The CyberWire Daily Podcast 1.23.17
Ep 270 | 1.23.17

Fake news tweets (from hijackers, not opinion-makers). Ransomware. New Android Trojans. Closing in on Mirai's master?

Transcript

Dave Bittner: [00:00:03:12] Fake tweets from hijacked news accounts mark US Presidential transition. BankBot Android Trojan evolves and Skyfin will quietly buy stuff you don't want from the Google Play Store. An ill-named Dharma ransomware hits an Indian pony site. Lloyds Bank discloses DDoS attacks. The SEC looks at Yahoo!'s breach disclosure record and the FBI is taking an interest in the gentleman Krebs fingered as Mirai's master.

Dave Bittner: [00:00:35:19] It's time to take a moment to tell you about our sponsor, CyberSecJobs. If you're an information security professional, seeking your next career, or your first career, check out cybersecjobs.com and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their résumé and search and apply for thousands of jobs and it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages, designed to meet your needs. To learn more visit cybersecjobs.com, that's cybersecjobs.com, and we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:31:02] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, January 23rd, 2017.

Dave Bittner: [00:01:41:21] Both the New York Times and the BBC had their Twitter accounts hijacked recently. The Times hijackers yesterday tweeted, falsely, that Russian President Putin had intentions to launch missiles against the US, and the BBC's hijackers tweeted Friday, equally falsely, that US President Trump had been wounded in an assassination attempt during his inauguration. Protection racketeers at OurMine admit collaborating in the caper, but said their unnamed partners composed the tweets.

Dave Bittner: [00:02:10:24] OurMine has become well known for its shakedown operations, and they seek to preserve an implausible illusion of legitimacy as a security auditing service, but, as may be seen in The Hill's account, as in others, few, if any, buy this. OurMine seems today to be distancing itself from both incidents, disavowing responsibility for the tweets and suggesting to the BBC that OurMine's hacking was only coincidental with the bogus news stories. Still, they're offering their services, as in this note to the New York Times: "Message from OurMine to @nytvideo, contact us to tell you how to fix the issue."

Dave Bittner: [00:02:50:18] The week opens with news of fresh Android threats. Tripwire is following the progress of the recently discovered banking Trojan BankBot, which is built to loot bank accounts by exploiting admin privileges on Android phones. BankBot's source code has begun circulating on at least one criminal hacking forum. Doctor Web has also identified a new Android threat; they're calling this one Skyfin. It's a second-stage infection that, so far, has been observed in phones already compromised by the Android downloader malware family. Skyfin quietly infests a device's local Play Store app to make unwanted purchases.

Dave Bittner: [00:03:27:14] The SANS Internet Storm Center has a rundown on Sage 2.0, a variant of CryLocker, first described by Bleeping Computer last month. Sage 2.0 ransomware is now being observed in spam hitherto associated with Cerber, so again the criminal markets are showing their propensity for evolution and adaptation.

Dave Bittner: [00:03:47:15] Specific ransomware victims late last week include the St. Louis, Missouri, USA, public library system and the Racingpulse.in pony betting site operating out of Bangalore, India. The Dharma ransomware strain hit Bangalore; there's no word yet on which variety affected St. Louis. The St. Louis librarians aren't paying up; instead, they're wiping and restoring the approximately 700 affected machines. That won't be cheap or pain-free, and it will, in fact, take a few days to accomplish, but the librarians are determined to hang tough.

Dave Bittner: [00:04:21:19] Last week, Google released an open source prototype of a system for discovering and verifying public encryption keys, called Key Transparency. For details, we checked in with Professor Matthew Green, cryptographer from Johns Hopkins University.

Professor Matthew Green: [00:04:36:00] We've known for a long time that one of the vulnerabilities in encrypted messaging systems is that they use key servers, or at least many of the commercial ones do. So, what that means is that if you want to talk to somebody, the first thing you have to do is you have to get their public key. In the olden days, when we did that with things like PGP, it was a very painful process. We used to have key signing parties and go to key servers and do all of the stuff. All of these newer instant messaging systems have gotten easy to use, and they've done that mostly by making that transparent. So, you don't know that you're getting somebody's public key, but you're still doing that, and that means you're relying on some server, somewhere, to hand you the right public key and not give you the wrong one. That's a vulnerability, or that's a potential vulnerability, in many of these apps.

