The CyberWire Daily Podcast 1.23.18
Ep 520 | 1.23.18

ISIS messaging. Intel will roll out new Spectre/Meltdown patches. Identities for sale on the dark web. IDN spoofing. SpriteCoin ransomware, with a malware chaser. Three Sonic games may be trouble.

Transcript

Dave Bittner: [00:00:00:16] Our Patreon subscribers get access to special content, bloopers, extended interviews and much more. Check it out at patreon.com/thecyberwire.

Dave Bittner: [00:00:12:24] ISIS howls "we are in your home" as they lose their own home. Intel says a new patch for Spectre and Meltdown is coming to fix instability problems. Look closely at URLs, IDN spoofing is out and about. Satori expands the reach of its botnets. New ransomware strains surface. SpriteCoin is no coin at all, and Sonic the Hedgehog fans, watch out, three popular games may expose you to hacking.

Dave Bittner: [00:00:43:13] Time to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it, the CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff, and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:53:21] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Tuesday, January 23rd, 2018.

Dave Bittner: [00:02:04:07] ISIS is seeking to inspire lone wolf terrorists and frighten infidels with the slogan "we are in your home". The slogan appears with an online picture of a jihadist wearing an ISIS-branded shemagh, only his pixelated eyes visible, posing in front of a snowy shot of New York's Central Park. This sort of campaign can be expected to continue as the Caliphate dwindles into its online diaspora.

Dave Bittner: [00:02:29:16] Intel tells users to disregard its recent Spectre patch. A new, less troublesome version is due out soon. The chip giant says it's figured out why machines based on its Broadwell and Haswell platforms reboot and become unstable after they've applied the patch Intel issued earlier this month for Meltdown and Spectre. So don't apply them, they'll have a new, better version out soon.

Dave Bittner: [00:02:53:01] Linux creator, Linus Torvalds, has been serving as a goad to better patching at Intel, whose approach to fixing the vulnerabilities he calls, "Complete garbage." He's told his Linux kernel mailing list, "They do literally insane things. They do things that do not make sense." Intel feels a bit picked on, asking if everyone could be, "less shouty," but admits that Linus may have a point or two.

Dave Bittner: [00:03:18:24] The recent revelations of the Meltdown and Spectre vulnerabilities have led to a great deal of uncertainty, as users continue to sort through their real world practical implications. Chris Webber is a security strategist at SafeBreach, and he takes us through their efforts to make sense of the situation.

Chris Webber: [00:03:36:06] The vast majority of computers, that's servers, that's end user computers, are going to be affected by this vulnerability where either an application or a specific wrong user can get protected data from places it shouldn't be able to get. So it is a little concerning in that way, that it's so widespread, certainly. And we also know that some of the patches that were pushed to try to fix this were pulled back as they were maybe rushed out a little hastily, and caused more harm than good in a lot of ways. And I think where we're at right now is that we're sort of at the tipping point to see whether we're going to be able to get out ahead of this or whether it's going to linger for quite some time.

Dave Bittner: [00:04:17:09] Now, one thing you all are doing there at SafeBreach is you're running simulations for these attacks. Can you take us through what that means and what the benefit is there?

Chris Webber: [00:04:25:13] Sure thing. So that's part of what SafeBreach does, you're exactly right, we simulate attacks or exploits, we simulate ways to take advantage of vulnerabilities, just like an attacker would. So in this case, though we haven't seen any real attacks out in the wild, we can create our own attacks that take advantage of this vulnerability, written simulations that try to get simulated application data, simulated protected data from the kernel space, out of that machine to our simulators. Now, we're not trying to get any real data, not any real customer information. We make up the data, we put it in there and we see if we can get it out. And in that way you don't have to just patch and hope, you can actually patch and validate that the patch has worked as you expected.

Dave Bittner: [00:05:09:15] And are there any specific insights that you all have gained from running these simulations?

Chris Webber: [00:05:14:12] On the right kind of machines, you know, Intel based servers for sure, running the right operating systems, the patch from Microsoft, for example, actually did help mitigate this, which early on there was some concern about. Since this is an architectural vulnerability, the industry wasn't sure if a software-only patch was really going to be helpful, we thought it was always going to have to be a combination of an operating system patch and certainly a firmware or microcode patch. But even the Microsoft patches seem to stop at least some of the vulnerabilities from being exploited very well.

Chris Webber: [00:05:45:24] Now, we've also seen in ensuing days that on the wrong kind of machines, those can be locked up, prevented from booting, with a patch that isn't well executed. So hopefully we see the trends towards the working side just expand over the next few days.

