The CyberWire Daily Podcast 6.11.18
Ep 617 | 6.11.18

SWIFT fraud (behind a wiper). Coinrail ICO robbery. Chinese espionage. G7 agrees to a coordinated response to hostile cyber operations. Malwaretech faces new charges.

Transcript

Dave Bittner: [00:00:00] A quick reminder that there are several ways you can help support the CyberWire podcast. You can visit our Patreon page at patreon.com/thecyberwire and find out how you can make a monthly contribution to our show. You can also visit iTunes and leave a review and a rating for the CyberWire podcast. That's one of the best ways you can help new people find our show. Thanks so much.

Dave Bittner: [00:00:23] More SWIFT fraud, with a wiper attack as misdirection. A cryptocurrency exchange has been looted of ICO tokens. Chinese espionage in Rhode Island, and a conviction in Virginia. Dropping Elephant spearphishes in think tanks. The G7 agreement suggests a coordinated response to hostile cyber operations. Net neutrality expired this morning in the U.S. And Marcus Hutchins faces additional charges.

Dave Bittner: [00:00:55] It's time for a message from our sponsor Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email. And every day, you'll receive the top results for trending technical indicators that are crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:02] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 11, 2018. There's been a fresh attempt and a successful one at SWIFT fraud. SWIFT, the international interbank financial transfer system, was used against Banco de Chile to steal about $10 million. The bank said the losses occurred during a May attack when hackers successfully took the money via electronic transfer. The criminals used wiper malware to corrupt the master boot records of some 9,000 systems. This aspect of the attack was apparently misdirection, intended to distract IT staff while the hackers accomplished their main objective - SWIFT transfer fraud.

Dave Bittner: [00:02:50] Coinrail, a cryptocurrency exchange based in South Korea, disclosed yesterday that it had been the victim of a cyberattack in which ICO tokens for Pundi X, NPER and Aston were taken. There's also the possibility that tokens for Dent and Tron were stolen as well. The exchange estimates that between $30 million and $40 million were taken. It's working to freeze the stolen accounts. The incident spooked investors. Cryptocurrency valuations took a significant hit as speculators dumped their holdings. Bitcoin wasn't directly involved in the Coinrail affair. But observers think this and other crimes have contributed to the leading cryptocurrency's decline from its $19,000 peak to its current valuation, which is just shy of $6,800.

Dave Bittner: [00:03:40] Several different accounts of cyber-espionage are in the news as the week begins. The U.S. Navy continues to be relatively close-lipped about Chinese exfiltration of sensitive information from a contractor's systems. The contractor, so far unnamed, works for the Naval Undersea Warfare Center in Rhode Island. The company is said to have reported, as required, a cyber incident. And The Washington Post reported late Friday that the incident was, indeed, a Chinese intelligence operation. The information lost is said to concern sensors, submarine cryptographic systems and weapons. The Navy declines to comment, noting the sensitivity of such investigations. But we'll be following this story as it develops.

Dave Bittner: [00:04:24] In another espionage case related to Chinese intelligence services, a jury in Virginia this past Friday convicted former CIA officer Kevin Mallory of conspiracy to deliver information, attempted delivery, delivery of defense information to aid a foreign government and making materially false statements. His sentencing hearing is set for September 21. The charges of which Mallory was convicted carry a maximum sentence of life. Mallory, facing financial troubles as he attempted to run his own consulting practice after leaving government service, was contacted by a headhunter on LinkedIn. That headhunter was, indeed, a talent scout but a talent scout for Chinese intelligence.

