Dave Bittner: [00:00:03:12] The US cyber offensive is apparently affecting ISIS recruiting and retention. ISIS supporters form a new cyber attack group. Investigators continue to explore the Bangladesh Bank hack and its connections to the SWIFT network. Extortion by ransomware, doxing, locking, DDoS, or pure gas, rises in the criminal element's favor. The FBI says it won't disclose the vulnerability exploited to unlock the San Bernardino jihadist's iPhone, because it doesn't know what the vulnerability is.
Dave Bittner: [00:00:33:08] This podcast is sponsored by SINET, the security innovation network, connecting the cyber security community, innovators, investors and customers, business and government. Learn more at security-innovation.org.
Dave Bittner: [00:00:56:06] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday April 27th, 2016.
Dave Bittner: [00:01:03:01] Those listening for reports of progress in the cyber war being waged against ISIS heard some from US Air Force Major General Peter Gersten, a deputy commander for Operation Inherent Resolve, the US effort against ISIS in Syria and Iraq. He said yesterday that the inflow of ISIS recruits has dropped over the past year from a monthly average of between one and 2000 to roughly 200 today. Desertion rates are also said to be up. The ISIS manpower shortage is regarded as a clear indicator of low morale.
Dave Bittner: [00:01:34:01] So anyone who's been wondering why the US has recently been as open as it has been to discussing cyber operations against ISIS, may now have their answer. The drop in recruiting and retention is partially accounted for by direct combat losses (and the fear such losses inspire in both current and prospective jihadists) and partly by ISIS's increasing poverty and inability to pay fighters (caused both by financial sanctions and again, direct kinetic action).
Dave Bittner: [00:02:02:06] To return to cyber crime proper, the SWIFT financial transaction network continues to mop up security issues revealed by investigations into the Bangladesh Bank hack. It's working to help its customers upgrade security while reassuring them about the fundamental reliability of the funds transfer network. The Financial Times reports that FireEye, which is investigating the incident, is hinting in FireEye's dark and knowing way, that there are signs that the threat actors behind the theft are actively targeting other banks. FireEye is probably right.
Dave Bittner: [00:02:35:08] We heard from Frederik Menes, Senior Manager of Market & Security Strategy at VASCO Data Security, who observed that there were many ways that the local SWIFT client in Bangladesh could have been compromised. He offered some advice for any SWIFT Alliance member, "Always rely on strong user authentication mechanisms," he said, "rather than user names and static passwords."
Dave Bittner: [00:02:57:14] Android malware retains its regrettable and rising popularity among the criminal element. Russian mobile users are being affected by "RuMMS", that's R-U-M-M-S, which spreads by SMS phishing. FireEye researchers warns that RuMMS is after customer banking information, credentials and of course balances.
Dave Bittner: [00:03:17:07] On the ransomware front, Kaspersky does some good work by breaking the CryptXXX ransomware and making decryption tools available to the victims, so bravo, Kaspersky.
Dave Bittner: [00:03:27:13] As we come to rely more and more on apps, particularly on our mobile devices, the security of those apps continues to be a growing concern. We spoke with Ferruh Mavituna, founder and CEO of Netsparker, about the challenges in developing secure apps.
Ferruh Mavituna: [00:03:42:12] The technology is rapidly changing. The security is almost always an afterthought. You first try to delivery stuff, later you say, okay, also we need to make this secure, so it's an afterthought. And that's a huge problem, because security should be part of the process. In additional to all these challenges, now we have these new start-up culture and even the big companies such as Facebook and Google is adopting the very same start-up culture. You need to be agile, that means you need to develop faster, you need to deploy faster and when that happens you sacrifice security most of the time.
Dave Bittner: [00:04:18:09] According to Mavituna, designing secure apps is partly process and partly culture.
Ferruh Mavituna: [00:04:23:07] Application security is insanely complex right now. The first thing you need to think about, okay, how can I design it securely, rather than let's build it and then see if it's secure. So just change that mindset. Training your developers to develop a security culture and put that security culture into the development.
Dave Bittner: [00:04:46:01] Netsparker's website is netsparker.com.
