Lazarus Group in India. Suspected Chinese APT uses fake Narrator. Fleeceware. DNI testimony. TalkTalk hacker charged in US. Yahoo breach compensation. Chameleon spam campaign.

Dave Bittner: [00:00:03] North Korea's Lazarus group is active against targets in India. A suspected Chinese advanced persistent threat group is exploiting a Windows accessibility feature. Sophos warns of fleeceware. U.S. DNI testifies before the House Intelligence Committee. The TalkTalk hacker and an alleged accomplice are indicted on U.S. charges. And notes on the Chameleon spam campaign. 

Dave Bittner: [00:00:32]  And now a word from our sponsor LookingGlass Cyber. Organizations have been playing a dangerous game of cyber-Jenga, stacking disparate security tools, point solutions and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's microsegmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Learn more at lookingglasscyber.com/contactus. That's lookingglasscyber.com/contactus. And we thank LookingGlass Cyber for sponsoring our show. Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white-hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster, while methodology-driven assessments ensure compliance needs are met at bugcrowd.com. 

Dave Bittner: [00:02:08]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Thursday, September 26, 2019. Pyongyang's operators have turned up again in South Asian networks. Researchers at the Kaspersky security firm say they found renewed campaigns by Dtrack and the related ATMDtrack in India. Both have been associated with North Korea's Lazarus group. The objectives are familiar - a combination of espionage and direct theft. Kaspersky says the operations are using variants of code that go back at least to the Dark Seoul campaign of 2013. The Lazarus group, recently the subject of increasingly stringent U.S. sanctions, has been widely accused of engaging in cybercrime to shore up North Korea's struggling finances. 

Dave Bittner: [00:02:59]  BlackBerry Cylance has released its study of a suspected Chinese advanced persistent threat group that's using the open-source PcShare backdoor, modified for side loading by a legitimate NVIDIA application. Once established, the attackers run a version of the narrator ease-of-access application Fake Narrator to achieve system-level access. The APT is interested in exfiltrating sensitive data, conducting reconnaissance and moving laterally across networks. The researchers see some possible connection with the Tropic Trooper threat actor, a group that's been mostly active against targets in Taiwan and the Philippines. But they carefully avoid firm attribution. The MITRE ATT&CK list describes Tropic Trooper as an unaffiliated threat group. It's known to have been active since 2015. 

Dave Bittner: [00:03:49]  Sophos calls it fleeceware - they're referring to Android apps that provide functionality freely available elsewhere and that then hit users with big fees after expiration of a trial period should the users miss some hoops in their cancellation of the app. Why aren't these simply another instance of potentially unwanted programs? Sophos says they occupy a kind of gray area. The apps aren't malicious, and they offer some genuine functionality. But it's functionality that's available either cheaply or freely elsewhere. It's customary in the Play Store ecosystem to make apps available to users free for a defined trial period. Normally, if the users don't cancel the app at the end of the trial, they'll be charged the few dollars the app costs. The apps Sophos is talking about don't charge just a couple of bucks. They take hundreds from the user. So use free trials with caution. 

Dave Bittner: [00:04:43]  When I was a kid growing up near Fort Meade, the parents of some of my schoolmates had jobs they couldn't talk about. If you asked them what they did for a living, they would say, I work for the government with a tone that let you know the conversation was ending right there. Of course, for decades, the running joke was that NSA stood for No Such Agency. Well, times have changed. NSA has an Instagram page. And they and the Department of Justice are actively competing for the best cybersecurity talent out there. It's been a remarkable shift to see. Greg Martin is CEO of cybersecurity company JASK. And he shares these insights on the change. 

Greg Martin: [00:05:23]  If you go back to the early '90s, a lot of the DOJ early work with hackers was around arresting them and then working with those arrested individuals who are caught either hacking or involved in some type of cybercrime or a cybersecurity scheme - and turn them in to, you know, either informants or pseudo FBI agents to essentially work on their behalf. 