Dave Bittner: [00:05:08] Mallory's attorney represented his client as someone who reported his concerns about the Chinese to the CIA but who was, in fact, trying to run an operation as a kind of triple agent against Beijing. The jury didn't buy this. U.S. authorities became suspicious of Mallory when he was observed bringing some $16,000 in cash when he returned to the U.S. from a trip to Shanghai in April 2017. He'd been prospected by his Chinese handler over LinkedIn in February of that year. This is another cautionary tale in the uncritical use of social media. U.S. Assistant Attorney General John Demers commented on the case. After pointing out that, quote, "it is a sad day when an American citizen is convicted of spying on behalf of a foreign power," Demers added a pointed warning to China. Quote, "this act of espionage was no isolated incident. The People's Republic of China has made a sophisticated and concerted effort to steal our nation's secrets. Today's conviction demonstrates that we remain vigilant against this threat and hold accountable all those who put the United States at risk through espionage," end quote. Mallory's case will be followed by at least one other. Another former intelligence officer, Ron Rockwell Hansen, was charged last week with attempted espionage, for which the Chinese services paid him up to $800,000.

Dave Bittner: [00:06:33] Other nations, of course, remain active in cyber-espionage. There's widespread suspicion that North Korea will be up to something as the Kim-Trump summit opens this week. And security firm Volexity has published an updated look at the threat actor Patchwork, which is also tracked as Dropping Elephant. Since it's an elephant, it's a good bet that it's associated with India. And that is, indeed, how Volexity describes it. Patchwork is displaying renewed interest in U.S. think tanks, repurposing think tank articles and studies as phish bait. Much of the subject matter it uses in its phishing - spearphishing, actually, since it's closely targeted - has to do with comment and study of Chinese activities, particularly in disputed territorial waters.

Dave Bittner: [00:07:20] The G7 - maybe all seven, but at least six of them - agreed at their meetings last week to take coordinated action in response to cyberattacks by hostile states. An official statement by the British government summed the agreement up. One - sharing of threat intelligence, including hostile activity, techniques and practices; two - improving understanding of partner countries' policies and thresholds for taking action; three - support for independent international institutions; four - work with industry to strengthen physical and digital infrastructure; five - coordinated attribution of hostile activity; and six - joint work to assert a common narrative and response. Note that last point - common narrative. If that doesn't say information operations then we don't know Arkansas.

Dave Bittner: [00:08:11] In the U.S., the long-expected expiration of Federal Communications Commission net neutrality rules happened this morning. There's ongoing litigation concerning the new rules, which give broadband providers wider latitude to control and manage the web traffic they carry. There are also various laws under consideration in Congress and some U.S. states to develop some alternative forms of public oversight of internet service providers.

Dave Bittner: [00:08:37] And finally, Marcus Hutchins, the researcher whose white hat nom de hack was MalwareTech, gained fame and widespread admiration for his discovery of the kill switch in WannaCry. Shortly thereafter, he gained notoriety when he was charged by U.S. authorities with crimes related to the creation of the Kronos banking trojan. He's in more hot water now again with the U.S., where he's been charged with developing and distributing the UPAS Kit, described as a modular HTTP bot that installs itself on victims' machines without tripping AV alerts. Mr. Hutchins says he didn't do it.

Dave Bittner: [00:09:20] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data-loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

Dave Bittner: [00:10:22] And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, welcome back. I wanted to talk today about hashing emails and this whole notion that hashes can be reversed and kind of the - where does hashing leave us when it comes to actually providing any sorts of - any sort of privacy or anonymity? Can you give us a little lesson here?

Jonathan Katz: [00:10:49] Hash functions, actually, are ubiquitous now. They're used in all kinds of applications. I think what you're referring to is hashing email addresses as a way to provide some kind of pseudonymity or anonymity for individual users. And the interesting thing about these hash functions is that a well-designed cryptographic hash function is actually supposed to be non-invertible, meaning that if I hash some value and then present you the output, you should not be able to figure out from the output what the input was. Now, the problem with that is that it's true that these hash functions are uninvertible. But anybody can compute them. They're not keyed. They're not like encryption schemes. And so anybody - they're public algorithms. Anybody can go ahead and evaluate them. And so the problem is that they - even though the hash function itself is uninvertible, an attacker who's presented with a hash output but knows that the input was chosen from a small set of possibilities can enumerate over all the possibilities, compute all the hashes and then find out which one corresponds to the output it was given.

