The CyberWire Daily Podcast 1.31.17
Ep 276 | 1.31.17

Ransomware updates. Netgear vulnerabilities and patches. Breaking Android pattern lock. Delegated Recovery. Information operations.

Transcript

Dave Bittner: [00:00:03:06] We've got ransomware developments, the good, the bad and the ugly. Netgear routers and the mom-and-pop dilemma. Breaking Android pattern locks. Facebook has a novel approach to password recovery. Keysight will buy Ixia and IBM's acquisition of Agile 3 Solutions gets positive analyst reviews. Australia's Data61 innovation shop wants to go all-in for cyber. ISIS makes hay of US immigration policy but the group shows signs of cracks.

Dave Bittner: [00:00:37:00] Time for a message from our sponsor, Palo Alto Networks, available at go.paloaltonetworks.com/secureclouds. Organizations and their data are in the cloud, sometimes whether they know it or not, and the cloud is no longer just a convenient place somewhere out there to store things. Today it's an integral part of the way almost every enterprise level organization does business. Palo Alto Networks understands this. They also get the fact that your data and applications are distributed across the private cloud, the public cloud, software-as-a-service environments, and any number of configurations in between. Make sure your data and apps are secure and protected wherever they may be. Palo Alto Networks offers the broadest, most comprehensive cyber security for private cloud, public cloud, and software as a service environments, because secure clouds are happy clouds. Find out how to keep yours happy at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:44:21] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, January 31st, 2016.

Dave Bittner: [00:01:55:04] We begin with some developments in ransomware. Two relatively new strains are out in the wild. Trend Micro is describing one they're calling "RANSOM_NETIX.A." It's targeting Windows users who also use Netflix, and it's holding their Netflix login credentials hostage, which is a bit of a twist, but then an effective extortionist holds something you value at risk.

Dave Bittner: [00:02:17:21] We've heard how Washington DC's police experienced a ransomware attack on their surveillance cameras around Inauguration Day. Another police department, this one from Cockrell Hill, Texas, has also fallen victim to ransomware. In their case it's thought the infestation came through the usual spam vectors, with links incautiously clicked by recipients. The security firm Acronis identified the ransomware strain in Texas as "Osiris," an evolved version of Locky that shows an ability to evade most perimeter safeguards. The police declined to pay, instead biting the bullet and wiping the infected server, accepting the loss of several years' worth of records. Again, secure backup is your best defense.

Dave Bittner: [00:03:00:04] And the criminals have hit back at the white hats in other ways. Over the past week ransomware protection companies Emsisoft and Dr. Web both sustained distributed denial-of-service attacks, apparently in retaliation for both companies' good work in offering decryption tools and other security assistance to ransomware victims. Emsisoft has told Bleeping Computer that they believe the author of MRCR, also known as Merry X-mas, is the hood responsible for organizing the campaign.

Dave Bittner: [00:03:30:19] Trustwave reports Netgear routers are susceptible to authentication bypass flaws. They disclosed their findings to Netgear, which is making security updates available. The bugs can be exploited remotely through the routers’ remote management option. Michael Patterson, CEO of Plixer International, commended Netgear to us for not having enabled remote management by default. But there's a dilemma here, too. If you remove the remote access feature entirely, that puts the onus of updating firmware on the user, and a lot of those users are home users, or mom-and-pop small businesses.

Dave Bittner: [00:04:03:11] Patterson said, quote, "For those mom and pop shops, who own one of those devices, it would be highly unlikely that they would have the time and expertise to implement updates continuously. This is why it is very important to monitor all traffic to and from the DNS using NetFlow or IPFIX. Service providers could easily identify their customers that are reaching out to strange DNS servers. The problem in the industry is that service providers are not motivated to take on this responsibility as the malware isn't impacting their services," end quote.

