The CyberWire Daily Podcast 9.1.16
Ep 176 | 9.1.16

Russia's cyber long game, SWIFT fraud, hack physics (not metaphors), and more.

Transcript

Dave Bittner: [00:00:03:17] Business email compromise scores big in Central Europe. More SWIFT fraud, and a security ultimatum from SWIFT to its members. Vanya the RIPPER is on the lam from Thai police. iMessage issues surface. Cerber ransomware is being spread by Word documents. Adobe's hot fix swats a ColdFusion bug. Rowhammer attacks are shown to be a real possibility. Election hacking and influence operations. And a tip: if you look good for your mugshot, you won't be tempted to Facebook a more flattering one to the authorities.

Dave Bittner: [00:00:38:17] Time to take a moment to thank some sponsors. The Johns Hopkins University Information Security Institute and COMPASS Cyber Security are hosting the third annual Senior Executive Cybersecurity Conference on Wednesday September 21st from 8:30 am to 4:00 pm. That's going to be at the Homewood Campus of Johns Hopkins University right here in Baltimore. Hear from industry leaders on cybersecurity, best practices and trends that will help you better secure your organization's data. This year's agenda examines the current cybersecurity landscape, threats and challenges ahead for organizations and how senior leaders can work towards shifting their data to being safe and secure. You can find out more online at secsc.compasscyber.com, or, on the Johns Hopkins University Information Security Institute website at isi.jhu.edu. Do check it out. And we thank the Johns Hopkins University Information Security Institute and COMPASS Cyber Security for sponsoring our show.

Dave Bittner: [00:01:45:04] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, September 1st, 2016.

Dave Bittner: [00:01:51:14] Two revelations of fraudulent fund transfers lead cybercrime news. The first is a variant of the familiar yet still very dangerous business email compromise. In mid-August, German wire manufacturer Leoni AG lost roughly $44.6 million when personnel at a Romanian facility followed instructions in a spoofed email. The money apparently wound up in accounts in the Czech Republic. The incident is noteworthy because Leoni had a number of safeguards in place to prevent exactly this sort of loss, but the criminals had done their homework and crafted an email that not only appeared to be from an executive authorized to make such a request, but also gave every appearance of having passed through the company's policy and security gates.

Dave Bittner: [00:02:34:20] And SWIFT, the Society for Worldwide Interbank Financial Telecommunication, is back in the news. Earlier this year the financial sector's international funds transfer network witnessed fraud against member banks in Bangladesh, Vietnam and Ecuador, with some of the attempts also touching German and US banks. It has now, Reuters reports, again warned its members that more fraudulent money transfers have been observed and that some of them were successful. The scope of the latest attacks is unknown, but SWIFT has given its members an ultimatum: update to the latest version of SWIFT software by November 19th or be reported to regulatory authorities and banking partners. Reuters says that weak local security was exploited to compromise local networks and then send bogus messages requesting money transfers, some of which were apparently filled.

Dave Bittner: [00:03:23:22] Such incidents offer a number of lessons, not the least of which are the importance of network segmentation and privileged account management. Commenting directly on the SWIFT disclosure and warning, Shane Stevens, VASCO Data Security's Director of Omni-Channel Identity and Trust Solutions, told the CyberWire that "SWIFT got a wake-up call finally for its decision to stay with passwords." Stevens noted that while SWIFT has worked to strengthen passwords, the password itself represents a dead-end line of development in three decades of authentication technology.

Dave Bittner: [00:03:56:05] He also commented that organizations like SWIFT present a large attack surface, "with so many attack vectors it was just a matter of time before SWIFT became a focal point for cyber criminals." He characterized the financial sector as more reactive than one would like to see them be.

Dave Bittner: [00:04:13:03] It seems that hardly a week goes by without news of a new or newly discovered data breach. We spoke with Centrify's Senior Director of Products, Corey Williams, about data breaches, and his insights on the recent Sage Software data breach.

