?
Jonathan Katz: [00:13:42:00] So, this is an example of a side channel attack, where basically the attacker is using information that they're obtaining by watching the execution of the algorithm. Say if they have a virus running on the same machine that the algorithm is executing on. And by looking at very small differences in the timing that various parts of the algorithm take, it turns out that it's possible to extract bits of information that allow them to recover the secret key for 1024 bit RSA, as you say.
Dave Bittner: [00:14:10:22] And one of your colleagues at the University of Maryland had a hand in this?
Jonathan Katz: [00:14:15:11] Yes, that's right. Actually, Daniel Genkin is one of the co-authors of the paper describing this work and he's currently a post doc, splitting his time actually working with me at the University of Maryland and also working with Professor Nadia Heninger at the University of Pennsylvania.
Dave Bittner: [00:14:30:12] So, how big a deal is this? How big a threat is this? Is this something to be taken seriously or is this more of an academic kind of thing?
Jonathan Katz: [00:14:39:16] Well, it's a little bit mixed actually. So, it's something to be taken seriously from the point of view that there are actually deployed products. In particular the GnuPG crypto library that are vulnerable to this attack and they've ended up patching their system and fixing the bug that led to this attack, so they certainly took it seriously. On the other hand, the conditions that an attacker would need in order to carry out this attack are pretty severe and, like I said earlier, the attacker would basically have to be running on the same machine that the cryptography was being executed on which, if that's the case, if you have an attacker running on your machine, you probably have bigger problems to worry about.
Dave Bittner: [00:15:19:08] So, there are some specific concerns when it comes to cloud computing?
Jonathan Katz: [00:15:22:16] Yes, that's right. When you're implementing cryptography in the cloud, you might have actually different users programs being run on the same physical machine and it's potentially possible, in that case, that an attacker running on the same machine as an honest user, would be able to get the information that's needed to carry out this attack in that case as well.
Dave Bittner: [00:15:42:18] Alright. Jonathan Katz. Thanks for joining us.
Dave Bittner: [00:15:47:08] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.