Dave Bittner: [00:11:48] So if someone knows what my email address is, they could somehow align that with a hash of it and then use that to track me around the internet, for example?

Jonathan Katz: [00:11:59] Well, exactly. So I mean, to take the simple example like you were mentioning, if I hash your email address and give it to somebody - just by looking at that value, you know, they have no way to tell that it corresponds to your address. But if they wanted to verify whether it did indeed correspond to your address, all they would have to do is compute the hash of your email address themselves and then check whether the output matches. These hash functions are deterministic. They always give the same output when run on the same input. And so that would allow them to verify that this value did indeed correspond to a hash of your email address. Now, in a more general scenario, one way to see this, for example, is to consider what would happen if somebody presented you with a hash of somebody's Social Security number. So a priori, you don't know their - that person's Social Security number. You'd have no way to verify whether the output you got, you know, really corresponded to their Social Security number or not.

Jonathan Katz: [00:12:47] But on the other hand, Social Security numbers are only nine digits long. And so somebody could enumerate over all possible nine-digit Social Security numbers, hash each one of those and then see which of those hash results corresponded to the value they were given. And that way, they could essentially end up reversing the hash value they were given and de-anonymizing that particular individual. And the same thing would apply to email addresses as well. I saw an estimate recently that the number of valid email addresses is on the order of about 5 billion. And so hashing all 5 billion of those possible addresses and seeing what those hashed values corresponded to would allow you then to de-anonymize a hash value that you were presented with.

Dave Bittner: [00:13:27] Now, is this a matter where once you've reversed one hash, does it get quicker or easier to - as you go, does each one you sort of decode, does it make it a little easier to do the next one? Or is there a randomness built in?

Jonathan Katz: [00:13:39] No, actually, the - it's not the case. These hash values are all essentially independent. And so figuring out the value that corresponds to one person's hash doesn't necessarily help you with the other one. But if you think about it, though, if I give you - if you're given two different hash values and in the process - let's see if we go back to the Social Security number example. If in the process of hashing all those nine-digit Social Security numbers, you're going to end up finding both of those values. So in essence, the work that you're doing in hashing all those SSNs is going to allow you then to actually end up inverting all those hash values. And from that point of view, you can amortize the work and basically figure out everything in one go.

Dave Bittner: [00:14:20] Right, right. I guess the total set of possible numbers decreases each time you get one.

Jonathan Katz: [00:14:25] Well, it's basically - you're doing everything. And so once you do everything, you can break anything.

Dave Bittner: [00:14:30] So given that this is the case, what are people doing to mitigate this possibility?

Jonathan Katz: [00:14:35] Well, you have a similar situation that comes up with hashed passwords. So very often, servers will store hashed passwords of the users on their site. And you run into the same sort of problem because if a server stores the hash of somebody's password and an attacker might guess, let's say, that that password is an eight-character password, they can enumerate over all possible eight-character passwords and then figure out what your password was after being given your hash. And so one thing that you can do to kind of make it harder for the attacker is to make sure that the work they invest in figuring out one user's password is not going to be of any benefit to them in figuring out another user's password.

Jonathan Katz: [00:15:11] And the technique that's used to ensure that is called salting. So what you do is you basically pick a random salt per user, a random value for every user. And you compute the hash of the user's password along with the salt value that you've chosen. And this means that the attacker can still do the same kind of a brute-force attack like before, but now it's going to have to be hashing all possible passwords along with one particular user's salt. And that's not going to help it figure out the password that results in the hash involving another person's salt. And so this makes it just harder for the attacker. It doesn't make it any harder to crack one user's password. But it means that now they have to spend the same amount of work to crack each user's password at the server.

Dave Bittner: [00:15:55] Well, as always, thanks for explaining it to us. Jonathan Katz, thanks for joining us.

Jonathan Katz: [00:15:59] Great. Thank you, thank you.

Dave Bittner: [00:16:05] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:16:33] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

Dave Bittner: [00:16:46] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.