Naming & shaming Iran's hackers? Palo Alto spots "Digital Quartermaster." Team Apple bigger than Team DoJ.
Dave Bittner: [00:00:04:02] That indictment of Iranian hackers, it's still coming and expected to send a naming and shaming message to Iran. Onion Dog still looks like a North Korean threat actor. Palo Alto thinks it's spotted the long suspected, much looked for, digital quartermaster. The Department of Justice has the President on its side, in the dispute with Apple, but that looks like about it.
Dave Bittner: [00:00:26:09] This CyberWire podcast is made possible by the generous support of Cylance, offering cyber security products and services that are redefining the standard for enterprise endpoint security. Learn more at Cylance.com.
Dave Bittner: [00:00:46:08] I'm Dave Bittner in Baltimore, with your CyberWire summary for Tuesday, March 15th, 2016.
Dave Bittner: [00:00:52:12] The US government is said to be winding up an indictment of Iranian hackers. The Department of Justice is expected to charge Iranian cyber operators with intrusions during 2013 into networks controlling that now famous small flood control dam in Rye, New York. The indictment is said to represent the US Administration's way of sending a message to Tehran. Should the indictments appear as expected, they will be the first charges the US Department of Justice has brought against a foreign government cyber operator since 2014, when it indicted five People's Liberation Army officers for hacking US industrial networks. Observers call this the latest round in the US Administration's name and shame policy, and they will watch with interest for signs that this policy might be working.
Dave Bittner: [00:01:34:16] The New York Congressional Delegation, especially in the form of Senator Schumer, appears to be front running the attribution and calling for a vigorous response. Schumer calls the alleged Iranian probe of the dam's network, "a shot across our bow" and says it should warrant tough sanctions against Iran.
Dave Bittner: [00:01:51:05] Chinese security firm Qihoo 360 has been tracking threat actor Onion Dog's activities. The hackers have been active in Korean-speaking enterprises; read that specifically as South Korean enterprises. North Korean resentment aside, speculation about who's behind the Onion Dog threat group and its attacks on South Korean targets is largely directed toward, obviously, North Korea.
Dave Bittner: [00:02:14:05] Palo Alto's Unit 42 is reporting on the digital quartermaster phenomenon, which it perceives as an ongoing campaign against Mongolian government sites. A digital quartermaster is a conjectured support service that maintains attack tools used in a range of cyber campaigns. The notion of a digital quartermaster is, Palo Alto notes, a relatively old one that's been discussed within the US Intelligence community for some time. In this case, Palo Alto thinks it's found persuasive evidence that a digital quartermaster is enabling a current campaign against Mongolian government websites. The campaign, which targets Russian-speaking operators through a variety of attack vectors, is using a common set of tools that credibly point to a single group of developers. Those tools include, most prominently, the Cmstar Downloader and the BBS Rat Trojan. Unit 42 thinks the attack traffic's geolocation suggests the hackers are located in China, but stops short of attributing the campaign to the Chinese government. Palo Alto concludes, "While there may be multiple operations groups, a digital quartermaster may be the one supplying and maintaining the tools used."
Dave Bittner: [00:03:21:07] Should there in fact be digital quartermasters out there, their supply sergeants might take a look at inventory control, because it seems the quartermasters are having trouble keeping criminals out of their tool bins. Reuters reports, on the basis of studies by Dell SecureWorks, Attack Research, InGuardians and GC Partners, that a new sophisticated ransomware that's hitting targets in the US and elsewhere is using tactics and tools previously associated with Chinese government-supported computer network intrusions. Specifically, researchers are seeing some advanced techniques for entry into and lateral movement around networks. They're also seeing intrusion management software they associate with state-directed operations.
Dave Bittner: [00:04:01:05] Staminus, which offers Internet hosting optimized for DDoS protection, continues its recovery from an attack it sustained over the weekend. The attackers' motivation initially appeared to have been objection to some Staminus clients. But the crowing over their ability to get in, and their arguably smug offer of security tips, suggests that coup counting and lulz may also have been goals as important as slacktivist opposition to the KKK. As is so often the case, motives are probably overdetermined.
