The CyberWire Daily Podcast 5.6.16
Ep 94 | 5.6.16

Responsible disclosure & why the cool miscreants are on Twitter.

Transcript

Dave Bittner: [00:00:03:03] Proofs-of-concept, the bad guys are loving them, and they're now on Twitter. Some considerations of what to do in the wake of that Russian boy's sale of 270 million email credentials. Ransomware continues its run, but the bad actors haven't forgotten DDoS, either. Notes on the security marketplace, with a particular look at cyber innovation in Australia. The LAPD cracks a locked iPhone 5s, and that's tougher than what the FBI had to do with the San Bernardino iPhone 5c. And it seems that there's one more guy who isn't, in fact, Satoshi Nakamoto.

Dave Bittner: [00:00:37:18] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at cylance.com.

Dave Bittner: [00:01:00:24] I'm Dave Bittner, in Baltimore, with your CyberWire summary and Week in Review, for the week ending Friday, May 6th, 2016.

Dave Bittner: [00:01:08:10] Yesterday, Recorded Future released a study of proof-of-concept exploits. While proofs-of-concept are often developed by legitimate white hat security researchers, Recorded Future has found that their production and distribution by black hats is surging. They’ve also found that Twitter seems to be replacing Pastebin as a favorite venue for sharing exploits, which suggests that the border between the digital world and its underworld continues to become more porous.

Dave Bittner: [00:01:33:20] We spoke with Recorded Future's Nicholas Espinoza about the report, and he outlined some of the motivations for creating proof-of-concept exploits. Sometimes, he says, it starts with curiosity.

Nicholas Espinoza: [00:01:45:05] In our own data we've observed people talking about proof-of-concepts being developed for ICS and SCADA systems, just to prove how vulnerable they are on some of the world's most critical systems. In addition, they might be developing these proof-of-concepts to force a vendor to develop a critical patch. This is usually a name and shame sort of example. So, Vendor XYZ might not have paid attention to a critical vulnerability, so a researcher, or a gray hat, or black hat, might develop and disclose an exploit for this particular vulnerability to essentially light a fire beneath them, and force them to develop something quickly. In addition, people are using these proof-of-concepts to showcase their own skill-set. So this might be someone showing their proficiency in a particular area, usually for bragging rights, kind of building camaraderie against a hacker who they might be aligned with. And then, of course, people also do this to actually hunt down jobs.

Nicholas Espinoza: [00:02:39:18] Then, finally, and this is a little bit rare, is when people develop proof-of-concepts, and vaguely obfuscate code, or include comments to make it non-functional. So, this is plausible deniability for developing a workable exploit. So, people will maybe throw in a disclaimer saying, don't use this, or barely fuzz some of their work, and this is usually the most concerning example that we've seen in our datasets.

Dave Bittner: [00:03:05:18] One of the things the report outlines is how social media has become a dominant mechanism for distributing proof-of-concept exploits.

Nicholas Espinoza: [00:03:12:09] We're trying to hone in on the conversations where individuals are sharing proof-of-concepts, and the trends within those conversations. An example, on a basic level is, "Hey, I've got a proof-of-concept for XYZ vulnerability. Check it out here, at my GitHub," and then they'll throw in a link. Social media is being used to amplify the discussion and visibility of those proof-of-concepts at those sites.

Dave Bittner: [00:03:35:02] Espinoza cautions that the pace of POC exploit development is only getting faster, and it's important to track multiple sources of information.

Nicholas Espinoza: [00:03:43:19] I think the key takeaway is, there is an entire discussion on the open, deep and dark web, that a lot of organizations aren't paying attention to, point blank. These conversations develop at the speed of social media, a case in point being most of our content comes from Twitter on this particular bit of research. And, for organizations, like NIST, who try to track exploits and, if they exist, for a vulnerability, NIST is not going to be able to keep up with the pace that these discussions are occurring at. The vendors are also unable to keep tabs on this in real time. And then, of course, the organizations that actually deployed the hardware and software are ultimately left with the burden of looking for these exploits. So you need a mechanism in place, whether it's Recorded Future or something else, to keep tabs on those conversations, and see if your production environments, or software and hardware that you're running, are vulnerable and have working exploits out there today, because you just can't rely on NIST, and your vendors, to keep you abreast of that in real time.

Dave Bittner: [00:04:45:04] That's Nicholas Espinoza from Recorded Future. Their website is recordedfuture.com.

