The CyberWire Daily Podcast 4.20.16
Ep 82 | 4.20.16

Industry news, and some plaintiffs may wish to reconsider.

Transcript

Dave Bittner: [00:00:03:17] A review of hacktivist inspiration. The Brussels attacks were correlated with a rise in website defacements from ISIS sympathizers last month. Researchers find unpatched remote code execution flaws in the Git version shipped with Apple's Xcode command line development tools. SurfWatch spots and reports an infestation of a malware-for-rent Trojan. We look at some industry news: an IPO, some acquisitions and funding rounds, and new risk management offerings. And two old incidents return to the news, the Hacking Team and Ashley Madison breaches.

Dave Bittner: [00:00:37:24] This podcast is made possible by the Economic Alliance of Greater Baltimore, helping Maryland lead the nation in cyber security, with a large highly qualified workforce, 20,000 job openings, investment opportunities and proximity to key buyers. Learn more at greaterbaltimore.org.

Dave Bittner: [00:01:00:23] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday April 20th, 2016.

Dave Bittner: [00:01:07:07] The terrorist strike against the Brussels airport had its expected effect on cyber attacks worldwide last month. Researchers at Cytegic and other companies have noticed a spike in ISIS-inspired hacktivist cyber attacks against targets in both Western Europe and North America. The good news is that most of this activity hasn't risen above the nuisance level customarily associated with ISIS hacking, and that nuisance has mostly be suffered by the sort of poorly defended targets of opportunity cyber jihadists have usually attacked. It's worth noting in this regard that even the annual #OpIsrael, a favorite of Anonymous-associated hacktivists, this year showed declining results. Much of this is due to Israeli preparation, but it does seem consistent with the generally shared low assessment of ISIS cyber-offensive capabilities. (Information operations, of course, are quite another matter. There, ISIS has shown itself very capable.)

Dave Bittner: [00:02:01:04] Developers take note, there's a remote code execution vulnerability in the Git version Apple ships with its Xcode command line developer tools. Actually, there are two flaws and both of them were publicly disclosed last month. CSO reports that while patched elsewhere, the bug remains in the command line developer tools. Presumably a patch is in the works, but there's no official word yet on when it will arrive.

Dave Bittner: [00:02:25:02] We've been watching the ongoing maturation of the criminal cyber market. One relatively recent development is malware-as-a-service. SurfWatch says it's detected and stopped one such offering that appeared on the black market last month, a Trojan with the hybrid name, "Thanatos." Thanatos is actually a rental. The author, or at least controller, goes by the alias "AlphaLeon." Seeking to increase the size of his botnet, AlphaLeon attacked websites and online forums hosted by Invision Power Services (or IPS). IPS hosts fully functional e-commerce sites as well as traditional online forums and some of its customers are large businesses. Softpedia reports that these customers include Evernote, the NHL, the Warner Music Group, Bethesda Softworks and LiveNation. SurfWatch detected AlphaLeon's activity and notified IPS, which was then able to close off the access point the hacker had been using.

Dave Bittner: [00:03:21:23] In industry news, SecureWorks' IPO is expected to receive its formal valuation tomorrow evening. Pre-IPO reviews have been running positive, Seeking Alpha, for example, is quite bullish on the offering, despite recently turbulence in cyber stock prices and the spotty performance of other high profile IPOs. We'll know more tomorrow.

Dave Bittner: [00:03:42:06] The credit reporting company Experian is set to buy the Texas-based security firm CSID for a reported $360 million, according to the Austin Business Journal. Landesk has completed its acquisition of endpoint security shop Appsense. Venture capital firm Strategic Cyber Investments has placed its first big bet, $5 million in deception technology start-up TrapX, which has closed a $14 million Series B round.

Dave Bittner: [00:04:09:23] Both CrowdStrike and FireEye have announced new service offerings. They're now offering to perform cyber risk assessments for mergers and acquisitions.

Dave Bittner: [00:04:19:11] Two older incidents return to the news. The first of these is last year's Hacking Team breach, which resurfaced earlier this week when the self-confessed, or self-declared, hacker "Phineas Fisher" Posted a post mortem on the hack. Analysts are drawing lessons from his account. Many of these lessons are familiar ones, but they're nonetheless worth reviewing. CSO's Salted Hash blog published a useful summary along these lines.

