A look back at Patch Tuesday. Classic games on Android serve malware. Cryptocurrency speculation. Info ops updates. Phony hitmen. Guilty pleas in Mirai case.

Dave Bittner: [00:00:00:09] Thanks again to all of our supporters on Patreon. You can find out more at patreon.com/thecyberwire.

Dave Bittner: [00:00:09:08] 2017's last Patch Tuesday has come and gone. Android gamers beware of malware-serving classic games. Cryptocurrency speculative fever is still rising – not even DDoS or overtaxed exchanges put a damper on it. More unwelcome miners are using the unwary and unwitting to pull Monero out of streaming video services. Ransomware extortionists are finding Bitcoin prices sometimes rise too fast for comfort. False hit-man spam, a Russian hacking defendant, in Russia, says Putin made him do it, and there's some guilty pleas in the Mirai case.

Dave Bittner: [00:00:48:13] Time for a message from the good folks over at Recorded Future. Recorded Future is the real-time threat intelligence company, who's patented technology continuously analyzes the entire Web, to develop information security intelligence that gives analysts unmatched insight into emerging threats. And, when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us we're confident it can help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:46:23] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, December 13th, 2017.

Dave Bittner: [00:01:56:17] Yesterday was Patch Tuesday, the last one of 2017. Flash issued its traditional monthly fix for Flash Player. Microsoft pushed out a number of fixes – 20 "critical"; 12 "important" – which observers are calling a relatively light update. As always, patching is vital to digital hygiene, so take a look, and listen to your sys-admins.

Dave Bittner: [00:02:19:04] Those of you who play classic games on your Android device: Tank and Bomber, Battle City: Super Tank, Retro Brick Game, Classic Bomber, and so on, beware! Appthority has found an infestation of malicious code appearing as a payload inbound from the Golduck server.

Dave Bittner: [00:02:36:16] The cryptocurrency inflationary bubble continues apace. DDoS attacks against Bitfinex have been impeding Bitcoin trading this week, and rival currencies, Litecoin and Ether, are absorbing some of the speculative pressure that's seeking an outlet. The Ethereum trading exchange Coinbase may also be under denial-of-service attack, or it may just be clogged by traders. It's difficult to tell. Coinbase's CEO, Brian Armstrong, warned speculators not to expect to be able to trade on Coinbase during busy periods, and indeed it appears that heavy usage is what's bogging down the site. It's a popular service; the Coinbase app has recently been among the top free downloads available online.

Dave Bittner: [00:03:20:01] Bitcoin has been extraordinarily popular among individual speculators in Asia, millions of whom have taken a flier on the cryptocurrency. South Korea has displaced Japan and China as what the Wall Street Journal calls "the latest hot spot". Some deny that this is a classic bubble, but it certainly looks like one. Most observers think a correction is inevitable. It would seem to be, on the grounds of the high-electrical power consumption being drawn by Bitcoin miners and other panners for crypto gold, and not a few of them think that correction is likelier to be a hard than a soft landing.

Dave Bittner: [00:03:54:16] When ordinary people without the resources to follow or perhaps even understand a market jump into speculation, and when they're wagering their savings on the promise of big, big returns, well, as Ars Technica writer Timothy B Lee notes, the current wave of speculators is less sophisticated than those that drove earlier Bitcoin booms in 2011 and 2013. As Lee puts it, "The market is starting to feel like the final month of the dot-com boom, where people started getting tech stock tips from their taxi drivers."

Dave Bittner: [00:04:27:00] With all that money in play, criminal interest in cryptocurrency remains high. Security researchers at AdGuard have noticed that popular video-streaming sites have been using visitors' devices surreptitiously to mine Monero. That this mining is done without the user's permission or even knowledge is obvious. The affected sites are: Openload, Streamango, Rapidvideo, and OnlineVideoConverter. Almost a billion users are thought to be affected each month.

Dave Bittner: [00:04:55:13] But spare a thought for the poor crooks who are pricing their ransomware extortion in Bitcoin. One way an institutional victim, like, say, Mecklenburg County, North Carolina, is going to look at a ransomware attack is as a cost-benefit proposition. They might – might – consider paying, if the cost isn't too high. Mecklenburg County told its extortionists, forget about it, and has simply bitten the bullet and gone about restoring its systems without paying. But if the ransom isn't too high, some might well pay. That's become harder. If you ask for some number X of Bitcoin, and by the time the deadline you gave the victim expires, three or four days are common enough deadlines, they'll find that Bitcoin has risen by 25%, or 50%, or 100%. Sometimes it's not easy being a criminal.

Dave Bittner: [00:05:45:21] Some poor crooks don't even deserve a thought. We're thinking of the outrageous creeps who've begun emailing people saying essentially, "I'm a hit man and your life is in danger," because "your activity causes trouble to a particular person," and said person has hired me to kill you. But because of the sender's sincere concern for the recipient's life, he'll cancel the contract and tell who ordered you whacked if you pay him 0.5 Bitcoin. If you get such an email, don't worry, don't pay, mark it as junk, and move on.

