The CyberWire Daily Podcast 3.10.17
Ep 303 | 3.10.17

WikiLeaks, responsible disclosure, and insider threats. Playstation credentials rumored to have been compromised. Apache Struts bug being actively exploited. DPRK missile cyber security. A look at West African cybergangs.

Transcript

Dave Bittner: [00:00:03:18] WikiLeaks offers to enter the responsible disclosure game - better late than never. Some AV companies tout their reviews in Vault 7. Speculation about how CIA hacking notes leaked turns to an insider threat. HackRead warns that PlayStation credentials may have been compromised. The Apache Struts vulnerability is being exploited in the wild. Observers cast doubt on reports the US successfully hacked North Korean missile launches. Comodo researcher Kenneth Geers shares insights from their 2016 global research report. And Trend Micro and Interpol take a look at the West African cybercrime scene.

Dave Bittner: [00:00:46:13] Time to take a moment to tell you about our sponsor, the good folks over at CyberSecJobs. If you're an information security professional seeking your next career, or your first career, you need to check out cybersecjobs.com and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professionals and students. Jobseekers can create a profile, upload their resume, and search and apply for thousands of jobs. And it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. You will find this and other great opportunities at cybersecjobs.com. That's cybersecjobs.com. And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:43:04] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, March 10th, 2017.

Dave Bittner: [00:01:52:23] WikiLeaks is apparently opening its own version of the Vulnerability Equities Process, offering to share what it says it learned from the Vault 7 leaks with affected software vendors. Companies are advised by US authorities that receiving classified information puts them on legal thin ice.

Dave Bittner: [00:02:10:18] Some of the anti-virus companies mentioned in Vault 7 as having tough-to-bypass products, notably Bitdefender and Comodo, aren't being shy about letting prospective customers know their reputations as, to quote one leaked remark, "a pain in the posterior."

Dave Bittner: [00:02:26:03] There's now some speculation about where WikiLeaks got the material it released in Vault 7. WikiLeaks itself says its source was a former US government "hacker." The Voice of America says a US intelligence official commented, on background, that there are some indications the leak came from a CIA contractor. A Federal criminal investigation is in progress.

Dave Bittner: [00:02:48:17] The publication Motherboard reports that WikiLeaks may have been a bit sloppy in redacting names from the dump. Some remain, but whether they're real names, pseudonyms, or something else is difficult to say. But Motherboard is taking no chances, and isn't publishing any of them.

Dave Bittner: [00:03:04:22] Reaction from the security industry continues to hold that there's less to the leaks than meets the eye, especially if that eye has been trained on the more alarmist headlines.

Dave Bittner: [00:03:14:03] Ilia Kolochenko, from the web security firm High-Tech Bridge, told us that he's even a bit surprised at the attention Vault 7 has drawn. Of course the CIA uses hacking tools and techniques in its intelligence gathering mission, and he hasn't seen anything so far that indicates the Agency was abusing those tools beyond its legal charter.

Dave Bittner: [00:03:33:18] The CEO of security company CyberX, Omer Schneider, agrees that it isn't news that the CIA has hacking tools, or that it maintains a stock of zero-days. "Most nation-states have similar hacking tools and they're being used all the time. What's surprising is that the general public is still shocked by stories like these. Regardless of the motives for publishing this, our concern is that Vault 7 makes it even easier for a crop of new cyber-actors to get in the game."

Dave Bittner: [00:04:02:15] Predictably, the Chinese government has admonished the Americans in a high-minded way that the US really ought to stop spying.

Dave Bittner: [00:04:11:01] The online publication HackRead is warning that it's received reports that 640,000 PlayStation accounts are for sale in a dark web market. HackRead says the story appears credible, although it's been unable to confirm it. Nonetheless, PlayStation users might well look to their accounts, and credentials.

Dave Bittner: [00:04:30:14] The Apache Struts remote code execution vulnerability is being actively exploited. Enterprises should patch, and patches are available. We heard from Craig Young, Principal Security Researcher with Tripwire, who thinks this is a particularly serious issue, a "trivially exploitable command injection execution" that doesn't require authentication. It's possible for an attacker to create custom payloads quickly to install malware on vulnerable web servers. He suggests deploying Web Application Firewall rules as a temporary mitigation until admins can update Struts.

Dave Bittner: [00:05:06:05] Observers cast doubt on claims that US cyberattacks interfered with North Korean missile test launches. It's not clear that DPRK missile guidance packages have the sort of attack surface envisioned by reports of US hacking.