Dave Bittner: [00:04:52:19] People are still wondering what to do about that big pile of email credentials the Russian kid sold to Hold Security for a buck and a pat on the head. Some experts are telling NBC News that, just to be safe, everyone should change their personal email account passwords. It’s generally a good idea to change passwords, especially if the change also makes them stronger, and several security companies are advising people to move to pass phrases. On the other hand, lest anyone panic, Wired points out, sensibly, that there’s probably less to the horrible sounding 270-million-credentials-stolen story than meets the eye, as even the malchick who sold them admits, the credentials in question have leaked out over the years in various breaches.

Dave Bittner: [00:05:34:23] We heard from Lastline about the general problem compromise of email credentials presents. Brian Laing, the company’s Vice President, Products and Business Development, reminded us that free email services, while “free,” are still a business, and generally the business they’re in is advertising. He thinks those services should up their security game, and induce users to make their passwords stronger and change them on a regular basis. Multi-factor authentication might also be a nice upgrade. The users themselves could also do a better job of taking care of security, especially by using password managers. But until you, user, are willing to work a bit harder to protect yourself, Laing has this advice: “Change your pet's name monthly, preferably with a mix of upper and lower case letters." To which we can only add, Rover, we hardly knew you. We mean, R-Zero-lowercase-V-3-R-exclamation point. Good dog!

Dave Bittner: [00:06:34:04] This CyberWire podcast is made possible by Wide Angle Youth Media, a non-profit that provides free media education to Baltimore youth, to tell their own stories and become civic leaders. Learn, watch and connect at wideanglemedia.org.

Dave Bittner: [00:06:54:07] Joining me is Dale Drew. He's Chief Security Officer at Level 3 Communications. Dale, you have an interesting story to share, about the discovery of a new DDoS vector. What can you tell us about that?

Dale Drew: [00:07:04:11] So the Level 3 threat research lab recently identified a new attack pattern in the internet backbone, where bad guys have found a new way to do what's called a DDoS amplification attack. This is basically where a bad guy can send a small packet, and it results in a very large packet return, and so when they spoof that traffic to make it look like it's coming from the victim, that very large return ends up hitting the victim, and it amplifies the amount of traffic going to them. We saw a bunch of bad guys, who were experimenting in a new amplification attack, not only developing the code, but data testing it on a number of victims. It used a service called PortMapper. PortMapper is a Unix-based service where you can query the Unix server and say, "What network-based services are you running?" And it will return a list of those services. So I send it a very small request and I get a very large return as a result.

Dale Drew: [00:08:16:02] And so, we sent out an early warning notice on our blog about it, and to a number of our industry partners, because we found about 12 million systems on the internet that had PortMapper accessible. So there are 12 million nodes that could help amplify a DDoS attack. Our recommendation in this early warning notification was that people really need to make sure that they have firewall rules enabled to block access to traffic from the public internet, as well as making sure that they disable all unnecessary services on their systems. It really seems like fairly simple guidance. I mean, this has been guidance that's been around for decades, but it's really those simple things that have substantial leverage impact on being able to better protect not only the victims of these attacks, but the internet backbone as a whole.

Dave Bittner: [00:09:11:14] All right, good advice. Dale Drew, from Level 3 Communications. Thanks for joining us.

Dave Bittner: [00:09:18:11] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning co-working space, incubator, and campus for technology and entrepreneurship, located in the Federal Hill neighborhood of downtown Baltimore. Learn more at betamore.com.

Dave Bittner: [00:09:46:07] Ransomware has been much in the news this week. Cylance has published a dissection of AlphaLocker. An unknown white hat has subverted Dridex, substituting dummy files for ransomware payloads. And, of course, Heimdal has exposed the Charity Team’s brassy attempt to nudge its victims into payment with the promise that the proceeds of extortion will go to the children. And how could you be so heartless as to turn down the Charity Team’s appeal? Here’s how: realize that the chance that a Sasquatch will turn out to be Satoshi Nakamoto is probably higher than the likelihood that a kids charity will get the Bitcoin you pony up. So, let’s see, counting on my fingers, here, it’s about the likelihood of getting a winning PowerBall number, right? I mean, Satoshi, Sasquatch.

Dave Bittner: [00:10:30:11] At any rate, other forms of criminal attack haven’t disappeared. DDoS, for one, is still a hacktivist favorite, as Anonymous hits against the central banks of Greece and Cyprus in Operation Icarus attest. Such hacktivism aims, of course, at business interruption, but there are other reasons threat actors engage in denial-of-service. Misdirection is one of them, and Forcepoint, this week, published a study that shows how this can work. The Jaku botnet is now said to have 19,000 zombie machines. While it could be used for conventional spam and distributed denial-of-service, its principal purpose still appears to be highly selective attacks, mostly against East Asian targets. Forcepoint, which has been tracking the Jaku campaign, notes that the attackers seem to be masking precise targeting in the noisy traffic of a big botnet.