Dave Bittner: [00:05:23:06] And so, take us through how key transparency is addressing that situation.

Professor Matthew Green: [00:05:28:09] So, two bad things can happen to you if you trust somebody else's key server. A person can break into the key server and they can actually give out the wrong public keys to people, so that people are encrypting to the bad guy instead of to you. The other thing that people can do is they can impersonate your SMS, and they could register a phone to your account, or even add another phone to your account if they guess your iCloud password. So that's the problem that key transparency tries to deal with. Many services will tell you, they'll send a message to your phone or something, when that happens, but there's nothing guaranteed about that. If somebody hacks the server, they can prevent that message from getting to you.

Professor Matthew Green: [00:06:06:02] Key transparency takes this a big step further and, what it does, is it basically produces a cryptographic proof that your phone can check, which proves that the key the server is giving out to people is actually the key that you want it to be, attached to your public key. So your phone and other people's phones can actually check that the server is behaving honestly.

Dave Bittner: [00:06:28:16] And so what are the likely areas where we're going to see this put to practical use?

Professor Matthew Green: [00:06:33:11] Well, I think the first place we're going to see this is in instant messaging systems. Hopefully, very soon. So the original key transparency project was created at Google and, I think, at Yahoo!, because Google and Yahoo! were working together on this e2e plugin for mail, both for Gmail and for Yahoo! Unfortunately, that project hasn't really produced a lot; we still don't have a production version of the e2e plugin. So, the key transparency server, which is now open source, hopefully will be adopted somewhere where it can actually make a difference. The places where it can make a difference are in encrypted messaging apps like Signal or WhatsApp. We haven't seen anyone adopt it yet, but hopefully that's on the way.

Dave Bittner: [00:07:19:05] So this is a 1.0 release, are there any serious limitations that you see so far?

Professor Matthew Green: [00:07:25:07] So I haven't gone through the code in a lot of detail. I know the people who wrote it, I know the basic design. The big question for me is, can it plug into other people's infrastructure, particularly the database backend, and work efficiently? I think we're going to have to see about that. I obviously don't have the tools here in my professor's office to test it at the scale of a billion people; I think that's going to be an interesting problem.

Dave Bittner: [00:07:51:24] That's Matthew Green, from Johns Hopkins University.

Dave Bittner: [00:07:55:19] In industry news, it appears that the US Securities and Exchange Commission is taking a close look at what some consider Yahoo!'s belated disclosure of its two major data breaches.

Dave Bittner: [00:08:07:07] The Lloyds Banking Group disclosed that it was affected by a distributed denial of service campaign two weeks ago. An unnamed international cyber crime gang is said to be responsible. Disruptions occurred intermittently over a two day period. Several observers are reminded of the earlier attack on Tesco's banking operations in the UK. We heard from Ilia Kolochenko, CEO of High-Tech Bridge, who strongly urges the victim and the authorities to conduct a quick and thorough investigation. That investigation should bear in mind, Kolochenko says, that DDoS campaigns often serve as misdirection for other, more serious attacks. Kolochenko points out, "DDoS attacks are quite simple to organize, but very difficult and expensive to mitigate. At the end of last year even Akamai was obliged to terminate its DDoS protection services for US journalist and investigative reporter Brian Krebs’s website, following ongoing and massive DDoS attacks against it." Akamai is a leading distributed denial-of-service protection vendor.

Dave Bittner: [00:09:09:20] And speaking of DDoS, and connected IoT devices, the FBI is reported to be interviewing the gentleman security journalist Brian Krebs has identified as the figure behind Mirai. Mirai, of course, is the botnet-herding malware used to clog the Internet last fall. If you haven't read KrebsOnSecurity's long account of how he tracked the spoor of the attacker, you should consider doing so; it's an interesting and dismaying story. It also offers a surprising window into the highly competitive world of Minecraft servers and the protection thereof. As is the case with any business highly dependent on availability, a distributed denial of service campaign against Minecraft servers, or the vendors who support them with DDoS protection, can have financially devastating, perhaps business-killing, results. And it's precisely this vulnerability, Krebs believes, that Mirai's creator and controller was out to exploit, hoping to establish either a competing service or a protection racket.

