KRACK attacks. Iran's growing capability in cyberspace. Swedish and Polish targets probed by state-directed cyber ops. QR code security issues. Russia to introduce official cryptocurrency.
Dave Bittner: [00:00:01:01] We passed a fun milestone over the weekend. The podcast has been downloaded over three million times since we started bringing it to you. Thanks for your support and continuing to listen to us every day.
Dave Bittner: [00:00:13:17] KRACK attacks get by secure wi-fi protocols. Probes and distributed denial-of-service incidents in Poland and Sweden have the look of state operations. East Asian threat actors move on from cyber espionage to supply chain attacks. Iran is blamed for June's hack of UK Parliamentary email. QR codes may pose security issues. Do FSB social media trolls really train against US targets by watching House of Cards? And can the CryptoRuble really compete with VopperCoin? Investors want to know.
Dave Bittner: [00:00:47:08] Time to take a quick moment to tell you about our sponsor Recorded Future. You've probably heard of Recorded Future, they're the real-time threat intelligence company and their patented technology continuously analyses the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay ahead of cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:54:21] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, October 16th, 2017.
Dave Bittner: [00:02:04:24] Researchers at KU Leuven, a leading Belgian research university, have announced discovery of a key reinstallation attack vulnerability that affects wi-fi connections hitherto believed to be secure. They're calling it a KRACK attack, from Key Reinstallation Attack. It works roughly like this: an attacker, within range of the intended victim, could get around the four-way handshake used in the WPA2 wi-fi protocol by inducing the victim to reinstall a key that's already in use. Success enables the attacker to access information assumed to be securely encrypted. The problem lies in the protocol itself, and not in any particular product, which means that there's no easy set of patches or upgrades that will secure users from KRACK.
Dave Bittner: [00:02:51:12] The researchers say that KRACK is most effective against Android, Linux, and OpenBSD devices. Windows and MacOS are also susceptible, albeit at a somewhat lower risk. Mathy Vanhoef, the principal researcher, wrote in his report, "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it's also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites." End quote.
Dave Bittner: [00:03:30:10] We heard by email from Dr. Steven Murdoch, Innovation Security Architect at VASCO Data Security and Principal Research Fellow at University College London. He explained that in cryptographic protocols, a "nonce" - that is a number used once - should never be repeated, but sometimes design flaws in the software implementing a protocol permit this to happen. It's easy to complain that a bad designer made some buggy software, but Murdoch thinks a problem with nonce reuse is likely to crop up again elsewhere. He said, quote, "I think a better approach is to re-design protocols to be more resistant to nonce reuse, which we know how to do, albeit with a slight loss of efficiency." End quote. He added that nonce reuse will be even more serious in next generation wi-fi encryption (GCMP), where it could permit data to be tampered with as opposed to simply intercepted and read.
Dave Bittner: [00:04:24:05] So, should we be worried? Yes and no. The attacker has to be physically close to the device they want to exploit for a KRACK attack to work. Murdoch calls the vulnerability "serious," in that if successfully executed it can compromise sensitive traffic, but he also thinks that, quote, "the more valuable the network, the more likely it is criminals will make the effort to carry out the attack. So businesses are at a higher risk than average home users." End quote. The issue is likely to persist for years in devices that have a long, slow expiration. Android smartphones and wi-fi routers will probably be most affected. Frederik Mennes, also of VASCO Data Security, advises that users not only be on the lookout for patches, but also consider using cryptographic protocols at the transport or application layer, like SSH and TLS. They should also consider using virtual private networks.
Dave Bittner: [00:05:19:15] A variety of probes and nuisance attacks surfaced in Europe late last week. Poland's Defense Minister says the country successfully parried a Russian cyberattack of unspecified nature and scope. In Sweden, denial-of-service campaigns affected transportation - especially rail transportation - in western regions of the country. There's no attribution of the DDoS attacks against Swedish targets, but Russian operators are widely suspected.
Dave Bittner: [00:05:46:16] British security researchers have concluded that Iran was behind the June 23rd brute-force attacks on Parliament's email system. Moscow had been the original and usual suspect, but Whitehall has determined it was Tehran.
Dave Bittner: [00:06:01:03] A number of researchers are warning of an increase in the tempo of cyberattacks against targets in East Asia. These no longer seem to be confined to espionage, but appear to pose a fresh threat to supply chains. A confusing set of Chinese and North Korean actors are named in dispatches.
Dave Bittner: [00:06:19:09] Turning to information operations, the odd-duck Russian television station Dozhd, or Rain, has broadcast an interview with one "Maksim" - face obscured - who claimed to have worked in the Internet Research Agency's St. Petersburg troll farm, disseminating fact and opinion about the US 2016 Presidential elections. The basic message, Maksim said, was, "Aren't you Americans tired of the Clintons?" But a great deal of the social media trolling was designed to inflame religious, racial, and gender divisions on hot-button cultural topics. Maksim said that the trolls were trained by watching House of Cards, which he thought a pretty good guide to American political culture. Treat this interview with appropriate caution - there are wheels within wheels in information operations, and even an outlier like Rain TV can't be assumed to be outside the reach of the official organs.
Dave Bittner: [00:07:15:00] Apple's iOS 11 is said to have an exploitable backdoor in its associated QR scanner. The problem lies in the nature of QR codes themselves. They're not readable by humans, at least not by any we know, and so it's possible to replace legitimate QR codes on, say, merchandise, with malicious codes. Security firm CyberInt, which has described the issue, intends to release a full study within a few weeks.