Dave Bittner: [00:04:35:09] British and Chinese researchers have published findings that show how Android's pattern lock system can be broken. Craig Young, Principal Security Researcher with the security firm Tripwire thinks passwords are still your best bet for securing an Android device. Unfortunately good, strong passwords are tough to use on a phone, which is why he recommends phones with fingerprint readers. Young says, quote, "While biometric security certainly has its limitations, I feel that it will generally still hold up better against most attack vectors than a simple pattern or pin unlock code," end quote.

Dave Bittner: [00:05:09:12] This of course is one instance of the more general problem of authentication that many experts see as a major issue for 2017. Facebook might have come up with an interesting approach to one aspect of authentication, password recovery, now most often done by means of email and secret questions. They announced it at USENIX, and they call it Delegated Recovery. In Bleeping Computer's account, an online service vouches for a user on another website roughly like this. User Bob has an account on Facebook and GitHub. Bob generates a recovery token with GitHub. Bob saves the GitHub recovery token inside his Facebook account. Bob loses access to his GitHub account. Bob recovers his GitHub account using the recovery token stored in his Facebook account.

Dave Bittner: [00:05:54:24] Facebook says the recovery token is encrypted, and no online service that temporarily stores it can read the token.

Dave Bittner: [00:06:03:03] With all of the news about ransomware and IoT vulnerabilities, it's easy to lose sight of the fact that malvertising remains a common, profitable attack. Security company, RiskIQ recently published their 2016 malvertising report, and we spoke with RiskIQ security researcher, Ian Cowger.

Ian Cowger: [00:06:20:05] So, in a malvertising instance, whenever you're delivered an ad on your page there is a long series of redirections, where it reaches out to, like, from the publisher, out to the ad exchange, which then goes to the DSP, and then a long series of redirections that pulls in assets from any number of parts. So, whenever you're delivered an ad, it actually goes through a lot of different hands and at any one of those points, including both the origin and near the end, any one of those web assets can be compromised. If one of those is compromised then it just-- they can link out to some malicious file and either redirect your entire user session out to something bad or they can just drop a malicious file on you.

Dave Bittner: [00:07:09:02] And, and who, who are they specifically targeting? Are they mostly going after consumers or is it a wider net than that?

Ian Cowger: [00:07:15:11] It is really anyone who uses an ad is a potential target. So common, common scam tables that they would drop would be like a fake tech support scam. Like, you have a virus on your computer, call this number and then, you know, they create a problem and solve a problem. Or, you know, they will drop a banking Trojan on to your device and then they'll just sit there and listen for you logging into any of your banking applications or on to any of your banking websites and then they'll capture your credentials and then send that back or harvest any credit card details. Or even just general spyware, these days, just harvesting user information about you is oftentimes more valuable than even your credit card information. Credit card dumps are getting cheaper and cheaper, whereas personal information is getting bought up at a higher price.

Dave Bittner: [00:08:11:15] I'm surprised that this sort of thing makes it through, you know, some of the large ad networks, like Google and Facebook.

Ian Cowger: [00:08:18:11] Yes, sadly it does, but the key important thing there is that there's a lot of sophisticated filtering systems that these guys put in place, as a means to evade solutions like ours, or other solutions. So in normal ad delivery systems there are means to target whichever user you're trying to do. They turn those same sorts of tools around to then try and not serve it to scanning solutions or security researchers, such as any time you'll get one payload, oftentimes they'll never send the payload to the same IP. Or they'll try and use specific calls, to figure out whether or not what they're doing is running inside of a sandbox environment. The security industry and their space has always been a sort of cat and mouse game of new techniques are developed and then new counter-measures are developed and it's always sort of an evolving space.

Dave Bittner: [00:09:18:01] That's Ian Cowger from RiskIQ.

Dave Bittner: [00:09:21:09] In industry news, Keysight's rumored acquisition of Ixia seems to be happening, with Ixia fetching $1.6 billion. The acquisition is expected to close in October.

Dave Bittner: [00:09:31:24] IBM's acquisition of Agile 3 Solutions is receiving generally positive analyst reviews as a cyber security play. And in Australia, Data61, that country's innovation promotion organization, wants to go "all-in" on financial technology and cyber security.

