The CyberWire Daily Podcast 12.29.15
Dave Bittner: [00:00:03:10] South Asian Islamists announce anti-Indian cyber attack cell. ISIS aspirational cyber offensive capabilities. Flash gets patched. New payment fraud patterns emerging. And Chinese and US cyber laws are reviewed.
Dave Bittner: [00:00:19:01] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at ISI.JHU.EDU.
Dave Bittner: [00:00:40:14] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, December 29th, 2015.
Dave Bittner: [00:00:47:16] ISIS/Daesh adherents appear to be attempting collaboration toward cyber attack capabilities. Consensus among observers of the group's dark web chatter is that Daesh hasn't progressed beyond low-grade, script-kiddie levels, and that any serious offensive capacity remains aspirational. Still, their efforts will bear watching. Persistence pays off.
Dave Bittner: [00:01:07:20] Elsewhere, Jamaat-ud-Dawah, nominal charitable and political arm of the South Asian Islamist group Lashkar-e-Taiba, barked an announcement that a 24/7 cyber operations cell has been established to hold Indian targets under threat. Indian businesses consider how they and their government should respond.
Dave Bittner: [00:01:26:13] Turkey continues recovery from the recent denial-of-service campaign it sustained. The government talks up its tighter security measures and reaffirms its commitment to building up a cybersecurity workforce. Observers foresee the usual labor market pinch.
Dave Bittner: [00:01:40:19] Adobe patches Flash Player in response to Huawei's discovery of a zero-day vulnerability. Analysts regard the out-of-band patch worth immediate attention. Huawei says the flaw they discovered is being exploited in the wild.
Dave Bittner: [00:01:54:16] Researcher Chris Vickery has found data for 191 million registered US voters, essentially all of them, exposed online. Vickery blames an "incorrectly configured database." No one really knows who's responsible, but early speculation points toward an unidentified customer of political campaign service provider NationBuilder.
Dave Bittner: [00:02:15:17] A presentation at the Chaos Computer Club says flaws in payment communication protocols Poseidon and ZVT could compromise PINs and otherwise enable banking and payment fraud.
Dave Bittner: [00:02:26:22] Widespread US adoption of chip-and-pin payment cards in 2016 is expected to shift cyber criminals toward card-not-present fraud, with the sharing economy most heavily affected.
Dave Bittner: [00:02:38:13] Forbes reviews the "hottest cybersecurity startups" of 2015.
Dave Bittner: [00:02:43:22] New Chinese anti-terrorist legislation is characterized as requiring firms to decrypt on demand. It's unclear how different this will prove to be from requiring back doors. The Washington Post looks at recent US cyber legislation and thinks those who see it as a privacy disaster are making too much of a relatively modest attempt to foster information sharing.
Dave Bittner: [00:03:05:11] This CyberWire podcast is brought to you through the generous support of Betamore, an award winning co-working space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of Downtown Baltimore. Learn more at Betamore.com.
Dave Bittner: [00:03:26:17] Joining me is Andre Protas, he's the Technical Director of the Security Research Team at CyberPoint International. Andre, I want to ask you about backdoors. Backdoors have been in the news with what's been going on with Juniper Networks. What is a back door?
Andre Protas: [00:03:40:08] So a backdoor is code intentionally left to regain access later by an adversary. So, for the Juniper case there are two backdoors that are being discussed. One is a cryptographic backdoor, that is, an implemented weak encryption mechanism that may allow somebody to decrypt traffic. The other one, which we'll focus on, is the actual code backdoor, allowing somebody without access to know the root password and regain access later.
Dave Bittner: [00:04:12:13] And so again, just from a basic point of view, why would a backdoor like this be put in, in a case like what Juniper's dealing with?
Andre Protas: [00:04:21:24] So, Juniper is one of the largest, I guess, ISP-grade router and switch suppliers in the world. It would be really nice for an adversary to have some sort of access to all those devices. It's really easy to gain access to a network if you have access to the router. So as opposed to having to send phishing attacks or to send malicious documents to users, all you have to do is just log into the router, set yourself up a VPN account and you can just walk in and do whatever you need to do.
Dave Bittner: [00:04:51:02] And who would we be looking at for being responsible for installing the backdoor in a case like this?
Andre Protas: [00:04:55:16] Yes, there's a lot of speculation as to who would have done it. I think there's been a lot of finger pointing to the NSA and to GCHQ perhaps. But I think recent data has shown that it's likely not the NSA or GCHQ, because they're focused on doing more defensive work, and they would likely not backdoor software of US origin. So, it's kind of hard to tell who might be behind it. But based on the fact that it showed that an adversary was putting in not only a backdoor for a password but also some strong cryptographic backdoor code as well, it shows that the attacker wasn't just somebody that knew how to code C but also had a strong cryptanalysis background or department. So it'd probably be a larger organization, rather than just a rogue developer.
Dave Bittner: [00:05:52:15] Now are there tools for rooting out backdoors? Are there ways that you can go through your system and try to root them out?
Andre Protas: [00:05:59:13] There are, but it requires a lot of manual effort. So there's actually a project or a competition called Underhanded C, which I have participated in, in the past. It's pretty interesting, but the idea is that you write normal C code that has some sort of backdoor, or some sort of nefarious action that can be triggered by an outside attacker. This competition is trying to hide it. So whoever's able to make the most effective backdoor, but make it the most difficult to identify, is effectively the winner. So, the reason that this backdoor in Juniper didn't seem to get identified is because it looked like normal code. It looked like a debug string, and it would have taken a very smart eye to be able to identify this.
Andre Protas: [00:06:41:18] And this happened, I believe, in 2012. So this has been sitting around for a long time. It required somebody to identify it at that change. So that code check-in must have been identified, and I'm guessing that nobody was going to go back in time to review every code check-in as part of due diligence. So once it's checked in, once it's approved, once it passes quality assurance, then it's just pretty much in the code base forever, until somebody comes across it again.
Dave Bittner: [00:07:12:17] Alright, I think that's it. Should I ask you how they discovered the Juniper backdoor? Once it's in there, how do you know it?
Dave Bittner: [00:07:28:01] So in a case like this how is this backdoor discovered? All of a sudden was the vulnerability exposed? How did they know they had a problem?
Andre Protas: [00:07:41:08] Yes, so there is actually a lot of speculation about that right now. The thought is, nobody was just going to come across this backdoor unless there is a reason to see it. So, there is either the chance that it was identified in the wild. Some attacker may have been using this backdoor to gain access to a system over time, and somebody was able to identify what password they used, identify that, yes, that is actually a backdoor password, alert Juniper and then push out the patch. Or it might have come along during a security audit, either within Juniper or with an outside party. I know there is a lot of collaboration with critical infrastructure software like this; it's going to get a lot of eyes on it, to be able to analyze.
Andre Protas: [00:08:25:00] So, it's hard to say how it was identified, but my guess would probably be a real live attack was identified and analyzed, and they were able to identify that yes, there is a backdoor installed. And that led them to identify the second backdoor as well too.
Dave Bittner: [00:08:41:08] Alright interesting stuff. Andre Protas, Technical Director of the Security Research Team at CyberPoint International. Thanks once again for joining us.
Andre Protas: [00:08:49:06] Of course.
Dave Bittner: [00:08:52:01] A note to our listeners: we're back today but The CyberWire will be taking this Thursday and Friday off for the New Year holidays. We'll be back as usual on Monday, January 4th.
Dave Bittner: [00:09:01:17] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. The CyberWire podcast is produced by CyberPoint International, and our editor is John Petrik. Thanks for listening.