CyberWire Daily - Daily: Blockchains and their uses. Pirrit adware attribution. Avast buys AVG for $1.3B.

Episode Date: July 7, 2016

In today's podcast we hear about Cymmetria's discovery of a major threat actor in South Asia, Patchwork, which assembles attack code by cutting and pasting from the Internet. HummingBad adware infests... Android, and Pirrit (affecting Macs) is attributed to a marketer. D-Link routers may be vulnerable to remote-code execution. Google patches more than 100 Android issues. Symantec works on AV product problems. Avast buys AVG. Blockchain's potential. Cyber workforce development. FBI offers explanations to the House. Cyber crooks go after freelancers. Jonathan Katz explains the many uses for blockchain crypto technology, and Chris Key from Verodin has some advice for those entering the cybersecurity workforce.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:00:59 and effective without being advanced. New adware called Pirrit is attributed to a marketing company's employee,
Starting point is 00:02:06 and security experts worry that HummingBad has potential that goes far beyond click fraud. D-Link routers are found vulnerable to remote code execution. Google patches more than 100 Android issues. US-CERT warns as Symantec fixes bugs in some AV products. Avast buys AVG. Blockchain's potential goes beyond Bitcoin. Thoughts on cyber workforce development. FBI Director Comey testifies before the House about why the Bureau wouldn't recommend indicting Hillary Clinton, and defense attorneys are paying close and creative attention.
Starting point is 00:02:36 And cyber criminals hit the gig economy. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, July 7, 2016. A newly described threat group, which Cymmetria is calling Patchwork, is active in South and Southwest Asia. Patchwork is interesting for at least two reasons. First, and it's this that gives it its name, the group uses attack code that appears to be assembled entirely from components cut and pasted from various sources on the internet. And second, even with its patchwork code, the threat group has proven able to penetrate relatively hard targets. Cymmetria's report says that Patchwork activity was first detected in December 2015. There are indirect indications of activity as
Starting point is 00:03:25 far back as 2014. The campaign, Cymmetria says, seems to, quote, focus on personnel working on military and political assignments, and specifically those working on issues relating to Southeast Asia and the South China Sea. Many of the targets were governments and government-related organizations, end quote. These highly targeted attacks are, unsurprisingly, initiated by spear phishing, and their goal is espionage. The researchers specifically declined to attribute the attack to anyone, but they do suggest that circumstantial evidence points, in their view, to India. They also point out that the evidence is sufficiently circumstantial
Starting point is 00:04:01 that it's also consistent with a false flag operation by another actor. The combination of operational success and low technical ability, as Cymmetria's report puts it, is curious. It's also why writers at the SANS Internet Storm Center sniff at the notion that this threat, persistent though it might be, could be fairly called an advanced persistent threat. It also provides an object lesson in how the internet itself can serve as an effective R&D shop for attackers, making available commodity malware that the clever, determined, and ill-intentioned can turn to their advantage. We heard yesterday about the marketing company Yingmob and its alleged connection to the HummingBad adware
Starting point is 00:04:41 campaign that amounts to an Android pandemic. Today, another strain of adware, Pirrit, which targets Macs, is attributed to another marketing outfit. Cybereason says that an employee of Israeli marketing firm TargetingEdge is responsible for writing Pirrit. Pirrit, by the way, in this case is P-I-R-R-I-T. Adware is problematic and damaging even when used just for click fraud. HummingBad has observers spooked because of the root access it achieves and therefore the ease with which it could be converted to a DDoSing botnet or an espionage campaign.
Starting point is 00:05:17 Researchers at Senrio have released details describing a flaw in popular D-Link routers. Some 400,000 devices are thought to be vulnerable. D-Link is rolling out fixes through its website. Google is also patching. It's issued fixes for more than 100 issues in Android components and chipset-specific drivers from different manufacturers, according to CSO. Some of those components are from Qualcomm, and The Register thinks the patches being pushed for those are likely to be connected with issues demonstrated last week in Qualcomm's KeyMaster crypto. They speculate that the big problem, an understated problem, may be with Android full-disk encryption. Symantec is in the process of closing security holes in some of its AV products.
