The CyberWire Daily Podcast 12.7.17
Ep 490 | 12.7.17

Hamas calls for intifada; hacktivism expected. Ethiopian government surveillance ops. Crime and cryptocurrency. Keylogger in the wild. Fixes to MacOS, Android app development tools. Uber hack and bug bounties.

Transcript

Dave Bittner: [00:00:01:05] A quick reminder that there is exclusive content available to our Patreon subscribers, publications, bloopers, extended interviews and more. So check it out at patreon.com/thecyberwire. Thanks.

Dave Bittner: [00:00:15:07] Hacktivist intifada warnings as the US recognizes Jerusalem as Israel's capital. How Ethiopia's surveillance was discovered. Criminals flock to cryptocurrency sites with everything from DDoS to miners to theft. Keyloggers are found infesting WordPress sites. Android app development tools get quick fixes. Apple updates MacOS High Sierra, again. What Uber may have thought it was doing when it paid off its hackers. A Section 702 surveillance authority update. And a Jeopardy champ faces hacking charges. And Kromtech warns about Ashley Madison, on grounds of security, not propriety.

Dave Bittner: [00:00:56:20] Now I'd like to tell you about a White Paper from our sponsor, Delta Risk. More than 90% of companies are using the cloud. Although the benefits are clear, moving to the cloud comes with new and unique security challenges. In the White Paper, Understanding The Challenges Of Cloud Monitoring And Security, Delta Risk cloud security experts outline the key methods organizations can adopt to gain clearer visibility into their network and critical assets. You can get your copy of the White Paper by visiting deltarisk.com/whitepapers-cloudmonitoring. Delta Risk LLC, a Chertoff Group company, is a global provider of cybersecurity services to commercial and government clients. Learn more about Delta Risk by visiting deltarisk.com. And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:01:55:09] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, December 7th, 2017.

Dave Bittner: [00:02:04:09] As the US prepares to make good on its long-promised recognition of Jerusalem as Israel's capital, Israel and the US brace for a wave of hacktivism expected to accompany the promised "second Intifada." Security concerns center on fear of physical violence, of course, but ancillary hacktivism is to be expected.

Dave Bittner: [00:02:24:24] Citizen Lab confirmed the Ethiopian government's use of intercept tools procured from Cyberbit to surveil dissidents when it connected suspicious emails to a misconfigured command-and-control server that exposed the government's target list.

Dave Bittner: [00:02:39:04] Cryptocurrencies continue to draw criminal attention. Denial-of-service attacks remain popular against Bitcoin sites. Over the past quarter, a study by security company Imperva Incapsula found, some 73% of Bitcoin-related sites experienced a DDoS attack. Cryptocurrency sites are highly sensitive to disruption since they depend upon high availability for their viability.

Dave Bittner: [00:03:03:00] A planned Bitcoin rival, Electroneum, failed to launch as its proprietors pulled their offering in the face of effective hacking. An updated version of the Quant Trojan is raiding cryptocurrency wallets. And Nicehash, a popular Bitcoin mining tool, is reported to have suffered a compromise, with some $56,000,000 in coin stolen.

Dave Bittner: [00:03:25:11] A keylogger has been found in more than 5,000 infected WordPress sites. This sort of script has been circulating in the wild since April, according to researchers at security company Sucuri. It logs keystrokes site visitors enter into form fields, and it sometimes also loads a cryptocurrency miner. The most dangerous infections occur on sites that run online stores, where, of course, credit card details are entered at checkout. The keylogger picks those up as well.

Dave Bittner: [00:03:54:00] Russian cyber gangs are particularly active in ransom campaigns against businesses in the UK these days. Cerber remains their most popular strain of ransomware. Extortion demands commonly run to £100,000.

Dave Bittner: [00:04:09:02] Android app development tools are found vulnerable to backdoors. Fixes are in progress. Researchers at security firm Check Point found and disclosed the issues. They affect widely-used Android integrated development environments, including Android Studio by Google, IntelliJ IDEA and Eclipse, both by JetBrains, and several reverse engineering tools for Android apps, including Apktool and Cuckoo-Droid. The companies are working quickly to close the holes.

Dave Bittner: [00:04:39:07] While the West Coast and, in particular, Silicon Valley get the lion's share of the attention for tech start-ups, there's a growing number of companies getting their start on the East Coast, in no small part thanks to the security ecosystem built around the federal government. Drew Cohen is CEO of MasterPeace Solutions, a Maryland company that benefits from the pool of talent coming up through the federal government, and also helps grow new startups.

Drew Cohen: [00:05:04:00] It's easier today to start a business than it's ever been in terms of infrastructure, because I can get computing as a service, I can get kind of anything I need as a service, so I can start a small business that looks like it has scale very rapidly. So it's still a great climate for startups, and there are capabilities that are available to startups today that were never available in the past, pretty much anything as a service. The challenge is that today's startups can't just ride on other platforms, they have to solve what's typically-- What's beginning to be called deep technology problems.

