CyberWire Daily - Daily: Hackers said to "probe" US voting systems. IoT botnet source code released. "DressCode" malware afflicts Android devices. Industry notes. SEC urged to make an example of Yahoo!

Episode Date: October 3, 2016

In today's podcast, we hear about Homeland Security's warnings that state election systems are being probed by potential attackers. Newsweek speculates that a brief DDoS attack it sustained was election-related (they also suspect the Russians—no bear named yet). Mirai source code used in the large KrebsOnSecurity DDoS has been published in a hacker forum. The University of Maryland's Jonathan Katz explains why asymmetric encryption is so attractive for ransomware. DressCode malware found in 3,000 Trojanized apps. SEC may investigate Yahoo! breach.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:56 Homeland Security warns states to be on their guard against election hacking. Newsweek speculates that a brief DDoS attack it sustained was election-related. Mirai source code used in the large KrebsOnSecurity DDoS has been published in a hacker forum. DressCode malware found in 3,000 Trojanized apps. And the SEC may investigate the Yahoo breach. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, October 3, 2016. The U.S. Department of Homeland Security is still warning the states of the likelihood that hackers will take an interest in next month's elections. Speculation in the media tends to the view that these hackers are acting on behalf of the Russian government. Newsweek sustained a distributed denial-of-service attack that took its site down for a few hours Thursday.
Starting point is 00:02:50 The reporter who wrote an article unfavorable to U.S. presidential candidate Trump thinks it was done to silence him and said there were a lot of Russian IP addresses involved in the attack. Odds are there would be a lot of Russian IP addresses in a lot of DDoS attacks, but in any event, opposing presidential candidate Clinton is far from flavor of the month in the Russian Twitterverse, so perhaps there's something to the speculation. Investigation into the more serious DDoS attack of the week before last, the one that took down KrebsOnSecurity, may be getting closer to the culprits. Someone using the handle Anna-senpai has dumped the IoT bot-herding source code into the criminal market Hackforums, Krebs reports.
Starting point is 00:03:33 The code is named Mirai. Such dumps are often a sign that a cyber criminal is beginning to feel some heat or is at least moved to some caution. As Krebs puts it, quote, publishing the code online for all to see and download ensures that the code's original authors aren't the only ones found possessing it if and when the authorities come knocking with search warrants. More serpents have made their way into Google's Play Store garden. On Friday, Trend Micro found about 3,000 Trojanized apps carrying the
Starting point is 00:04:01 DressCode malware in the wild; some 400 had made their way into the Play Store. Some, like a purported Minecraft version of Grand Theft Auto, are unlikely to draw enterprise users, but DressCode hides not only in games, but, according to Trend Micro, in user interface themes and phone optimization boosters. The principal threat DressCode poses to enterprises is the ability to gain access through an infected phone and then move laterally to more sensitive precincts of a network. Researchers at Princeton University, Karlstad University, and KTH Royal Institute of Technology demonstrate two proof-of-concept correlation attacks.
Starting point is 00:04:40 They're calling them DefecTor, and they could, in principle, de-anonymize Tor users. DefecTor is unlikely to appear in the wild, the researchers say. First, the attacks require considerable engineering resources, and second, Tor is expected to upgrade soon to foreclose the possibility of this sort of de-anonymization. Ransomware, of course, remains with us, as Kaspersky researchers identify the growing popularity of Remote Desktop Protocol exploits against targets in Brazil. Stolen or weak credentials place users at risk. The Yahoo breach may become the subject of a U.S. Securities and Exchange Commission investigation, at least if some senators have their way.
Starting point is 00:05:21 Breach disclosure rules the SEC promulgated in 2011 have been regarded by many as vague. There's some sentiment in the Senate that Yahoo may afford the SEC the test case it needs to firm those rules up. The SEC has yet to bring an enforcement action for failure to disclose a breach. In this, their colleagues in the Federal Trade Commission are clearly the hot pencil. The FTC has brought 60 successful data security actions since 2001. But there's some government ambivalence showing. Commerce Secretary Pritzker last week cautioned against blaming the victim in hacking cases. How the Yahoo breach will affect Verizon's planned acquisition of Yahoo's core assets remains to be seen. There's a dust-up between two notorious purveyors of stolen data.