Dave Bittner: [00:05:52]  Did we reach a point where there was collaboration? Or was there a healthy tension between them? Was there mutual respect? How would you describe it? 

Greg Martin: [00:06:00]  Yeah, well, it was very much like, you know, the "Catch Me If You Can" story, if you recall. But, you know, I think what happened is that cybercrime grew to be such a huge issue that I think that tactic of trying to convert would-be hackers into good guys just faded over time with the surge in cybercrime, the amount of attacks and the fact that many of them were emanating from outside the country. They really had to start, you know, working on new programs. Today, the Department of Defense and the DOJ have taken huge strides to try to change their interaction with the hacker community. 

Greg Martin: [00:06:40]  One of the big things that you can point to is last year, the DOD released this Hack the Pentagon, which is a crowdsourced bug bounty where they were inviting hackers from anywhere in the world to find vulnerabilities in government and DOD systems. Now, this is a huge departure from how we did things in the past, where if you hacked into a government website, well, you could expect that the FBI would be knocking on your door. And it would not be a very good outcome for that individual, whether they had good intentions or not. Well, this has totally changed in the past year. 

Dave Bittner: [00:07:14]  Does the DOJ find itself at a disadvantage compared to private industry when it comes to being able to provide, for example, salaries in a competitive market? 

Greg Martin: [00:07:26]  Yeah. I mean, that's been a huge issue. So the DOJ has a very capable cyber program, but I think talent is the big issue that they struggle with. So part of it is, the culture and the mission is what they've used and focused on to attract people. You know, do you want to go out and, you know, catch bad guys? Do you want to keep people safe? Do you want to keep our government safe? 

Greg Martin: [00:07:52]  You know, this is something that has attracted a lot of people out of college who have, you know, cybersecurity skills. Unfortunately, when those individuals are looking for - at an offer from a Facebook or Google for sometimes the double the amount of money that they would get at a upper-level salary in the U.S. government, it makes it a very hard task for the government to be able to compete. And that's going to remain a challenge. 

Dave Bittner: [00:08:16]  What about from a marketing and PR point of view of the public perception that working in a government situation is going to be something desirable, that they have unique things to offer that you might not find out in industry? 

Greg Martin: [00:08:31]  Yeah, absolutely. You know, I've been through some of that myself in my career and background. And I have lots of friends that have started cybersecurity companies. And they came from NSA and groups like the TAO program where they're out, you know, doing offensive hacking for the government. I think it's an incredible experience. And it's a way that you can serve your country without holding a gun in your hand. And I think it's going to remain very attractive for people to come. And I think it's a cool way for folks to start their career if they have an interest in cybersecurity and they're coming out of college. I think working for DOD, working for DOJ or NSA on cybercrime, I think it's a huge opportunity. 

Dave Bittner: [00:09:13]  Yeah, it really is an interesting shift, isn't it? I mean, both culturally, but also, I suppose there are lots of practical things that they have to deal with as well. You know, like you mentioned, some of the things that previously would have been prohibitions, might have kept you from getting a clearance, perhaps they have to ease up on some of those requirements. 

Greg Martin: [00:09:33]  Yeah, absolutely. One of them is marijuana use, I think. If you're going to hire the top hackers in the world, you have to lower your bar a little bit in some of those areas. But I think all in all, the government is improving in their way that they interact with the hacker community. I think they're trying very hard. And look. This is out of necessity. We are really fighting a losing battle every day. And I think that if we don't take some radical steps to try to change and really recruit the top talent to get ahead, you know, it's really a national security issue at this point. 

Dave Bittner: [00:10:08]  That's Greg Martin. He's CEO of cybersecurity company JASK. 