Dave Bittner: [00:05:20:14] Trend Micro and Interpol have an interesting report on West Africa's cybercriminal underground. The crooks divide essentially into two categories: "Yahoo Boys" - devoted to lonely-hearts, stranded travelers, and advance fee scams - and "Next-Level Cybercriminals" - more sophisticated financial fraud and business email compromise capers. Both groups are adept at social engineering, although the Yahoo Boys do tend to engineer relatively naive marks.

Dave Bittner: [00:05:49:00] The Yahoo Boys, so called for their association with Yahoo email, are much given to trolling social media and concocting implausible stories. The Next-Level Cybercriminals are more likely to be found looking for tools in some hacker forum or black market.

Dave Bittner: [00:06:05:03] Of some interest is the connection with "Sakawa," an emerging religious system in which Internet fraudsters offer sacrifice in atonement to a god of thieves. The sacrifices are held to render the victims of scams more likely to succumb to the ballyhoo. There's also some thought that the sacrifices draw some of the sting of conscience the fraudster might feel from, well, being a crook.

Dave Bittner: [00:06:28:08] So remember, the next time you receive an email from the widow of a Nigerian prince, entreating you to believe that a divine voice advised her to seek you out in her time of trial, remember these things. First, Nigeria is a republic, so, no princes, or princesses, either, alas, lonely ones. Second, there's no good reason to advance someone money to facilitate a bank deposit. Third, that widow? No. It's a Yahoo Boy. And fourth, if any supernatural voice was whispering to your emailer, by all the best authorities it was an Internet god of thieves. Not the sort of divine inspiration you'd want to heed, we think. But that's just us.

Dave Bittner: [00:07:16:07] Time for a moment from our sponsor, Netsparker. You know how to tell a false positive from a real threat? Netsparker does. If it's exploitable, it's real. Netsparker's distinctive automated scans drive out the false positives, save you money and improve security. Their approach is proof based scanning. Netsparker's innovative scanning engine automatically exploits the vulnerabilities that it identifies in websites and presents you with a proof of exploit. You don't need to verify the scanner findings to see if they include false positives. If Netsparker tells you it's bad, trust them, it's bad. Remember, if it's exploitable, then it is definitely not a false positive. Learn more at netsparker.com. But wait, there's more. And we really do mean more. Go to netsparker.com/cyberwire for a free 30 day trial of Netsparker Desktop. It's fully functional. Scan your websites with Netsparker and let them show you how they do it. That's netsparker.com/cyberwire. And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:08:22:00] Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. You know, we've got some stories about SHA-1. SHA-1 has been sunsetted.

Joe Carrigan: [00:08:38:07] Yes, it's been deprecated, that's right. For a number of years, people have been saying don't use it. But it's still in a lot of uses for file verification, for certificate signing things. Google has changed Chrome so that now when you get a SHA-1 signed certificate, it says, this is not secure as it should be, and kudos to Google for being ahead of the curve for that one. Actually, I think it was one of their researchers that recently generated a SHA-1 collision.

Dave Bittner: [00:09:08:14] Let's talk about that.

Joe Carrigan: [00:09:09:24] Hash collisions are a very interesting thing. You have a hashing algorithm, which is an algorithm that you put something into, a string of bytes into, and what you get out is called a hash digest. And it's always the same length, depending on what the hashing algorithm is. It has a few properties, like it shouldn't be easy to be reversed. But one of the other properties is that it shouldn't be easy to generate two hash digests that are identical. MD5 has been broken for a very long time, and it still has uses in forensics, but that's about it. It's not good for storing password hashes. It's not good for anything other than a forensic application. SHA-1 now has entered that realm where it's about the same. It's no longer reliable demonstrably. Theoretically, it's been no longer reliable for a number of years, but now it is demonstrably no longer reliable.

Dave Bittner: [00:10:06:21] I saw that Google said that it would take roughly 110 years of computing from a single GPU to produce the collision. Google's being a little coy with it. They say they're waiting 90 days to say exactly how they did it, which I guess is a good thing.

Joe Carrigan: [00:10:22:19] That gives everybody enough time to stop using SHA-1. I'm going to go out on a limb here and predict that not everybody is going to stop using it.

Dave Bittner: [00:10:32:10] No, and I've spoken to some other experts on the show about people who help organizations track down and replace their uses of SHA-1. And one of the points they made was that if you have a large website or a large installation, you may have instances of SHA-1 spread around that maybe you've lost track of.

Joe Carrigan: [00:10:53:08] It's a configuration management problem as well. It can be a nightmare.

Dave Bittner: [00:10:58:09] Alright, interesting stuff as always. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:11:01:19] My pleasure.