Dave Bittner: [00:10:05:24] It's also interesting in that the person the FBI is said to be interested in is not a state security service conducting a dry run, or even a well-resourced organized gang of criminals expanding their attack portfolio. Instead, it looks like a guy in a New Jersey dorm room. We won't share the person of interest's name, but we can say this: it's not Anna Senpai. And, for you Minecraft fans, it's not Steve, either.

Dave Bittner: [00:10:34:14] Time for a message from our sponsor, E8 Security, and let me ask you a question: do you fear the unknown? Lots of people do, of course, the creeper, the snow ghost, stuff like that. But we're not talking about those, we're talking about real threats, unknown unknowns, lurking in your networks. The good people at E8 have a white paper on hunting the unknowns with machine learning and big data analytics that go beyond the old school signature matching and human watch standing. Go to e8security.com/dhr and download their free white paper, Detect, Hunt, Respond. It describes a fresh approach to the old problem of recognizing and containing a threat no-one's ever seen before. The known unknowns, like red beard's goes to the puppet master, they are nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them, e8security.com/dhr, and check out the white paper, and we thank E8 for sponsoring our show.

Dave Bittner: [00:11:35:07] And I'm pleased to be joined, once again, by Jonathan Katz. He's a Professor of Computer Science at the University of Maryland and also director of the Maryland Cyber Security Center. Jonathan, I wanted to check in with you. I know there is concern that, as we head towards post-quantum cryptography, there are a variety of schemes that people are working on to try to take us past that hurdle. One of them that I have heard about is called multivariate cryptography. What can you tell us about that?

Professor Jonathan Katz: [00:12:02:03] As you said, people are very concerned about the advent of quantum computers. We don't know when exactly they're going to become a reality, but people are speculating that they may be deployed in about 20 or 30 years and, because of that, we need to start preparing now. As you know, and as many of the listeners probably know, all the common public-key cryptography used today is based on either factoring or the so-called discrete logarithm problems, and both of those are known to be solvable, efficiently, by quantum computers. So, basically, all the current public-key crypto on the Internet would be broken if and when we do get quantum computers, and people are looking for, as you said, post-quantum crypto replacements that would be secure, even against those computers.

Professor Jonathan Katz: [00:12:46:00] So people have been looking at a wide variety of different problems and these multivariate cryptosystems are one, amongst several possibilities, that people are looking at.

Dave Bittner: [00:12:54:07] So, take us through what's going on mathematically under the hood when it comes to multivariate cryptography?

Professor Jonathan Katz: [00:13:00:14] Well, as you can imagine, it's hard to give the full details but, just to give an idea of the problem, the problem essentially boils down to finding solutions to polynomial equations. So imagine that you're given ten, 20 different quadratic equations in many variables, not in a single variable like back in high school, but these are in many variables, and you're asked to find a set of solutions that will simultaneously satisfy all the given equations. Now, it's known, actually, that that problem is NP-hard in general, so we don't expect there to be a polynomial algorithm, or an efficient algorithm, for ever solving that. Of course, that doesn't yet mean that it's ready for cryptographic applications, and there's been a lot of work to try to take that problem and map it and derive cryptosystems from it.

Dave Bittner: [00:13:44:04] So, when it comes to this post quantum cryptography problem, is it a race against time?

Professor Jonathan Katz: [00:13:49:21] Well, yes, definitely. One of the things that's been interesting here is, if you think about it, you think that quantum computers are maybe 30 years off, so we have time to prepare, but then you look actually at how long the process of research and standardization takes, and you realize that actually, if we want something to be in place in 25 to 30 years, we really need to get started in the next five or ten years on having things that we can actually imagine standardizing and then rolling out to the Internet. So, we don't really have as much time as we might hope.

Dave Bittner: [00:14:17:08] Jonathan Katz, thanks for joining us.

Dave Bittner: [00:14:21:14] And that's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible, and special thanks to our sustaining sponsor, Cylance. Learn more about how Cylance prevents cyber attacks at cylance.com. The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.