The CyberWire Daily Podcast 1.6.16
Dave Bittner: [00:00:03:17] In today's podcast, as intelligence services increasingly link Russia to the cyber attack on Ukraine's power grid, we discuss speculation about possible motives.
Dave Bittner: [00:00:12:17] Iran, Saudi Arabia and ISIS ramp up their mutually antagonistic postures in cyberspace.
Dave Bittner: [00:00:29:17] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.
Dave Bittner: [00:00:51:14] I am Dave Bittner in Baltimore with your CyberWire summary for Wednesday January 6th 2016.
Dave Bittner: [00:00:57:17] To most observers and those include, according to reports, US intelligence services, Russia looks like the most likely suspect in December's cyber attack on the Ukrainian power grid. That the rolling blackouts were caused by a cyber attack is increasingly clear, but how the attack actually worked however remains a matter for investigation.
Dave Bittner: [00:01:16:00] As ESET's reports suggest, signs point to BlackEnergy malware as the toolkit used in the operation. BlackEnergy was found in affected networks. But some industry observers think it's too early to close the case, especially since much BlackEnergy functionality is not clearly related to a capability to manipulate industrial control systems.
Dave Bittner: [00:01:35:08] Other utilities around the world reassure stakeholders they've taken precautions against similar attacks. The motive for a Russian hack also remains unclear. Even given ongoing fighting in Eastern Ukraine, the rolling blackouts don't have an obvious operational purpose. Some speculate the episode amounts to dissuasion or saber-rattling, or capability testing. In its own bit of dissuasion, by the way, the US treasury department has finalized and announced its system of sanctions for hacking.
Dave Bittner: [00:02:03:05] Saudi Arabia and Iran seem poised to escalate their ongoing tension into conflict in cyberspace although neither state has, as far as it's known, used its full cyber attack capabilities. ISIS, implacably hostile to both Iran and Saudi Arabia, has renewed its denunciations of the Saudi regime as tyranny and Saudi soldiers as apostates.
Dave Bittner: [00:02:22:15] Shiites, Christians and Jews come in for their usual share of odium in Daesh social media. Western services are still working out their information operational response. ISIS hasn't shown much ability to hack, but there are no questions about its ability to inspire.
Dave Bittner: [00:02:38:15] GeNius-JorDan, known for attacks on Kuwaiti and Nepalese sites, defaces Ugandan foreign ministry sites with protests of US and Israeli actions in the Middle East.
Dave Bittner: [00:02:49:23] In Southeast Asia, Anonymous takes down Thai police sites to protest death sentences handed down in the case of two murdered tourists. The hacktivist collective sees the suspects as having been railroaded for the sake of Thailand's tourist industry.
Dave Bittner: [00:03:29:04] Herr Wosar also thinks Ransom32 is disturbing in its crimeware-as-a-service distribution. "You can configure your very own ransomware and buy it from the website," he told the CyberWire. "While this isn't entirely new for malware in general, in the ransomware segment specifically it is innovative." Emsisoft also points out that whoever put Ransom32 together did their crypto homework and got it right. That doesn't always happen with crimeware, whose work is as susceptible to bugs as is legitimate software. We see an example of such bugginess with the competing ransomware Linux.Encoder, now on its third release and still, according to Bitdefender, crackable. We'll keep an eye on Ransom32, and you should too.
Dave Bittner: [00:04:11:02] In other news Rapid7 finds issues with Xfinity's home security system, and Android patches five security flaws. Do look to the security of your Android devices.
Dave Bittner: [00:04:23:19] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at digitalharbor.org.
Dave Bittner: [00:04:43:16] I'm joined by John Petrik, editor of the CyberWire. John, once again the situation with the Ukrainian power grid is in today's edition of the CyberWire. Why attack the Ukrainian power grid? Why is this a target for Russia?
John Petrik: [00:04:55:21] Power grids can be attacked for all sorts of reasons; there are military objectives. A power grid, for example, could be the thing that you're using to run your air defense systems, things like that. That doesn't seem to be the case here at all. There doesn't seem to be any direct military payoff. So, speculate about Russian motives, and most people think that it was Russian security services, were responsible. The Ukrainians say that. And there are reports today that US intelligence services are reaching the same conclusion quietly.
John Petrik: [00:05:25:04] So why would they do it? And the best speculation seems to be that it is a form of deterrence, a kind of dissuasion, letting an opponent know that you can hold important things at risk. Why now? Well, at the beginning of January Ukraine has been scheduled to start some closer moves towards integration with the European Union. So there's that, and that certainly is a development that would be unwelcome to the Russians.
Dave Bittner: [00:05:52:24] In other news again again, today, we talked about the new Ransom32 exploit. Why is this one particularly noteworthy?
John Petrik: [00:06:00:15] Emsisoft is the outfit that found and described the ransomware. It's interesting because ransom ware hasn't so far been offered under a crimeware-as-a-service model on the black market.
John Petrik: [00:06:15:18] There's plenty of ransomware that's been out there, but it hasn't been distributed in this particular way, and Ransom32 is. It looks like a turnkey solution and it's something that you can use with relatively little skill, so that's interesting. It's also dangerous. All ransomware is dangerous, of course, and most people will know that what ransomware does is encrypts a user's files and then asks him for money or her for money, so that they can receive the encryption key and get the use of their files back. So they're always dangerous, but this is particularly dangerous because the people who wrote the crimeware seemed to have, as Emsisoft says, they've done their homework. When it comes to encryption, they've done it right, they say. And that may sound simple but, as Emsisoft points out, there are a lot of pieces of ransomware that have been buggy, and this one seems to not to be buggy.
John Petrik: [00:07:08:19] There is some buggy ransomware in the news today. There is a competitor called Linux.Encoder, and it hit its third release, and Bitdefender is already saying, "We can decrypt it. We can break it." So the criminals who write software have just as many problems as the legitimate people who write software. It's good to remember that.
Dave Bittner: [00:07:26:05] So, are we heading towards a point where anyone can spend a few dollars and Bitcoins and run their own ransomware program and profit?
John Petrik: [00:07:36:15] I know that anyone could do it. You certainly don't need a lot of technical skill to use these solutions, which is why they're successful on the black market. So you can get these things and use them without being a genius hacker yourself, and that's why they're disturbing. There's a kind of proliferation going on with them.
Dave Bittner: [00:07:52:06] If people want to learn more about the Ransom32 exploit, where can they go?
John Petrik: [00:07:56:00] I would go right to the people who discovered and described it. I think you can find out a lot of good information at emsisoft.com.
Dave Bittner: [00:08:02:21] Alright John Petrik, once again thanks for joining us.
Dave Bittner: [00:08:07:10] And that's the CyberWire for Wednesday January 6th, 2016. For links to all of this week's stories along with interviews, our glossary and more, visit thecyberwire.com. The CyberWire podcast is produced by CyberPoint International, and our editor is John Petrik. Thanks for listening.