Starting point is 00:06:07 Peace, best known for the MySpace hack and for claiming to have millions of Yahoo credentials available to sell, although not, investigators stress, the half billion stolen in the theft that's roiling Yahoo, Verizon, their customers, and their shareholders, is at war with Worm, who trades mainly in data taken from news agencies. Peace defaced Worm's site on the grounds that Worm is a bad guy who's done Peace some unspecified wrong and who's messed with the Hell Forum, a dark web market with a contentious, turbulent history.
Starting point is 00:06:39 So, in the case of Peace vs. Worm, it's in the interest of the civilized world that both sides should lose. The Shadow Brokers resurfaced Saturday, miffed that no one is taking their auction of Equation Group tools seriously. Here's a sample of what they have to say. Quote, Hello world, the Shadow Brokers is sending message number two weeks but media no make big story. The Shadow Brokers is calling this message, message number three. The Shadow Brokers is realizing peoples is not thinking auction is being real, end quote. We'll stop at this point because the diction swiftly becomes lurid and demotic in ways
Starting point is 00:07:17 unsuitable for a family show, but you get the syntactic and semantic drift. Observers continue to draw attention to the Shadow Brokers' implausibly broken English. Motherboard calls it Borat-like, and we've been reminded of F Troop's Hekawi. But with Saturday's emission, it hit us. The Shadow Brokers are the male crocodiles from Stephan Pastis' comic strip Pearls Before Swine. Think about it if you're not too hip to read the Sunday funnies in their dead-tree edition. Anyway, we think the answer to the question posed by message number three, it comes after message number two for make benefit those of us who might be slow on the uptake, would be no, the peoples
Starting point is 00:07:57 is not thinking auction is being real. The auction, if you're keeping score at home, is still stuck at 1.76 Bitcoin, or roughly $1,082. A bit south of the $1 million the Shadow Brokers is being asking the peoples to be opening the bidding on. Sorry, we hate it when we get infected with Broker-diction.
Starting point is 00:09:41 Jonathan Katz joins me. He's a professor of computer science at the University of Maryland and director of the Maryland Cybersecurity Center. Jonathan, I saw an article recently in SC Magazine, and they were talking about ransomware criminals who are increasing their use of asymmetric encryption.
Starting point is 00:10:31 Can you help us understand what's the difference between symmetric and asymmetric encryption? Sure. So symmetric encryption is kind of what has been used historically for cryptography. And in such an encryption scheme, you have a single key that's used by both the sender and receiver. So the sender will use the key to encrypt a plaintext and get a ciphertext, and the receiver will use that same key to decrypt the ciphertext and recover the plaintext. And in contrast, asymmetric encryption is what was invented in the 1970s and
Starting point is 00:11:00 has become a lot more prevalent today, where you have different keys used for encryption and decryption. So you have a public key, which is used by the sender to encrypt, and then a private key, which is used by the receiver to decrypt. And what's fundamentally different about public key encryption and what makes it so useful is that you can have many different senders all communicating with this receiver because the public key, as the name suggests, can be public. So anybody can encrypt a message using this publicly available public key, but only the receiver who has the corresponding private key will be able to decrypt.
Starting point is 00:11:38 And so how is combining these two techniques an attractive thing for ransomware criminals? Well, first of all, ransomware criminals are using public key encryption because it exactly exploits this asymmetry. So what they'll do is they'll put the malware on your computer and then encrypt your files using the public encryption key in such a way that only the writer of the ransomware will have the corresponding private key and be able to decrypt. And then, of course, they ask you for money in order to be able to decrypt. Now, what's interesting is that you can combine public key asymmetric techniques and symmetric key encryption to kind of get the best of both worlds and to get the functionality of asymmetric encryption with the efficiency of symmetric key encryption. And what you do is simply use the asymmetric encryption to encrypt a short key and then use that key in a symmetric key encryption scheme to encrypt the long data, the files, or what have you. So this is really giving the ransomware writers, unfortunately, the best of both because they're able to very efficiently encrypt your files and then force you to pay them in order to recover them.
Starting point is 00:12:37 All right. Clever bad guys. Jonathan Katz, thanks for joining us. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