Starting point is 00:06:01 U.S. CERT has issued a warning to users, advising them strongly to apply the patches as they become available. We're five days away from Patch Tuesday proper, but Microsoft has offered additional information on how to fix the group policy issues its June patches presented users. Redmond says, quote, the official guidance from Microsoft is to ensure the computer accounts have read access to the user policies you wish to have applied, end quote. And the company has gone on to explain to sysadmins the various ways in which they can accomplish this. In industry news, Prague-based Avast is buying Amsterdam-based AVG for a cool $1.3 billion. The acquisition is seen as giving Avast greater
Starting point is 00:06:43 geographic reach. It's also seen as an Internet of Things play. And in private equity news, container security shop Twistlock has secured a $10 million funding round. Gatecoin, a Hong Kong Bitcoin exchange, is reported by DealStreetAsia to have raised $500,000 in equity funding as it recovers from a hacking incident. $500,000 in equity funding as it recovers from a hacking incident. We often hear of Bitcoin and other cryptocurrencies in the context of attacks and investigations of money laundering. It's perhaps therefore worth mentioning that there's nothing inherently nefarious about either Bitcoin or its underlying blockchain technology. The blockchain indeed is finding increased acceptance and utility in other applications,
Starting point is 00:07:24 and Bitcoin seems no more susceptible to misuse than other more familiar forms of money. Jonathan Katz, one of our research partners at the University of Maryland, told us about a Bitcoin-themed conference he recently attended, and he outlined where and why blockchain technology is finding new uses outside cryptocurrency itself. We'll hear from him after the break. Over the summer, many colleges and universities offer cyber camps designed to prepare students for careers in security. U.S. Cyber Challenge, for example, will open its annual Delaware Summer Cyber Camp program in collaboration with four academic and one state government partner next
Starting point is 00:08:00 week. Such efforts aim at redressing the familiar shortage of qualified workers in the field. Companies, of course, have their own roles to play in bringing young workers on board. We spoke with Veriden's Chris Key, who shared some insights on how you can prepare recent graduates for jobs in cybersecurity. There's a lot of people wanting to come into the cyber world. Obviously, we have a lot of open positions to really a crisis point. And when we're assessing people and also just interacting with customers, I think one of the largest gaps that I see are defenders that don't really understand attacker behavior. What I've seen in some of the recent grads is maybe they've got experience with tools from labs and things like that, but they really don't necessarily understand the behaviors of the
Starting point is 00:08:45 people that they're trying to defend against. There's an over-reliance on these tools to effectively spell out for them what's going on and to pop up and say, hey, you know, you're being owned. And the reality is that it doesn't really work that way. Chris Key says that once graduates enter the workforce, ongoing training is crucial and it needs to include realistic, real-world scenarios. Regardless of the university training or the certification training or the job experience, I think one thing that's critically important is to make sure that security teams are testing and training in their live environments that they're defending against. Because even if you understand what an attack pattern looks like, let's say, with snort from testing, that doesn't mean that's how it's going to show up with the tools that
Starting point is 00:09:30 are deployed in the company that you ultimately end up working for. And so it's critically important to, you know, just as sports teams are constantly training or even militaries are constantly wargaming, you know, our defenders, after they get out of school and they get hired, need to be constantly being challenged in the environments that they're in from both the training and experience point of view. And it's not just training. According to Key, employees need a clear pathway for professional growth. Even if we're starting to fill those positions,
Starting point is 00:09:59 I think that the companies have to have an ongoing training program and also be willing to improve that employee standing because the challenge that a lot of organizations have is hiring somebody, training them up, and then them just leaving for another job. And so I think that you really have to, specifically in cyber right now, have a program to say, okay, we're going to bring you in, we're going to keep making you better, and here's the path within the company that you can take. And look at your cyber team as a team that needs to be continuously getting better. That's Chris Key from Verodin. In the U.S., FBI Director Comey is explaining to the House Oversight Committee the Bureau's decision not to recommend indictment of former Secretary of State Clinton for mishandling classified information.
Starting point is 00:10:45 It's generally expected that Director Comey will be fluent and persuasive. Absent indictment, however, the case is thought by many observers likely to have two effects. It may be difficult for some of the former Secretary's close aides to obtain or retain security clearances, and defense attorneys representing defendants in other security cases are already preparing there are no reasonable prosecutor would indict defenses. Finally, do you work in the gig economy? If you do, be on your guard. Kaspersky says cyber criminals are phishing freelancers with bogus promises of work
Starting point is 00:11:17 that take the victims to the legitimate AirDroid app, then send them credentials for a test account. Taking the login bait infects the freelancer's device. So if you see that bait, don't bite. And if you've already bitten, get help spitting out that hook. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:11:54 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, Thank you. Security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Thank you. And I'm joined once again by Jonathan Katz.
Starting point is 00:13:30 He's a professor of computer science at the University of Maryland and head of the Maryland Cyber Security Center. Jonathan, you recently attended a conference that was related to Bitcoin and blockchain technology. First of all, why don't you give us an overview of what is blockchain?
Starting point is 00:13:46 So blockchain is basically a distributed mechanism that allows people to keep a global history of all the transactions in the system. And in this case, we're talking about Bitcoin. So this basically allows everybody to keep a global view of exactly how many Bitcoins correspond to each person or each address, and then to keep a view also
Starting point is 00:14:05 of when those Bitcoins are spent and who's transferring them to whom. And so what were the topics covered at this conference? What kind of things were they talking about? Well, it was actually meant, it was a summer school, and it was intended actually to get people up to speed on Bitcoin itself, as well as current research in Bitcoin. It was quite popular, actually. In the end, they had to turn people away. There were a lot of students there, some faculty,
Starting point is 00:14:31 but also, interestingly, a lot of people from startups, a lot of interest in developing startups related to or around Bitcoin, and many of those were there as well. And what's interesting is that even with the popularity of Bitcoin, there are still so many things that are either poorly understood or things that we'd like to do better on if we could develop a next generation of Bitcoin. So people were looking at things like what level of anonymity Bitcoin provides and how to ensure better anonymity or to develop systems with better anonymity.
Starting point is 00:15:01 And on the flip side, to come up with tools that allow government officials or legal officials to trace transactions and make sure that they can prevent fraudulent transactions or illegal transactions on the blockchain. Other things people were looking at were things like getting better mining protocols that aren't so wasteful in terms of the energy that they're using and also developing proofs of security for the Bitcoin protocol itself. So what were some of the areas beyond cryptocurrency where people are interested in applying blockchain technology?
Starting point is 00:15:35 Well, actually, people have suggested it for a number of other things since it took off for Bitcoin. I think one of the ideas that I've seen is to use it as a mechanism for registering public keys. You can imagine using this as a next-generation version of a PKI, where rather than having to rely on some central authority to validate the binding between a public key and an identity, what you could do is you could just publish the binding between your identity and your public key on the blockchain, and then that would serve as a global irrefutable proof of the fact that that's your public key. So there's still lots of ideas in this space for potential applications of the blockchain. All right, Jonathan Katz, thanks for joining us.
Starting point is 00:16:18 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire.
Starting point is 00:17:05 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical. Thank you. measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