Dave Bittner: [00:06:18:23] Finding qualified candidates to fill available positions remains a challenge in our industry, and some companies are taking a different approach to getting talent up to speed, steering away from traditional certifications and degree programs. Point3 Security is one of those companies, and they think they've found a better way to prepare the next generation of cyber security professionals. Evan Dornbush is founder of Point3.

Evan Dornbush: [00:06:43:11] I think, when we train for cyber security positions, or we teach cyber security, we're emphasizing the wrong thing. In America you have this Victorian era style teaching model? rows and rows of students, memorizing things from canned PowerPoints, canned lectures, multi-choice tests. At the end of the day that doesn't really benefit anyone. So the way we approach cyber security, we're returning to – almost like Medieval Ages – a craft. We do Journeyman, Master, Apprenticeship models, teaching the craft: all hands on puzzles, no lectures, no multiple choice tests, no PowerPoints. Full immersion into the culture. I think that's important. I think that matters. I think the results speak for themselves.

Dave Bittner: [00:07:29:07] I think there's a certain amount, particularly from the hiring side of things, there's a certain amount of gatekeeping that goes on, with certifications and college degrees, and so forth, for people to even get by a certain level of being considered for jobs. You have to have things that can be checked off on check boxes.

Evan Dornbush: [00:07:44:16] Yeah, I agree. I think, again, that's part of the problem, and that's part of what we're trying to change. I agree with you, Dave, you're getting a huge disconnect between how human resources really solicits for talent. What we have done, in our training program, is demonstrate that on-hands skills are more relevant, and more meaningful, more impactful to the end employer than a particular certification that's based on knowledge; memorizing a couple of definitions here and there for a test, or in many cases a degree.

Dave Bittner: [00:08:15:09] What is the approach that you all use?

Evan Dornbush: [00:08:19:19] What we do is we fully immerse our students into cyber security culture. So, all hands-on puzzles. We run students through thinks like buffer overflows, using ASLR defeats, and DEP defeats, vulnerability research, exploit development, reverse engineering, malware analysis. I think there's a conventional wisdom that you have to start answering the phone in customer support, and then proceed to help-desk, and then proceed to sys-admin, and then become a programmer, and then become a cyber security person. That doesn't make sense. I don't think that's realistic, and I don't think that's where the talent actually lies.

Dave Bittner: [00:09:04:13] How does this compare to traditional education systems? They have things like capture the flag programs.

Evan Dornbush: [00:09:11:13] Our course is very capture the flag driven. Almost everything is a flag to be grabbed. We have an expression that we use that says, cyber security is really no different from going to the gym; very few people want to invest the time to lift the heavy thing up and down, lots and lots of times, but everybody wants the muscles. Cyber security's no different. You have to invest in yourself. You have to take time. You have to struggle. That's part of the growth process. I think the problem with traditional education is time constraints. Oh, we didn't get the answer before lunch, so I'm just going to tell you the answer was 18, and let's go lunch. When we come back we'll start a new subject. That doesn't help. It might feel good. You might feel like, oh yeah, I could have figured that out. But you didn't figure that out, therefore you're more likely to not retain that information, not be able to reach that solution.

Dave Bittner: [00:10:02:19] That's Evan Dornbush from Point3 Security.

Dave Bittner: [00:10:07:04] Russia's been facing a wave of what the Moscow Times is calling "telephone terrorism cyber attacks". They're essentially bomb threats. Russian authorities say they've caused two million people to be evacuated since September, and that the threats originate in Syria.

Dave Bittner: [00:10:22:07] Facebook finds three more Russian-purchased ads related to information operations surrounding the Brexit vote. That's not too many, and Facebook has looked only for ads paid for by the Internet Research Agency, the now famous St Petersburg troll farm. Google has also looked, and says it found nothing. Investigation proceeds.

Dave Bittner: [00:10:42:11] A Russian defendant in a Russian court, one of the members of the "Lurk" hacking crew, is said to have claimed President Putin ordered him to hack the US Democratic National Committee. But both the court and the news source are Russian, and this particular informational matryoshka should be reviewed with appropriate skepticism until more is known. The Times of London reports that the accused hacker, Konstantin Kozlovsky may well have other axes to grind. Their expert on Russian intelligence services, Andrei Soldatov thinks that if Kozlovsky were legitimately illegitimate, if he really were under Mr Putin's orders, he'd have been able to provide more technical details than he has. As it is, it's a bold assertion. Soldatov thinks it likelier that Kozlovsky is just honked off about being prosecuted for Lurk, and is maybe looking for some kind of deal. This of course doesn't mean that Mr Putin isn't involved, just that we haven't seen the other dolls inside the matryoshka.

Dave Bittner: [00:11:43:20] An interesting development in the Mirai case. As has long been believed, it was the work of a couple of guys in Pennsylvania and New Jersey. Both entered a guilty plea to Federal charges involving writing and using the DDoS code this week. The knuckleheads in question, Mr Paras Jha, 21, of Fanwood, New Jersey, and Mr Josiah White, 20, of Washington, Pennsylvania, are co-founders of Protraf Solutions LLC, specializing in DDoS mitigation. Krebs says, that's like a firefighter committing arson so he can get paid to put out the fire, and that's not a bad analogy. Mr Jha has also copped a guilty plea to New Jersey state charges. What are they teaching kids at Rutgers these days?