Drew Cohen: [00:05:43:04] So they really have to invent something new that creates kind of a ten-x change in whatever sector that technology is being applied to, and so the interesting part about that is that means you need talent, that means you need experience. It can't just be a couple of guys in their dorm creating a web page, a social network, if you will, and having the next Facebook. You have to have guys that really understand technology deeply and can innovate and create new hard technologies. And the interesting part about that is that's kind of typically what the government's been focused on, and so the skills that people have learned doing government research and government technology development is more applicable to kind of today's startup world than the rapid throw something together, make an app, stick it on the app store and see if you make money approach. And I think that benefits this area, and it's one of the reasons why I think you're seeing a shift from west coast investment to an emerging ecosystem here in Maryland.

Dave Bittner: [00:06:49:10] Yeah, it's interesting. It's almost as if there's a, I would say, a maturation of the ecosystem.

Drew Cohen: [00:06:55:09] Yeah. I would call it, you know, experience-driven startups. That's kind of the term that we're using. So you can't just get into it, you know, as kids out of school, you've got to have some basis of knowledge and experience and technical depth, applied technical depth that can only be learned over time, in order to really have the kind of breakthroughs that can be the foundation and underpinning of the next generation of innovation.

Dave Bittner: [00:07:22:23] And I suspect, too, from an investor's point of view, that puts investors at ease when they're putting their money toward people who can demonstrate their abilities through their government experience.

Drew Cohen: [00:07:34:09] Yeah. The combination of the demonstrated abilities, but also there's technical vetting, right? Now, I can look at something and go, "I see why this is ten-x better. I see why this is hard to replicate, and I see why there's a competitive advantage in doing it this way, right, a sustainable competitive advantage." And those are things that-- So, yeah, I think you hit it right, investors invest in teams and they invest in real innovation that provides a sustainable competitive advantage at scale.

Dave Bittner: [00:08:04:16] That's Drew Cohen from MasterPeace Solutions.

Dave Bittner: [00:08:09:14] Apple has again updated MacOS High Sierra to fix security holes. This latest upgrade includes a permanent fix to the root bug, the one that let you in by typing "root," that proved surprisingly slippery last week.

Dave Bittner: [00:08:24:06] A bit more has emerged concerning the Uber data breach. The ride-share company paid hackers who got into its data $100,000 to quietly destroy the information they took. It now seems, according to Reuters and Business Insider, that the identities of the hackers are known, and that they weren't the cliché Russian mobsters. They were instead the even more cliché, if that's possible, young man living in Florida with his mom, and a subcontractor he engaged to help him with GitHub. Their combined hackerweight isn't stated in the coverage. It would be too much to hope that it was 400 lbs.

Dave Bittner: [00:08:58:24] The story is particularly interesting, however, for what it reveals about the then-current thinking at Uber. They decided to treat it as part of their bug bounty program, and Uber did, and presumably still does, have a bug bounty program operated by HackerOne. It's easy to think that if you've handled it as a bug report, you're done, and one can imagine how the Uber security and legal executives could have talked themselves into this way of looking at things. After all, bug bounties are legitimate, useful ways of helping security, but there are three problems. First, you generally want people to know you've paid a nice bug bounty, that's how you get more people involved. Second, the hacker's ask had at least the coloration of extortion, "Pay or I'll tell everyone." And third, data was stolen, and there was a breach, and paying a bounty isn't an alternative to compliance with disclosure laws and regulations.

Dave Bittner: [00:09:50:19] As Section 702 electronic surveillance authority approaches sunset and renewal works its way slowly through the US Congress, the Administration suggests that aspects of the program might legally continue in the absence of reauthorization.

Alex Trebek: [00:10:08:07] This is Jeopardy!

Dave Bittner: [00:10:11:21] I'll take accused hackers for 500, Alex. The answer is, the former Jeopardy champion accused of illegally accessing systems at Adrian College in Michigan. Who is Stephanie Jass? That's right, the 2012 Jeopardy champ who held the, since broken, record for longest winning streak ever by a woman on the popular game show is facing two felony counts in Michigan, unauthorized access to a computer, computer program or network, and using a computer to commit a crime. The first charge carries a punishment of up to seven years in prison, a $5,000 fine and paying the cost of prosecution. The other charge is punishable by up to five years in prison, a $10,000 fine and the cost of prosecution. Ms Jass is, of course, to be considered innocent until proven guilty.

Dave Bittner: [00:10:59:01] Let's play another round. I'll take leaky hanky-panky emporia for 300, Alex. And the answer is, the default security setting is to share your private key right back. The question? What does Ashley Madison do when someone shares their private key with you?