Dave Bittner: [00:11:19:04] In industry news, FireEye and CyberArk both reported earnings late yesterday. FireEye posted a better than expected loss of $0.47 per share, on $168.0 million in revenue. CyberArk reported $0.23 in earnings per share, on $46.9 million in revenue. FireEye also saw an increase in security subscription services, which it sees as playing a greater role in its business strategy going forward. FireEye’s CEO, Dave DeWalt, will move up to the Executive Chairman role, with Kevin Mandia filling in behind him as the new CEO.

Dave Bittner: [00:11:53:06] Cybersecurity research and development, and building a strong domestic cyber sector are priorities for Australia’s government, as we learned when we heard Data61’s presentation at SINET ITSEF last month. Today we hear from Data61’s Adrian Turner, who gave us a view from the organization charged with driving security innovation forward in Australia.

Adrian Turner: [00:12:14:12] This strategy is a comprehensive strategy that covers aspects of innovation and new industry creation, including technology transfer from the research sector, right through to the other end of the spectrum, providing infrastructure, threat intelligence sharing capability and infrastructure, for industry to be able to do what happens organically today in a more structured way. What we've done is we've identified areas where we think we can make a difference and be world-leading, and then we've gone back into the uni sector, and into partners to find people that have the main expertise working on parts of the problem. So, we're taking their fundamental research, bringing market context, and are very focused on the translation of that research into solutions that can be consumed by the market.

Dave Bittner: [00:13:10:20] An important aspect of Australia's commitment to cyber, according to Turner, is the recognition of evolving trends in the global marketplace.

Adrian Turner: [00:13:18:09] It's not just that every industry is becoming data-driven, which it is, it's as those industries become data-driven they take on different economic structures. The shift is as profound as when we moved from agriculture to manufacturing. Now we're moving to platform economics, and the characteristics of those platforms, as we've seen with companies like Google and Apple, and Facebook and others, is that they tend to have natural monopolistic tendencies. There tend to be learning algorithms at the center of those that take data feedback routes and deliver better services at scale. So, for Australia, we have a choice - we can either be participants in those platforms, or we lead in helping to transform our strength industries like healthcare, mining, agriculture and services industries, and develop some of those ourselves. And I think the opportunity for Australia is global, but it's also regional, an Indo-Pacific regional opportunity.

Dave Bittner: [00:14:26:23] It's a coordinated effort, engaging a variety of stakeholders throughout the nation.

Adrian Turner: [00:14:31:24] The first goal that we have is to drive national alignment, and bring global context to the work that's going on nationally. So, for the country, in the last month we've had the publishing of the Defense Policy paper. We've had a National Cyber Security Strategy Policy published. We've had the establishment of a Cyber Security Growth Center, which is a group to coordinate cyber activities across the country, across the uni sector, right through to providing infrastructure and programs to keep a collaboration in industry, and between industry and government, as well as tax incentives for start-ups and early stage investing. So, we're at a moment in time where new policies and new strategy are all lining up, and we have a role to bring that together nationally.

Adrian Turner: [00:15:28:14] There is a recognition in Australia that cyber security doesn't have geographic boundaries, and it's a shared responsibility, and so we are being aggressive in partnering internationally. We're engaged in dialogs with people across public and private sector in other parts of the world, to make sure that we're also learning from the things that have worked well at a national level and a system level in other countries in the world.

Dave Bittner: [00:15:55:05] That's Adrian Turner, CEO of Australia's Data61. You can learn more about them at csiro.au.

Dave Bittner: [00:16:05:19] The Los Angeles Police Department succeeded in gaining access to a murder victim’s locked iPhone 5s, previously thought more resistant to cracking than the iPhone 5c, used by the San Bernardino jihadist. They’re said to have succeeded by using the service of a forensic expert. Observers expect this to inform the crypto wars, making requirements for backdoors or other vendor assistance less urgent.

Dave Bittner: [00:16:28:08] Finally, Craig Wright seems to have given up, albeit ambiguously, his claim to be Satoshi Nakamoto. His blog says that he just doesn’t feel up to continuing the struggle. He closes with a simple, "I’m sorry." You decide. But you can always stand up with the rest of us and shout, “I’m Satoshi!”

Dave Bittner: [00:16:51:01] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. The people who are interested in those stories tend to be people who read or listen to the CyberWire. If you'd like to reach them, visit thecyberwire.com/sponsors, and find out how you can sponsor the news brief or podcast. Thanks to all of our sponsors who make the CyberWire possible.

Dave Bittner: [00:17:13:14] The CyberWire is produced by Pratt Street Media. Our editor is John Petrik. I'm Dave Bittner. As always, thanks for listening, and have a great weekend.