Corey Williams: [00:04:27:04] Well, Sage is an interesting company, they're one of the largest software companies in the UK with over six million small- or medium-sized businesses, and they provide software for things like payroll and accounting and CRM. What we've heard so far about the Sage data breach is that it's affected the information related to somewhere in the neighborhood of 280-300 of those individual businesses, although that number may change as it's very early on in the investigation. And allegedly the breach was conducted using a Sage employee account, so it's not known whether this was indeed some sort of insider doing something that they shouldn't be doing, or whether it was some sort of outside attack that was leveraging a compromised employee account.

Dave Bittner: [00:05:13:23] What are the ramifications of this breach?

Corey Williams: [00:05:15:19] Well, it's interesting, Sage has been on a tear lately, if you look at their stock price it recently hit a 16 year high, and they've been performing very well on the market. Just the news alone has caused the share price to dip four, five percent, at last glance, so at a minimum it's affecting the shareholders of Sage. But, interestingly, there's probably longer term ramifications. Centrify recently did a study with over 2,000 participants in the US and the UK, basically said that over two-thirds of the respondents, of consumers, are likely to stop doing business with organizations that have been breached, so, potentially, the damage to this could last for a while.

Dave Bittner: [00:06:02:21] And so, what are some of the things that Sage could have done to protect themselves against this sort of thing?

Corey Williams: [00:06:09:04] Many of these data breach stories, and it appears that Sage is the same, is it has to do with the misuse of someone's credentials, they're logging into systems they shouldn't have access to, whether they're an insider or they're a malicious outsider. So, one of the first things you can do is immediately establish better what we call identity assurance, it's sort of the lowest hanging fruit to ensure that people are logging in as themselves, and passwords just aren't sufficient for that anymore. Our modern companies today are using multi-factor authentication everywhere that they can, and the nice thing about multi-factor authentication is the password by itself can't be used to compromise access, you actually have to have the user's device or some other fingerprints or so on. And so that's the lowest hanging fruit is to immediately use MFA everywhere.

Corey Williams: [00:07:03:17] Now, what's interesting is that MFA hasn't been widely deployed because it has a stigma of being hard to use, but multi-factor authentication in the past year, I believe, has really grown to be much easier to deploy and manage on a widespread basis. So, there's really no excuse. Certainly consumers have started to adopt it, businesses should be adopting multi-factor as well.

Dave Bittner: [00:07:26:02] That's Corey Williams from Centrify.

Dave Bittner: [00:07:29:23] ATM and point-of-sale hacking continues. Police in Thailand have a be-on-the-lookout alert for a twenty-something Russian they believe was responsible for draining ATMs in that country of about $350,000, with the use of malware FireEye has called RIPPER. The suspect is unnamed; we'll call him, for convenience, Vanya the RIPPER, and he's thought to have had at least two accomplices. According to FireEye, RIPPER is installed using a malicious EMV chip: insert, install and steal.

Dave Bittner: [00:08:00:20] Microsoft warns that attackers are exploiting Word vulnerabilities. Weaponized documents are now spreading Cerber ransomware and password-stealing Trojans through Betabot. It's a new kind of threat but it's reminiscent of old school malicious macros.

Dave Bittner: [00:08:15:07] Adobe patched ColdFusion with a hot fix Tuesday. Users are advised to apply the patch; the XML External Entity injection vulnerability is a real one.

Dave Bittner: [00:08:25:17] Several interesting proof-of-concept attacks indicate a shift toward physical exploitation of hardware. Google researchers showed how a Rowhammer attack - exploiting a condition researchers noticed in 2014 - can use electromagnetic leakage across rows of transistors to achieve a degree of control over a device. In an excursion into cyber metaphysics, Wired observes that we're accustomed to understanding information systems in metaphorical terms, "file," "window," "memory," etc., but that such newer demonstrations represent a move down and away from metaphorical abstractions.