Dave Bittner: [00:04:50:11] Extortion is indeed rising in cyber criminals favor, but not all extortion takes the form of classic ransomware like CryptXXX, encrypting files and withholding keys until the marks pay up. Some extortion involves doxing, and uses it to blackmail people in ways anyone who's watched film noirs would immediately recognize. Cymmetria's been taking a look at one dox market, Ran$umBin and says, "this one truly stands out: it's a platform where any criminal can use what other criminals have stolen, like a cyber ransom Uber or AirBnB." Ran$umBin also provides a way for victims to pay up. Cymmetria's not sure yet who's behind Ran$umBin, but they think the site's language and style give off an American vibe.
Dave Bittner: [00:05:34:15] The crypto range wars between defenders of security and defenders of privacy are somewhat quieter of later, at least so far this week. But US FBI Director Comey fired a little H&I program yesterday at Georgetown. While the Bureau did succeed in getting into the San Bernardino jihadist's iPhone, Director Comey said, "I don't see us becoming a prolific hacker being the answer to our public safety problem." That approach just won't scale.
Dave Bittner: [00:06:01:08] The Bureau has also said that it won't tell Apple about the vulnerability the FBI's hired whitish hats exploited to get into the phone. And why not? Because, the Bureau says, it doesn't know. And why doesn't it know? Apparently, because it didn't think it appropriate to ask, because then it might have to disclose the vulnerability. Anyway, the Bureau says, it stands to reason that vulnerability has a short shelf-life and that Apple's probably patched it already.
Dave Bittner: [00:06:27:17] But one wonders, if they don't know how the phone was hacked, how can they be so sure it was hacked?
Dave Bittner: [00:06:36:06] In any case, one awaits an account of what it was investigators found, or didn't find, in that famous iPhone 5c.
Dave Bittner: [00:06:49:09] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at digital harbor.org.
Dave Bittner: [00:07:09:16] I'm joined by Jonathan Katz, Professor of Computer Science at the University of Maryland and Director of the Maryland Cyber Security Center, one of our academic and research partners.
Dave Bittner: [00:07:17:22] Jonathan, I wanna ask you about program obfuscation. It's not just a fun word to say, it's an important element of computer science.
Jonathan Katz: [00:07:24:09] Program obfuscation is a technique that's been around for decades. And the basic idea is that it allows you to take the source code for a program and transform it in such a way, that somebody else can still execute the program and actually get working source code that they can compile and then run, that will have the same functionality as the original program, but with a guarantee that they can't figure out anything from the source code about how the program works. They basically can't figure out anything about what the program is doing, other than what they might have already known. All they can do is run the program, feed it inputs and get back corresponding outputs, and they can't learn any of the underlying, as it were, trade secrets about how the program was developed.
Dave Bittner: [00:08:01:23] So it sounds good in theory, but it's my understanding that there's some challenges associated with it?
Jonathan Katz: [00:08:06:23] Well, there was a big breakthrough about a year ago, when cryptographers developed the first mechanism for program obfuscation that could be proved secure in some sense, under some relatively new cryptographic assumptions. And the community's been really excited by this development and in fact there's even a DARPA program now funding work in this direction. But unfortunately, this work is still very much in flux. Right now, the schemes that exist are highly inefficient and even worse than that, there's been some recent results demonstrating that the cryptographic assumptions that people are using to prove security of these cryptographic obfuscators, may not be as hard as originally thought.
Dave Bittner: [00:08:46:04] So what are some of the practical applications of obfuscation?
Jonathan Katz: [00:08:50:22] One example is, that you could obfuscate a program that contains a secret key inside of it. So for example, you could imagine embedding a secret key inside of a program that would encrypt some in-coming encrypted emails and only decrypt them if they satisfied some particular condition. And if you gave somebody that program without performing obfuscation, they would be able to look inside the source code and extract the key and then encrypt all your emails. But if you obfuscate the program first, then you could hope that the secret key would be hidden, the person would not be able to look inside the source code anymore and obtain the secret key, but nevertheless, they would still be able to use the program to decrypt emails that satisfy that condition.
Dave Bittner: [00:09:32:16] Jonathan Katz, thanks for joining us.
Dave Bittner: [00:09:34:00] And if you have a question for one of our experts, we'd love to hear it. Send your questions to firstname.lastname@example.org.
Dave Bittner: [00:09:43:21] And that's the CyberWire. For links to all of today's stories, visit thecyberwire.com and while you're there, subscribe to our popular daily news brief. Our editor is John Petrik, I'm Dave Bittner. Thanks for listening.