Dave Bittner: [00:07:40:13] Pizza Hut was breached. It's less serious than Equifax - but tastier. The transactions affected occurred early this month, so if you've recently used your credit card to buy a large, hand-tossed Cock-a-doodle Bacon pie, well, look to your statements. Security expert Ilia Kolochenko of High-Tech Bridge thinks the scale of this breach is, relatively speaking, insignificant compared to some of the big slips we've seen over the past month. He said, quote, "Notification to the victims is indeed a bit protracted, but it can be explained by the difficulty in properly identifying all of the victims affected." End quote. And he thinks we should proceed with caution before we blame Pizza Hut until we know more about what actually happened. It strikes us that a lot of the interest in this breach is driven by the notorious, perhaps stereotypical, love of pizza associated with information technology. Pizza is to coders as doughnuts are to law enforcement professionals. We'll just say this: Mr. Kolochenko, if you visit Baltimore, we'll buy you a slice and throw in some Old Bay.
Dave Bittner: [00:08:44:23] And to return, in a way, to a story we discussed a couple of months ago, Russia is said to be on the verge of authorizing its first official cryptocurrency. They're going to call it the CryptoRuble and, unlike other cryptocurrencies, it won't be minable or decentralized, but rather issued and controlled by a central authority. Since these features would seem to be pretty much the whole point of a cryptocurrency, one is reluctantly driven to ask, what the heck? What's in it for the rest of us? We're not going to presume to give advice to the Kremlin, you understand, but it seems to us that they've already got an indigenous cryptocurrency, the VopperCoin Russian Burger King restaurants began issuing back in August as a reward for sandwich purchases at any of the franchise's convenient Moscow locations. By this time, any number of fast-food fancying oligarchs have doubtless eaten their way to a small and satisfyingly decentralized, if not particularly liquid, fortune.
Dave Bittner: [00:09:45:18] Time for a message from our sponsors at E8. We've all heard a great deal about artificial intelligence and machine learning in the security sector, and you might be forgiven if you've decided that maybe they're just the latest buzzwords. Well, no thinking person believes in panaceas, but AI and machine learning are a lot more than just empty talk. Machine learning, for one thing, is crucial to behavioral analytics. You can't recognize the anomalous until you know what the normal is, and machines are great at that kind of baselining. For a guide to the reality, and some insights into how these technologies can help you, go to e8security.com/cyberwire and download E8's free white paper on the topic. It's a nuanced look at the technologies that have both future promise and present-day payoff in terms of security. When you need to scale scarce human talent, AI and machine learning are your go-to technologies. Find out more at e8security.com/cyberwire. And we thank E8 for sponsoring our show.
Dave Bittner: [00:10:50:11] And I'm pleased to be joined once again by Johannes Ullrich. He's from the SANS Technology Institute, and he's also the host of the ISC Stormcast podcast. Johannes, welcome back. You know, with this recent run of hurricanes that we've had, as with any disaster, there are those who look to take advantage of it. What are we seeing in terms of scam sites popping up?
Johannes Ullrich: [00:11:12:09] Yeah, luckily we don't see as many of them as we have seen in the past. If you remember Katrina, for example, it had a huge number of fake - or at least suspicious - donation sites. We have only seen a small handful of them so far with the hurricanes Harvey and Irma. So actually, as hurricanes approach, we see hundreds of websites being registered with respective domain names. Many of these websites start out just being parked. Luckily, we've only seen a very few that solicit donations. Interestingly, a couple of the ones that I would consider more shady, in the sense that they don't appear to be associated with a legitimate charity, solicit donations in Bitcoin, which has, I guess, a little bit taken over here from PayPal. The large majority of the websites being registered at this point are also being used by lawyers. So, probably somewhat shady law firms here that are trying to solicit clients using this disaster.
Dave Bittner: [00:12:19:16] So, the ones being registered by lawyers, does it seem as though they're legitimate lawyers who are trying to capitalize on the event, or are they fake lawyers?
Johannes Ullrich: [00:12:29:06] That's a little bit hard to tell at this point. There are only a couple of them that point to actual law firms. They appear to be legitimate law firms, so, so far, yes, they're actual lawyers. Some of them don't actually appear to be in the business of injury or lawsuits like that. So it's a little bit hard to tell what the real end goal is. The big majority of these websites are still parked at this point. So, we are monitoring them to see what will eventually show up on these sites. There's also the possibility that these websites are being registered just in case, to resell them later. There are always many ways to make a little bit of money with a disaster like that.
Dave Bittner: [00:13:15:07] So the advice to the user is, I suppose, make sure that you're dealing with a reputable charity and try to avoid a middleman?
Johannes Ullrich: [00:13:24:11] Yes. You should certainly not donate to a charity that you didn't hear about before a disaster came up. The other interesting little facet that has shown up, particularly with Harvey, was that there were a number of websites that essentially asked people to register if they needed to be rescued. Now, many of them I believe are legitimate and certainly something that people just set up in order to help each other out, but be careful who you give your personal information to. In disasters like this, it's all too easy to give, for example, a charity or someone who offers help things like a social security number, and while it's not always bad or malicious, take care that the information is protected properly. So, don't let your guard down just because someone is offering you help.
Dave Bittner: [00:14:14:19] Right, all right. Good advice as always. Johannes Ullrich, thanks for joining us.
Dave Bittner: [00:14:21:21] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. A quick request to head on over to iTunes and leave a review for our show, and to subscribe there. It really is one of the best ways you can help other people find the CyberWire podcast. We do appreciate it. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.