Dave Bittner: [00:09:01:14] US states continue to worry about and possibly improve voting security. Vermont thinks it's covered, North Carolina wants Federal help, and many worry about the implications of federalizing elections. Technology Review thinks that direct manipulation of election results is less likely than most people think, but influencing such results through information operations is a different matter. Russia continues to play an information operations long game with respect to US and other Western elections. It seems to be doing so directly, and deniably, as through the Guccifer 2.0 sockpuppets, and with the aid of effective fellow-travelers. The New York Times observes that, independent as WikiLeaks may be, objectively, as the old Pravda might have put it, Assange's operation is nicely aligned with Russian interests.

Dave Bittner: [00:09:47:16] And finally, we like to keep up with recurring themes. Social media are well-known for the disinhibition they induce in their users, and that disinhibition works especially powerfully, it often seems, on those who have run afoul of the law. We've heard of burglars posting their next planned capers on Facebook, of wanted felons responding to notices that a rare Charizard can be found in a police station, of muggers using stolen phones to ask their victims for dates.

Dave Bittner: [00:10:14:07] Today's news in this vein comes from Australia, where a young woman, arrested on suspicion of property crimes, took it on the lam, allegedly we must say, from a Sydney jail. The police posted a wanted notice and she politely Facebooked them to ask that they use a more flattering mugshot. She helpfully provided a new picture. There's some closure to the story: she's now back in custody. We hope the magistrate tempers justice with a little bit of mercy; we await further news from the Sydney PD.

Dave Bittner: [00:10:46:20] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want: actionable intelligence. Sign up for the Cyber Daily email and every day you will receive the top trending indicators Recorded Future captures crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:57:00] Joining me is Jonathan Katz, he's a professor of computer science at the University of Maryland, also Director of the Maryland Cybersecurity Center. Jonathan, saw a story come by this week that Matthew Green, a researcher at Johns Hopkins University, has found some vulnerabilities in Apple's iMessage encryption protocol. What do you make of this discovery?

Jonathan Katz: [00:12:15:13] Well, I think it was quite interesting. Actually, the main attack that they showed was what's called a chosen-ciphertext attack, where basically it's a situation where an attacker eavesdrops and gets some ciphertext, and can then pose as the legitimate user and send related ciphertexts to the server, to the Apple server, and see their decryption, and even though it sounds kind of contrived, that kind of a scenario can occur in practice, and what Green and his collaborators showed was that they were able to use such an attack to actually recover the original encrypted message.

Dave Bittner: [00:12:49:22] And so, part of the point they were making in this article and in this research, was that Apple sort of rolled their own when it came to coming up with this encryption and that may not be such a good idea.

Jonathan Katz: [00:13:02:02] Yes, that's right. It's kind of funny because these chosen-ciphertext attacks are something that I gave as a course project in my undergraduate cryptology class, and it's sort of well known by now, number one, that these attacks are possible, and, number two, how to defend against them. And so it's kind of surprising that Apple engineers weren't aware of this apparently when they designed their protocols. And, like you said, it's another indication of why people shouldn't roll their own crypto but should be really using standardized and off the shelf sort of protocols.

Dave Bittner: [00:13:32:08] And so, what are the advantages of using standardized and off the shelf protocols?

Jonathan Katz: [00:13:36:16] Well, I mean, basically, one of the advantages is, number one, that they have been designed with knowledge of these various attacks, like these chosen-ciphertext attacks, and they've been developed to protect against them, and, more than that, they've also been analyzed by the community, so, they're publicized, they're analyzed, they're constructed in a very careful way in order to be secure, and with Apple, what they did, not only did they roll their own but they also kept the details of their protocol hidden, so as part of their work, Green and his collaborators had to actually spend a lot of time reverse engineering the protocol, just to get it to a point where they could sit down and analyze it. And if Apple had released the details of what they were doing then these kind of attacks might have been found much earlier, maybe even before they started deploying it. So, those are the advantages you get from relying on things that other people have developed and already studied.

Dave Bittner: [00:14:28:02] Alright, Jonathan Katz, thanks for joining us.

Dave Bittner: [00:14:32:08] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media, the Editor is John Petrik, our Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.