Dave Bittner: [00:06:00:18] And how do you see this playing out? I mean, I think rightfully so Meltdown and Spectre have taken, you know, a great deal of attention, this is certainly something the scale of which we have not seen before, or at the very least rarely see, but long term is this going to be something that requires our continuing attention, or could this even prove to be perhaps a distraction?

Chris Webber: [00:06:22:02] I think that's a great question. It is extremely widespread, it's a really big impact, and it's at a very low level, so it's something that we all should focus on, we should understand and we should try to mitigate as best we can. But like any vulnerability, or any patch, there's going to come a point where we reach diminishing returns. Some operating systems may never be patched, certainly there's lots of hardware out there that's no longer supported, or even some of the supported hardware might be a little arcane and might not be getting those firmware patches soon. And we could spin around and around on this as an industry for a long time, being worried, but we have to remember defense in depth. If we have systems that we can't patch, that might have this vulnerability, an attacker needs multiple phases in order to get to those systems. We need to make sure that we've got defenses in the network to stop them from getting there, we need to make sure that we segregate our networks so that lateral movement is harder, and certainly if data is compromised, we need to try to make sure it never leaves our environments, never leaves those machines. So even if we can't fix the Spectre or the Meltdown problem, we might be able to fix the overall exploitation problem by looking elsewhere in our environments.

Dave Bittner: [00:07:33:11] That's Chris Webber from SafeBreach.

Dave Bittner: [00:07:37:06] Security company, RepKnight, says it found a collection of compromised credentials from top-500 law firms in the UK. They say that around one million email credentials are in the cache, a number which seems very high indeed. Some of the data came from the firms themselves, but much of the stolen information originated in third party breaches. In this case, the risk is not so much direct identity theft, although of course that's a possibility too, but rather the use of the credentials for dangerously plausible social engineering campaigns.

Dave Bittner: [00:08:10:03] Farsight Security has issued a study of how Internationalized Domain Names, IDNs, can use non-Latin characters from, say, the Greek or Cyrillic alphabets, to craft sites that impersonate URLs that use the more familiar Roman characters. Spoofed sites are used for more persuasive phishing. Thus a Cyrillic soft sign, for example, can be used to spell Facebook, which might fool the casual eyes of users normally alert to the URLs they follow. Other examples are easy to come up with. Companies whose sites have been impersonated in this way include Apple, Adobe, Amazon, Bank of America, Cisco, Coinbase, eBay, Bittrex, Google, Microsoft, Netflix, New York Times, Twitter, Walmart, Yahoo, Wikipedia, YouTube and Yandex.

Dave Bittner: [00:08:58:22] IoT devices containing ARC chipsets are turning up in Satori botnets, which indicates that botnet controllers have significantly increased the number of maverick devices they can rope into their herd. 32-bit ARC processors are power-efficient chips found in automobiles, including electronic steering controls and entertainment systems, consumer goods like smart thermostats, personal fitness devices, and TV set tops, and also in industrial control systems. Arbor Networks, the firm warning of Satori's expansion, estimates that more than a billion and a half systems with ARC chips ship every year.

Dave Bittner: [00:09:37:00] An open-source ransomware project forms the basis of a new family of ransomware, desuCrypt and its Deuscrypt variant, now being widely distributed in criminal markets. Researcher, Michael Gillespie, has developed a decryptor for infected files, so bravo Gillespie, and let's hope that this sector of the criminal-to-criminal market remains largely frustrated.

Dave Bittner: [00:10:00:08] Security company, Acronis, warns that Paradise ransomware, which saw a flurry of activity this past September, has resurfaced. It spreads in a commonplace but nonetheless dangerous way, as a malicious zip file distributed by spam email.

Dave Bittner: [00:10:16:07] There are a number of different cryptocurrencies in circulation, but at least one of them isn't what it appears to be. In fact, it's not a cryptocurrency at all. Researchers at security company, Fortinet, report that SpriteCoin is a bogus cryptocurrency that's nothing more than phishbait. It leads the unwary to ransomware. It also adds not just insult to injury, but further injury to injury by not only encrypting victims' files, but installing other malware that lingers after decryption. Once the marks cough up the ransom, payable only in the genuine cryptocurrency, Monero, SpriteCoin's decryptor uploads a fresh malicious executable and leaves malware behind on their machines that parses images, harvests certificates and activates web cameras. So remember, there is no such thing as SpriteCoin, it's a scam whenever and wherever it appears.