Dave Bittner: [00:04:43:22] First, minimize and harden your attack surface. Second, monitor and assess your networks. Firewalls and IPS can yield valuable indicators and warnings of an attempt on a network. Third, keep your systems patched and up-to-date. Phineas Fisher appears to have exploited a known vulnerability within Hacking Team's network management system. Fourth, segregate your networks and protect your backups. Keep operational and managerial networks separate. Fifth, protect and control privileged accounts. And finally, use data loss prevention solutions. A great deal of information was exfiltrated undetected during the Hacking Team breach.

Dave Bittner: [00:05:24:07] The other old story that's with us again, is the Ashley Madison breach. Since few of our listeners, this being a family show, will have any particular acquaintance with Ashley Madison, suffice to say, that Ashley Madison is a kind of online bazaar for would-be adulterers. And we say "adulterers" advisedly, because the site's in hot litigation water of its apparent, alleged, practice of having used fictitious identities, in order to goose the apparent number of ladies signed on to the service. Ashley Madison was breached last year and many otherwise unembarrassed customers, because they were unnamed among the customer data lost, are feeling the fictitious identities done them wrong. So they've become plaintiffs, at least until a ruling, looked for in June, requires them to use their real names to sue. At that point, many plaintiffs are expected to back out. So whether it's June or May and September, our advice remains straighten up and fly right.

Dave Bittner: [00:06:26:14] This CyberWire podcast is brought to by SINET ITSEF, the IT security entrepreneur's forum, meeting in Mountain View, California, April 19th-20th, 2016. Bridging the gap between Silicon Valley and the Beltway, by bringing together the innovators, entrepreneurs, investors and policy-makers who are shaping the next generation of security solutions. Learn more at security-innovation.org.

Dave Bittner: [00:07:01:01] I'm joined once again by Jonathan Katz who's a Professor of Computer Science at the University of Maryland. Also director of the Maryland Cyber Security Center.

Dave Bittner: [00:07:08:06] Jonathan, I know one of your areas of research is searchable encryption. What can you tell us about that?

Jonathan Katz: [00:07:13:22] Searchable encryption is a mechanism that allows a user to offload storage of their email to a third party, like a cloud provider, and to do that in encrypted forms, so that the cloud provider can't read anything in the emails and can't actually learn any information whatsoever about the underlying emails. But the challenge is to ensure that even while doing that, the user is still able to search over their emails and pull back emails that match some keywords, for example. So searchable encryption schemes provide exactly that kind of a functionality.

Dave Bittner: [00:07:41:21] Alright, it sounds straightforward, but it's my understanding that this is not entirely without risk, correct?

Jonathan Katz: [00:07:46:22] That's right, and in a recent paper of ours, we actually looked at current searchable encryption schemes and showed that even ones that were proven secure, meaning that they leaked only a minimal amount of information, could be broken and the privacy could be violated, just by exploiting exactly the information that they leak. So in particular, what these systems guarantee is that they leak nothing, other than the fact that the same email, say, might be returned in response to multiple queries. And we show that by exploiting that and additionally sending emails to the system with known content, an attacker could actually ultimately figure out exactly what terms the user was searching for. So this really demonstrates the importance of understanding what these cryptographic security definitions actually guarantee when used in the real world.

Dave Bittner: [00:08:33:14] It reminds me, at one of my former places of employment we used encryption in our email, but it was frustrating, because you could only search on message titles and who the message was from. You couldn't actually search on the content of an individual message, which was quite limiting. So I guess searchable encryption would solve this problem for us.

Jonathan Katz: [00:08:52:15] That's exactly right. I guess what you're using there is not searchable encryption and so what you're doing is encrypting the email and then storing it on some server, but then that takes away any ability to search over the email because everything's encrypted. So searchable encryption schemes would allow you to perform the encryption, but yet still enable you to do searches over that data. So they actually are, as you can imagine, quite non trivial to design.

Dave Bittner: [00:09:16:18] Jonathan Katz, thanks for joining us.

Dave Bittner: [00:09:21:01] And that's the CyberWire. For links to all of today's stories visit thecyberwire.com. And while you're there, subscribe to our popular daily news brief. Our editor is John Petrik. I'm Dave Bittner. Thanks for listening.