Dave Bittner: [00:04:28:16] The Crypto Wars continue unabated in the US, with the Department of Justice occupying what seems to be an increasingly lonely position. President Obama, at least, is on the DoJ's side; he sought to frame the department's position as a sensible, public-spirited one during his remarks at South by Southwest. But the President seems to have found few takers. Most of the industry people who listened weren't convinced.
Dave Bittner: [00:04:51:08] The Defense Department, of course, as it's continued to woo Silicon Valley for help with its cyber missions, has offered essentially no support to the FBI position the Justice Department is advocating. Most of the former senior intelligence community officials who've weighed in are on Team Apple. Richard Clarke, who served three presidents as national coordinator for security and counter-terrorism, told NPR yesterday that "the Justice Department and the FBI are on their own here," more interested in setting a precedent than in simply cracking open one iPhone. He also thought there were other national means of getting at the data on the phone, if it really is that important. We spoke with Jonathan Katz of the University of Maryland Cyber Security Center and asked him about the case. We'll hear from him after the break.
Dave Bittner: [00:05:33:04] As we've been following researchers working in cyber threat intelligence, we've had occasion to note the importance they attach to framing the questions they're tasked to answer. Some of them have fun with the notion that you could actually derive useful intelligence without posing intelligent questions. Here's a fun fact we learnt at RSA, for example: Palo Alto Networks calls its intelligence team "Unit 42"; that's an homage to the Hitchhiker's Guide to the Galaxy, where the Deep Thought computer delivers 42 as the answer to the ultimate question of life, the universe, and everything. Of course, the people who programmed Deep Thought never actually knew what that question was. Don't be like that.
Dave Bittner: [00:06:15:10] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at digitalharbor.org.
Dave Bittner: [00:06:35:07] I'm joined once again by Jonathan Katz, professor of computer science at the University of Maryland and Director of the Maryland Cyber Security Center, one of our academic and research partners. Jonathan, NPR's Morning Edition interviewed former national security official Richard Clarke about the Apple/FBI dispute, and NPR's David Greene asked Clarke whether, if he were still inside the government as a counter-terrorism official, he would be more sympathetic to the FBI in doing everything it can to crack the case. Clarke responded, "If I were in the job right now, I would have simply told the FBI to call Fort Meade, the headquarters of the National Security Agency, and NSA would have solved this problem for them." My question to you, with your expertise in cryptography: how grounded in reality is that statement?
Jonathan Katz: [00:07:16:17] There are some cryptographic problems that even the NSA can't solve. I remember I spoke with you a few weeks back about certain physical limits to the amount of computation that we can possibly do. And in particular, it would be infeasible for anybody to do a brute force search over a 256-bit key space, because that would require doing a search over 2^256 different possible keys.
Dave Bittner: [00:07:37:01] So it's not a matter of simply lining up enough hardware to be able to throw at the problem?
Jonathan Katz: [00:07:42:21] Yes, that's right, so there would be no way for the NSA to do a brute force search for the key. What we have to remember here is that there may be other ways to break the system. For example, in the case of the iPhone that we're talking about, remember that it all comes down to being able to determine the four-digit PIN that's used to protect the 256-bit key. And in turn, that PIN is protected by a hardware mechanism that locks down the phone after ten incorrect guesses. So, if the NSA could somehow get access to the hardware itself and break the assumption, or break the hardware, that's preventing them from making an unlimited number of guesses for the PIN, then, in fact, the NSA might be able to get the PIN some other way and then obtain access to that 256-bit key, not by doing a brute force search.
Dave Bittner: [00:08:24:13] I see, so it's not so much the NSA's cryptographic capabilities; it's just that they may have systems for simply dealing with the hardware in the phone?
Jonathan Katz: [00:08:33:16] Exactly. In general, for any system you're talking about, the best way to attack it is, of course, by looking for the weakest link, and in this particular example, the weakest link would not be doing a brute force search for the key, but it would be attacking the recovery mechanism, attacking the hardware that's preventing them from doing the unlimited number of guesses.
Dave Bittner: [00:08:50:21] Jonathan Katz, thanks again for joining us.
Dave Bittner: [00:08:55:19] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. The CyberWire is produced by CyberPoint International, the editor is John Petrik, I'm Dave Bittner. Thanks for listening. Don't forget your towel.