Dave Bittner: [00:09:50:04] ISIS is making information-war hay of President Trump's order restricting immigration from seven Muslim-majority countries. Its narrative suggests, first, that ISIS represents Islam, and second, that ISIS is the victim here. ISIS messaging, however, is also showing signs that the group may be fragmenting under kinetic military pressure. It remains to be seen what that will mean in terms of the threat it poses.

Dave Bittner: [00:10:16:06] And finally, those following Russia's FSB shake-up may wish to revisit the old interview with Shaltai-Boltai. The Russian Humpty-Dumpty has been a wasp in that government's ear for some time, and last month's FSB arrests suggest that Humpty-Dumpty is having an effect.

Dave Bittner: [00:10:37:22] And now a quick thank you to our sponsors, CyberArk. This past year CyberArk scanned over 15,000,000 machines. 88% of the networks they scanned were found significantly at risk of compromise, through theft or abuse of privileged account credentials. How many privileged accounts and credentials are there in your organization? You may be surprised. CyberArk will tell you that the average organization has four times more privileged accounts than employees. Take the first step towards securing your privileged accounts, run the CyberArk Discovery and Audit Scan. That's CyberArk DNA. It'll discover your privileged accounts, whether on-site or in the cloud, assess the risk they pose, and identify accounts with local admin rights, and even the machines vulnerable to credential theft.

Dave Bittner: [00:11:20:14] Get your free risk assessment today, at cyberark.com/cyberwire. That's cyberark.com/cyberwire. Check it out and see what your risk is. And we thank CyberArk for sponsoring our show.

Dave Bittner: [00:11:40:11] And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, we talked not too long ago about Coinbase, a Bitcoin currency company, who ran into some troubles with the IRS. The IRS wanted to get some records on Coinbase's customers and Coinbase is pushing back. Fill us in here.

Ben Yelin: [00:12:03:03] Sure. So this is a story we'd referenced a couple of months ago on our-- on the podcast. The IRS, back in March of 2014, issued a guidance document on virtual currency and they basically said it would be treated for tax purposes, not necessarily as income, but as property. So it still has to be reported, like any sort of gain in property that someone gets through the year they have to report on their income taxes, they would have to do the same for virtual currency. The IRS, of course, in its effort to increase its tax receipts, sent a request to Coinbase to collect the personal data of thousands of its users. The rationale was they wanted to make sure that all of the property, the virtual currency being collected, was being reported for tax purposes. Coinbase, under its CEO, Brian Armstrong, estimated, this past week, that it will cost the company between $100,000 and $1,000,000 to defend its customers from what he called an overly broad subpoena. And eventually those costs are going to be passed down to the consumer, I think it's reasonable to say.

Ben Yelin: [00:13:14:09] And, you know, we saw the same issue with Apple and the FBI. We have these tech companies, and in this case Coinbase, advertising to its consumers that their information is going to be protected, they're going to have data integrity, and then the government comes in and submits this request. In this case, the federal judge ruled that Coinbase would be ordered to turn over this data. It's not only a monetary problem for Coinbase, in terms of the legal costs, but they're not going to be able to represent themselves to somebody who has data integrity, and that's going to hurt their bottom-line going forward.

Dave Bittner: [00:13:49:16] Take us through the process here. What's next in terms of Coinbase fighting this order?

Ben Yelin: [00:13:55:07] So Coinbase has asked to intervene in the court proceedings. They're going to make their first appearance in front of a federal judge in, in the Northern District of California this coming February. A favorable ruling would mean that there would be a separate proceeding, where Coinbase would be able to argue against the IRS, against the intrusion into this data.

Dave Bittner: [00:14:16:20] Alright, we'll stay tuned. Ben Yelin, thanks for joining us.

Dave Bittner: [00:14:22:03] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors for making the show possible, especially to our sustaining sponsor, Cylance. For more information about how Cylance can help protect you, visit cylance.com.

Dave Bittner: [00:14:38:05] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.