Dave Bittner: [00:11:10:03] The Muscat Securities Market in Oman, a stock exchange with a $23 billion market cap, has closed a telnet vulnerability. Telnet is always bad news nowadays. It has also changed the credentials on one of its routers. Those credentials were, of course, wait for it, username "admin" and password "admin."

Dave Bittner: [00:11:32:03] Finally, researchers at Pradeo Security Systems have found that three Sonic the Hedgehog games for Android, all available in the Google Play Store, are leaky. They could expose users' geolocation, and they could also expose them to man-in-the-middle attacks. The games are Sonic the Hedgehog Classic, Sonic Dash 2: Sonic Boom, and Sonic Dash. The information leaked includes mobile network information, service provider names, network types, OS version numbers, and device model and manufacturer. The problem seems to lie in the use of a third party library, Android/Inmobi.D, which allows campaign monitoring, crash reporting and software analysis. The library does so through 11 servers, three of which are insecure.

Dave Bittner: [00:12:17:15] Maybe you're not worried because you're more of the Crash Bandicoot type, but with more than a hundred million downloads of these Sonic apps, come on, let's get secure and make America fast again. After all, we hear the Federal Government is open for business again, for now anyway. Is that anthem petition for City Escape still open?

Dave Bittner: [00:12:42:04] Time for a message from our sponsors at E8 Security. They understand the difference between a buzz word and a real solution, and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new, but proven technologies, at e8security.com/cyberwire.

Dave Bittner: [00:13:02:01] We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that, while we might assume supervised machine learning, where a human teaches the machine, might seem the best approach, in fact unsupervised machine learning can show the human something unexpected? Cut through the glare of information overload and move from data to understanding. Check out e8security.com/cyberwire and find out more. Follow the behavior, find the threat. That's E8 Security. And we thank E8 for sponsoring our show.

Dave Bittner: [00:13:50:20] And joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, welcome back.

Joe Carrigan: [00:13:56:18] Hi Dave.

Dave Bittner: [00:13:57:17] So we got some feedback from a listener, this is from Nathaniel U, he's had a couple of ideas about security postures, and I think they're worth discussing here. One of them is, instead of teaching people not to click suspicious links, teach them never to click links in emails, or, even better, disallow links altogether. This can be done without disrupting internal communications simply by placing links in a safe site, or shared folder, which the end user must authenticate into, and then notifying them that the link exists via email. What do you think?

Joe Carrigan: [00:14:29:09] There are systems that you can get for your email now that will strip links out of the email message. It's just a simple, regular expression, so it's pretty easy to identify a link, particularly if it's in HTML, anyway, because they all look kind of similar. They all have a regular syntax that must be matched in order for the URL to work in the first place. So matching them is easy, and then taking them out is a simple find and replace.

Joe Carrigan: [00:14:56:15] I know that at the university we have a system that, if the link is identified as suspicious, it will replace that link in your email with a Hopkins webpage that lets the user know, "We think this link is malicious, you shouldn't click on these links."

Dave Bittner: [00:15:14:10] So sort of quarantines it.

Joe Carrigan: [00:15:15:18] Yeah, kind of quarantines it and takes it out.

Dave Bittner: [00:15:16:23] Makes you think twice.

Joe Carrigan: [00:15:18:04] I do like the idea of completely removing all the links and telling people, "Don't click on any of these links," I think that's a good idea actually. And if you get an email from whoever you think it's coming from, let's say you're doing business with Capital One or Wells Fargo, and you get an email from them that has a link in it, never click on that link, just go to your web browser and enter the name of the website that you're going to, or use your own links. Access the web page that way.

Dave Bittner: [00:15:49:17] Yeah, because even if you mouse over it and it looks familiar enough, they've gotten clever enough that they can make it look familiar enough.

Joe Carrigan: [00:15:56:22] That's right, they've started buying up domains that look similar, they've replaced Ls with 1s, and there's a very small chance that you'll notice that the pixel on the L is not aligned with the top of the L, instead it's dipped down one pixel on a serif, and something as simple as that, you know, replacing an L with a 1, will take you to a completely different website.

Dave Bittner: [00:16:23:06] Right, of course, yeah, so better safe than sorry.

Joe Carrigan: [00:16:25:18] Yeah.

Dave Bittner: [00:16:26:07] All right, Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:16:28:02] My pleasure.

Dave Bittner: [00:16:31:00] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more.

Dave Bittner: [00:16:53:05] The CyberWire Podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:17:02:21] Our show is produced by Pratt Street Media, with editor, John Petrik. Social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.