Dave Bittner: [00:11:07:03] Time to take a moment to tell you about our sponsor, Control Risks. If you own cyber security in your organization, let's be honest, you might not sleep easily. If you lie awake thinking about new threats over the horizon, or how to allocate your limited resources, Control Risks can help. It's often impossible to separate threats to your data from geopolitical swings, local regulatory shifts and competitors maneuvering. Without a risk-led approach, how can you be sure all your shiny tools are working? Talk to Control Risks. They treat information security as a business risk, not just a technical problem. For over 40 years, they've helped clients proactively identify and mitigate risk, respond to and recover from disruption and capitalize on opportunities. In short, they bring order to chaos and reassurance to anxiety. Let Control Risks help you spend money where it really counts, protecting what really matters. Find out more at controlrisks.com/cyberwire. That's controlrisks.com/cyberwire. And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:12:22:01] My guest today is Kenneth Geers. He's a Senior Research Scientist with Comodo Threat Research Labs and a NATO Cyber Center ambassador. At this year's RSA conference, he presented Comodo's 2016 global report, what they describe as "a deep dive into new discoveries and detailed analysis of recent malware incidents tied to geopolitical events around the world." We spoke with him about the report and the kinds of insights he gains from the research he does with the kind of data he has at his disposal.

Kenneth Geers: [00:12:52:17] I'm looking right now at about three months worth of data, but it's about three and a half billion rows from every country on the planet. So, believe it or not, Comodo has clients in North Korea. So, every country, every city, every province on the planet. What we can see, if we divide our clients into not only geographic components, but vertical components, so what industry you're in - health care or aerospace, government etc. Really we can see the progression of malware from patient zero throughout the earth. So, for me as an analyst, it's just a dream opportunity to be able to look at so much data and come up with not only a report that is interesting today, but really is potentially of historical interest, because we can see kind of the birth and death of malware.

Kenneth Geers: [00:13:55:04] And not only that, one of the things that I personally specialize in is kind of the geopolitical angle. So I've always looked at attribution issues and data exfiltration categories, for example. I worked at the Pentagon for a long time trying to figure out who's hacking the United States and why. But one of the things I'm doing with Comodo is putting together a kind of strategic think piece type analysis as well. Especially given the 2016 US presidential election, which is widely assumed to be, not hacked directly, let's say, but via information operations in social media, fake news, the weaponization of doxxing, for example, and hacking of political parties, a wide range of things. It really can push an election over the edge, at least in theory, and perhaps in practice. So I'm looking at major events, like elections or invasions. Big business events, mergers, deals, that sort of thing.

Kenneth Geers: [00:15:17:04] But I can see over our whole ecosystem of malware to identify where geopolitical crises are reflected in the network data, because really cyberspace is just a reflection of human affairs. So nothing happens really, even at the tactical level, if you want to go out on a date or go to a movie. That in fact is easily reflected in cyberspace. And it's important to know that even if communications are encrypted, you can still do heavy traffic analysis against anything and surmise what is happening in the real world. But for our report, what we're doing is we're placing things into resolving IP addresses to countries, so that we can see which countries are most affected. And then within those countries we can divide our client base by vertical, so we know in which industry you work. If you're in education, for example. Recently, I looked at a targeted spam campaign, and it all was going to a particular university network space within a particular country. For me, what that meant was that somebody was targeting the intellectuals within that country, and when you have a whole lot of data you can do that kind of analysis.

Kenneth Geers: [00:16:51:04] So this is not just spam, but in fact it's a spam campaign that has malicious links that will take you to compromising and already compromised websites which download malicious code onto your computer. But the recipients of those emails, it wasn't random, it went, in fact, to a targeted group of individuals. But you have to, as an analyst, not just know a little bit about hacking, but kind of follow real world events so that you can marry the two. But that's what we're doing with our 2016 report. We're trying not just to talk about viruses and worms and Trojans, but what they're used for and who potentially the actors are who write this kind of software and the purposes they're using malicious code for, which really is even more important and easier to understand for a lay person. But it can also inform system administrators to this kind of analysis and this angle to help defend your company.

Kenneth Geers: [00:18:02:13] Because if you know for example that you are entering a period of geopolitical uncertainty, or international conflict and tension, for sure, you'll be targeted - that's only normal today. So, for me as an analyst at Comodo working on such a large data set, it's really a joy to be able to have room for a lot of creativity and imagination when putting together a year long report.

Dave Bittner: [00:18:34:20] That's Kenneth Geers from Comodo Group.

Dave Bittner: [00:18:42:04] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. Be sure to check us out on Twitter and Facebook and LinkedIn, and if you have the inclination, we would really appreciate it if you would take the time to leave a review on iTunes. It really does help people find the show.

Dave Bittner: [00:19:09:15] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe, and I'm Dave Bittner. Have a great weekend, everybody. Thanks for listening.