Dave Bittner: [00:10:14]  Acting U.S. Director of National Intelligence Maguire testified this morning before the House Intelligence Committee concerning a whistleblower's complaint concerning U.S.-Ukrainian presidential interactions. The complaint centers on a phone conversation between U.S. President Trump and Ukrainian President Zelenskiy, its contents and subsequent classification. Much of the discussion centered on whether the complaint of the whistleblower, whose identity is being properly protected, was disclosed to Congress as expeditiously as the law requires. The transcript of the conversation has been duly released. Acting DNI Maguire has said in response to questions from Representative Hurd - Republican of Texas - that great power competition has largely moved to cyberspace. We'll see how the matter develops and what implications it might have for cybersecurity in particular. 

Dave Bittner: [00:11:06]  We send out a bravo to Emsisoft and Kaspersky, who have released descriptors for WannaCry Fake, Yatron and FortuneCrypt Ransomware. Emsisoft took care of WannaCry Fake. Kaspersky's decryptors work against Yatron and FortuneCrypt. 

Dave Bittner: [00:11:23]  A British teenager who was convicted of the TalkTalk hack and received a sentence of 20 months is expected to face U.S. charges as well. Elliott Gunton, who's still only 19, was indicted on U.S. federal charges related to fraud and aggravated identity theft. The indictment also charges Anthony Nashatka, a U.S. citizen. The two are alleged to have defrauded customers of the EtherDelta cryptocurrency exchange by redirecting customers to a bogus version of EtherDelta's site, where their account credentials and private keys were stolen. 

Dave Bittner: [00:11:56]  Finally, security firm Trustwave's SpiderLabs is tracking a spam campaign, Chameleon, that's shown the changeable appearance of its namesake. The messages it sends use randomized headers. Templates are also frequently changed. And the links, if you follow them - which, of course, you shouldn't - move through frequent redirections. SpiderLabs says that the messages look like phishing, but in fact, they generally don't seem to be that at all. The subject lines will be familiar. Remember me? I'm your ex-colleague. Or, hi, do you need a job? Well, hey, who doesn't? Or the ever-popular variations on critical security alert. 

Dave Bittner: [00:12:35]  This is why the apparent failure to deliver a typical hook inside the phish bait is curious. The ultimate direction of all the redirections has generally been equally familiar, either bogus Canadian pharmacy pages - because, of course, it's a known fact on the internet that you can get Viagra without a prescription in Saskatoon or so I'm told. Or - wait for it - sites that will show you how to get rich with bitcoin. Trustwave says on their blog that they'll be keeping an eye on Chameleon. In the meantime, don't take the phish bait. 

Dave Bittner: [00:13:13]  And now a word from our sponsor ExtraHop, delivering cloud-native network detection and response with a hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. That's one reason enterprises value the SOC Visibility Triad, Gartner's framework that helps teams like yours scale security and business operations safely and cost-effectively. When you combine network detection and response with endpoint protection and SIM, you have the visibility, threat detection and automated response capabilities you need to secure and support cloud growth. Learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:14:12]  And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, welcome back. I wanted to talk today about hashing emails and this whole notion that hashes can be reversed and kind of the - where does hashing leave us when it comes to actually providing any sorts of - any sort of privacy or anonymity? Can you give us a little lesson here? 

Jonathan Katz: [00:14:39]  Hash functions actually are ubiquitous now. They're used in all kinds of applications. I think what you're referring to is hashing email addresses as a way to provide some kind of a pseudonymity or anonymity for individual users. And the interesting thing about these hash functions is that a well-designed cryptographic hash function is actually supposed to be noninvertible, meaning that if I hash some value and then present you the output, you should not be able to figure out from the output what the input was. 

Jonathan Katz: [00:15:09]  Now, the problem with that is that it's true that these hash functions are uninvertible, but anybody can compute them. They're not keyed. They're not like encryption schemes. And so anybody - they're public algorithms. Anybody can go ahead and evaluate them. And so the problem is that they - even though the hash function itself is uninvertible, an attacker who's presented with a hash output but knows that the input was chosen from a small set of possibilities can enumerate over all the possibilities, compute all the hashes and then find out which one corresponds to the output it was given. 

Dave Bittner: [00:15:39]  So if someone knows what my email address is, they could somehow align that with a hash of it and then use that to track me around the internet, for example? 