Dave Bittner: [00:11:15:06] Researchers at security firm Kromtech are the ones sounding this particular warning. It's not that Ashley Madison has been hacked. That happened back in 2015. Instead, it's possible, Forbes magazine notes, to set up a bunch of bogus accounts and share your way into a trove of private pictures and other stuff. Pictures, of course, can be deanonymized with a variety of readily available and entirely legal tools, like Google Image Search or TinEye. The potential for blackmail seems real enough, especially since some 64% of Ashley Madison users are thought by Kromtech to simply leave the default settings in place.

Dave Bittner: [00:11:52:02] Ashley Madison's corporate parent, Avid Life Media, disagrees that this is a bug. They told Gizmodo that they don't intend to make any changes, since they see "the automatic key exchange as an intended feature." That's one way of looking at it.

Dave Bittner: [00:12:06:11] In the meantime, why not take fidelity for a gazillion and avoid this kind of jeopardy? As Ashley Madison itself points out, life is indeed short.

Dave Bittner: [00:12:17:06] One final note, a more serious one. It's Pearl Harbor Day, and it's a good time to remember the veterans of the greatest generation for their service and sacrifice.

Dave Bittner: [00:12:31:12] Now I'd like to share a message from our sponsor, Nehemiah Security. Fellow cyber security leaders, when your CEO asks department heads for a status update, do you envy your colleagues, like the VP of Sales or CFO, who only have to pull a report from a single system instead of deploying a team of people to check multiple systems and then waiting for them to report back? Do you wish you had a single place to get the information you need to communicate with the CEO? Nehemiah Security is here to put that power in the hands of the cybersecurity leader. It's time for a quick solution that allows you to go to one place to get the security information you need, quickly, and in business terms your CEO can understand. Nehemiah Security gives cybersecurity leaders the ability to report cyber risk in terms of dollars and cents. Visit nehemiahsecurity.com to learn more and get a free customized demo just for CyberWire listeners. Visit nehemiahsecurity.com today. That's n-e-h-e-m-i-a-hsecurity.com. And we thank Nehemiah Security for sponsoring our show.

Dave Bittner: [00:13:41:15] And I'm pleased to be joined once again by Jonathan Katz. He's a Professor of Computer Science at the University of Maryland, and also Director of the Maryland Cybersecurity Center. Jonathan, welcome back. We saw recently that NIST actually wrapped up a call for algorithm nominations for post-quantum computing. Can you give us an overview? What is NIST after here?

Jonathan Katz: [00:14:01:00] So a lot of people are very worried about the impact that a quantum computer will have on the cryptography that we currently use on the Internet. It's been known for a while, actually, that if a quantum computer were ever built, then all the cryptography we use right now, all the public key cryptography, I should say, would be vulnerable. And so, people have always been concerned about that possibility and, more recently, they've been worried that quantum computers seem to be coming faster than expected, and also the standardization process for new public key algorithms that would be resistant to those quantum computers would take some time.

Jonathan Katz: [00:14:36:01] And so NIST is trying to get ahead of things here, and they've put out a request for researchers to submit different proposals for cryptosystems that would be resilient to quantum computers and the deadline for that was just at the end of November. It remains to be seen how many got submitted, but it'll be really interesting to follow this process.

Dave Bittner: [00:14:46:13] So NIST gets these submissions and what happens next? Is there a public review process?

Jonathan Katz: [00:14:58:12] Yeah, that's one of the great things about this, actually, is that everything's going to be done in public. All the candidate submissions are going to be placed on a web page, and it's going to allow researchers to evaluate each other's submissions. So people then can look at what other people are thinking, and eventually the hope is that the research community will converge on a few favorites, essentially, that have the best security, the best efficiency and other desirable properties, and then some subset of those will be chosen for standardization.

Dave Bittner: [00:15:25:20] And what kind of timeline do you suspect we're on with that sort of thing?

Jonathan Katz: [00:15:28:20] Well, the call for nominations just ended, like I said, at the end of November. By the end of December, I think NIST is planning to put up on their web page a list of all the, all the submissions, and then NIST is looking at roughly a two-year timeframe over which to evaluate the submissions and then come to a conclusion.

Dave Bittner: [00:15:43:12] Alright. So not right around the corner, but still not that far out either.

Jonathan Katz: [00:15:48:14] That's right. And, like I said, people are getting very concerned. We've seen announcements from IBM and from Google over the course of the past year about developments and progress that they've had in building smaller scale quantum computers, but this is making people, like I said, get really concerned about the possibility that a larger scale quantum computer will be built within the next decade.

Dave Bittner: [00:16:06:19] Alright. Jonathan Katz, thanks for joining us.

Dave Bittner: [00:16:11:06] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, check out cylance.com.

Dave Bittner: [00:16:23:19] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.