Dave Bittner: [00:12:32:16] Now I'd like to share a message from our sponsor, Nehemiah Security. Fellow cyber security leaders, when your CEO asks department heads for a status update, do you envy your colleagues like the VP of Sales, or CFO, who only have to pull a report from a single system? Instead of deploying a team of people to check multiple systems and then waiting for them to report back, do you wish you had a single place to get the information you need to communicate with the CEO? Nehemiah Security is here to put that power in the hands of the cyber security leader. It's time for a quick solution that allows you to go to one place to get the security information you need quickly, and in business terms your CEO can understand. Nehemiah Security gives cyber security leaders the ability to report cyber risk, in terms of dollars and cents. Visit nehemiahsecurity.com to learn more, and get a free customized demo, just for CyberWire listeners. Visit nehemiahsecurity.com today. We thank Nehemiah Security for sponsoring our show.

Dave Bittner: [00:13:42:14] I'm pleased to be joined once again by Robert M Lee. He's the CEO at Dragos. We've been going through some of the risk factors, when it comes to different ICS categories, and today I wanted to touch on water; an important one.

Robert M Lee: [00:13:58:06] Absolutely. When we're talking about any industry it's always good to note that there are some very, very small players, and there's some very considerable sized players in that community as well. When most people think of water resources they're thinking water distribution and waste water treatment, basically, how do I get water? And how do I keep it clean? There's a lot more to it than that, but that usually comes to the forefront of folk's minds. In those environments, there's historically been a very good safety culture, especially when you start dealing with things like chlorine and other chemicals, to make sure that they test, even outside of any cyber mechanisms. One wastewater treatment facility had routine schedule, 24/7, where multiple people are actually testing samples of the water, and making sure that there's not an overloading of chemicals, or anything like that.

Robert M Lee: [00:14:56:15] So, even if a hacker got on and dumped chlorine into the tanks they would notice. That's the good side. The bad side is that the water industry, by far, is one of the least invested into industries. There's a lot of reasons for this. I don't mean by their own community. I don't want to downplay the work that's been done there. But, when you think of the infrastructures that get national attention and grant money, and the security industry going after their budgets and all of the research, you're usually thinking about electric systems, maybe manufacturing, but water isn't one of those ones that generally comes to the forefront, at least not for a lot of us players. They talk about it, but they don't have the staff. In many water facilities there might be an IT guy, who is supposed to do IT, as well as security, and he mows the lawn on Fridays. It's very, very resource tapped.

Robert M Lee: [00:15:50:19] For that reason, and the lack of complexity in the water systems, compared to many other systems, there are some particularly damaging scenarios that you could think about. As an example, when I try to balance how attacks would occur, there's usually three variables that I measure, or think about. One is the complexity of the overall system. With the electric power grid you have redundant lines, you have redundant routes. In Baltimore there's a substation connected to a substation in DC, let alone different parts of the country. There's interconnects. There's a lot of complexity in that system. If you can even measure the security investment is adding to that complexity for the adversary. The second one is, what do you actually want to achieve, the impact? Is the impact, you want to have a disruption for an hour? Potentially, physical disruption will lead to disruption for a week.

Robert M Lee: [00:16:43:10] Then the third one is really that scale. Like, am I talking about one site? Am I talking about all across the United States? So when we look at water, it's still a complex system, and the control system environments are still fantastic, but it's not as complex as an electric grid, or one of the larger infrastructures. The ability for an attacker to go in and identify and learn the environment, and do something malicious to it, is not as significant a bar as we'd want. So we do have to add complexity to that challenge to them, by investing in the right security, you address the right threat landscape. That being said, there is also the hilarious reality that there's a lot of tribal knowledge that occurs on how certain plants are run and operated. And, sometimes if you just follow the spec, and you follow the engineering guide, you design an attack off that – it's actually not what's fully-implemented and that can lead to unintended complexity for the adversary, which means they might do something expecting an outcome, and not achieve that outcome at all.

Robert M Lee: [00:17:42:06] So, in short, when I think of the industries that I wish was able to have more investment into it, water is at the top of the list for me, in terms of needing some attention, and also understand what those unique water targeting threats look like, because we're not doing a lot of discovery there. But, as always, I try to balance it with the fact that, yes, we do have really good engineers and talent, but I would say we are becoming more interconnected, or becoming more homogeneous in nature. And the natural complexity of the problem, that benefits defenders, is not so substantial in water to lean on. So we have definitely got to do more.

Dave Bittner: [00:18:13:22] Robert M Lee, thanks for joining us.

Dave Bittner: [00:18:18:10] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using artificial intelligence, check out cylance.com.

Dave Bittner: [00:18:31:08] The CyberWire podcast is proudly produced in Maryland, out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:18:41:11] Our show is produced by Pratt Street Media. Our editor is John Petrik. Social Media Editor is Jennifer Eiben. Technical Editor is Chris Russell. Executive Editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.