Jonathan Katz: [00:15:49]  Well, exactly. So, I mean, to take the simple example like you were mentioning, if I hash your email address and give it to somebody, just by looking at that value, you know, they have no way to tell that it corresponds to your address. But if they wanted to verify whether it did indeed correspond to your address, all they would have to do is compute the hash of your email address themselves and then check whether the output matches. These hash functions are deterministic. They always give the same output when run on the same input. And so that would allow them to verify that this value did indeed correspond to a hash of your email address. 

Jonathan Katz: [00:16:19]  Now, in a more general scenario, one way to see this, for example, is to consider what would happen if somebody presented you with a hash of somebody's Social Security number. So a priori, you don't know their - that person's Social Security number, you'd have no way to verify whether the output you got, you know, really corresponded to their Social Security number or not. But on the other hand, Social Security numbers are only nine digits long. And so somebody could enumerate over all possible nine-digit Social Security numbers, hash each one of those and then see which of those hashed results corresponded to the value they were given. 

Jonathan Katz: [00:16:52]  In that way, they could essentially end up reversing the hash value they were given and deanonymizing that particular individual. And the same thing would apply to email addresses, as well. I saw an estimate recently that the number of valid email addresses is on the order of about 5 billion. And so hashing all 5 billion of those possible addresses and seeing what those hash values corresponded to would allow you then to deanonymize a hash value that you were presented with. 

Dave Bittner: [00:17:18]  Now, is this a matter where, once you've reversed one hash, does it get quicker or easier to - as you go, does each one you sort of decode, does it make it a little easier to do the next one, or is there a randomness built in? 

Jonathan Katz: [00:17:30]  No. Actually, the - it's not the case. So these hash values are all essentially independent. And so figuring out the value that corresponds to one's person - person's hash doesn't necessarily help you with the other one. But if you think about it, though, if I give you - if you're given two different hash values, and in the process - let see if we go back to the Social Security number example - if in the process of hashing all those nine-digit Social Security numbers, you're going to end up finding both of those values. So in essence, the work that you're doing in hashing all those SSNs is going to allow you then to actually end up converting all those hash values. So from that point of view, you can amortize the work and basically figure out everything in one go. 

Dave Bittner: [00:18:10]  Right. Right. I guess the total set of possible numbers decreases each time you get one. 

Jonathan Katz: [00:18:16]  Well, it's basically - you're doing everything. And so once you do everything, you can break anything. 

Dave Bittner: [00:18:20]  So given that this is the case, what are people doing to mitigate this possibility? 

Jonathan Katz: [00:18:25]  Well, you have a similar situation that comes up with hashed passwords. So, very often, servers will store hashed passwords of the users on their site. And you run into the same sort of problem because if a server restores the hash of somebody's password and an attacker might guess, let's say, that that password is an eight-character password, they can enumerate over all possible eight-character passwords and then figure out what your password was after being given your hash. 

Jonathan Katz: [00:18:49]  And so one thing that you can do to kind of make it harder for the attacker is to make sure that the work they invest in figuring out one user's password is not going to be of any benefit to them in figuring out another user's password. And the technique that's done to ensure that is called salting. So what you do is you basically pick a random salt per user, a random value for every user. And you compute the hash of the user's password along with the salt value that you've chosen. 

Jonathan Katz: [00:19:17]  And this means that the attacker can still do the same kind of a brute-force attack like before, but now it's going to have to be hashing all possible passwords along with one particular user's salt. And that's not going to help it figure out the password that results in the hash involving another person's salt. And so this makes it just harder for the attacker. It doesn't make it any harder to crack one user's password, but it means that now they have to spend the same amount of work to crack each user's password at the server. 

Dave Bittner: [00:19:46]  Well, as always, thanks for explaining it to us. Jonathan Katz, thanks for joining us. 

Jonathan Katz: [00:19:50]  Great. Thank you. 

Dave Bittner: [00:19:55]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat-management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:08]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.