CyberWire Daily - Daily: Naming & shaming Iran's hackers? Palo Alto spots "Digital Quartermaster." Team Apple bigger than Team DoJ.

Episode Date: March 15, 2016

Daily: Naming & shaming Iran's hackers? Palo Alto spots "Digital Quartermaster." Team Apple bigger than Team DoJ. Plus, Jonathan Katz from the Maryland Cyber Security Center responds to Richard Clarke's NPR interview. Are claims of NSA's capabilities grounded in reality?

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:56 That indictment of Iranian hackers? It's still coming and expected to send a naming and shaming message to Iran. OnionDog still looks like a North Korean threat actor. Palo Alto thinks it spotted the long-suspected, much-looked-for digital quartermaster. The Department of Justice has the president on its side in the dispute with Apple, but that looks like about it. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, March 15, 2016. The U.S. government is said to be winding up an indictment of Iranian hackers.
Starting point is 00:02:43 The Department of Justice is expected to charge Iranian cyber operators with intrusions during 2013 into networks controlling that now-famous small flood control dam in Rye, New York. The indictment is said to represent the U.S. administration's way of sending a message to Tehran. Should the indictments appear as expected, they will be the first charges the U.S. Department of Justice has brought against a foreign government cyber operator since 2014, when it indicted six People's Liberation Army officers for hacking U.S. industrial networks. Observers call this the latest round in the U.S. administration's name-and-shame policy, and they will watch with interest for signs that this policy might be working. The New York congressional delegation, especially in the form of Senator Schumer,
Starting point is 00:03:20 appears to be front-running the attribution and calling for a vigorous response. Schumer calls the alleged Iranian probe of the dam's network a shot across our bow and says it should warrant tough sanctions against Iran. Chinese security firm Qihoo 360 has been tracking threat actor OnionDog's activities. The hackers have been active in Korean-speaking enterprises. Read that specifically as South Korean enterprises. North Korean resentment aside, speculation about who's behind the OnionDog threat group and its attacks on South Korean targets is largely directed toward, obviously, North Korea. Palo Alto's Unit 42 is reporting on the digital quartermaster phenomenon, which it perceives as an ongoing campaign against Mongolian government sites. A digital quartermaster is a conjectured support service
Starting point is 00:04:07 that maintains attack tools used in a range of cyber campaigns. The notion of a digital quartermaster is, Palo Alto notes, a relatively old one that's been discussed within the U.S. intelligence community for some time. In this case, Palo Alto thinks it's found persuasive evidence that a digital quartermaster is enabling a current campaign against Mongolian government websites. The campaign, which targets Russian-speaking operators through a variety of attack vectors, is using a common set of tools that credibly point to a single group of developers. Those tools include, most prominently, the CMSTAR downloader and the BBSRAT Trojan. Unit 42 thinks the attack traffic's geolocation suggests the hackers are located in China, but stops short of attributing the campaign
Starting point is 00:04:50 to the Chinese government. Palo Alto concludes, quote, while there may be multiple operations groups, a digital quartermaster may be the one supplying and maintaining the tools used, end quote. New sophisticated ransomware that's hitting targets in the U.S. and elsewhere is using tactics and tools previously associated with Chinese government-supported computer network intrusions. Specifically, researchers are seeing some advanced techniques for entry into and lateral movement around networks. They're also seeing intrusion management software they associate with state-directed operations. Staminus, which offers Internet hosting optimized for DDoS protection, continues its recovery from an attack it sustained over the weekend. The attacker's motivation initially appeared to have been objection to some Staminus clients, but the
Starting point is 00:05:54 crowing over their ability to get in and their arguably smug offer of security tips suggests that coup counting and lulz may have also been goals as important as slacktivist opposition to the KKK. As is so often the case, motives are probably overdetermined. The crypto wars continue unabated in the U.S., with the Department of Justice occupying what seems to be an increasingly lonely position. President Obama, at least, is on the DOJ's side. He sought to frame the department's position as a sensible, public-spirited one during his remarks at South by Southwest, but the president seems to have found few takers. Most of the industry people who listened weren't convinced.
Starting point is 00:06:32 The Defense Department, of course, as it's continued to woo Silicon Valley for help with its cyber missions, has offered essentially no support to the FBI position the Justice Department is advocating. Most of the former senior intelligence community officials who've weighed in are on Team Apple. Richard Clarke, who served three presidents as National Coordinator for Security and Counterterrorism, told NPR yesterday that, quote, the Justice Department and the FBI are on their own here, end quote, more interested in setting a precedent than in simply cracking open one iPhone. He also thought there were other national means of getting at the data on the phone if it really is that important. We spoke with Jonathan Katz of
Starting point is 00:07:09 the University of Maryland Cybersecurity Center and asked him about the case. We'll hear from him after the break. As we've been following researchers working in cyber threat intelligence, we've had occasion to note the importance they attach to framing the questions they're tasked to answer. Some of them have fun with the notion that you could actually derive useful intelligence without posing intelligent questions. Here's a fun fact we learned at RSA, for example. Palo Alto Networks calls its intelligence team Unit 42. That's an homage to the Hitchhiker's Guide to the Galaxy, where the Deep Thought computer delivers 42 as the answer to the ultimate question of life, the universe, and everything. Of course, the people who programmed Deep Thought never actually knew what that question was.
Starting point is 00:07:51 Don't be like that.
Starting point is 00:10:54 I'm joined once again by Jonathan Katz, Professor of Computer Science at the University of Maryland and Director of the Maryland Cyber Security Center, one of our academic and research partners. Jonathan, NPR's Morning Edition interviewed former National Security official Richard Clarke about the Apple-FBI dispute. And NPR's David Greene asked Clarke if he was still inside the government as a counterterrorism official, would he be more sympathetic to the FBI in doing everything it can to crack the case? Clarke responded, quote,
Starting point is 00:11:18 If I were in the job right now, I would have simply told the FBI to call Fort Meade, the headquarters of the National Security Agency, and NSA would have solved this problem for them, end quote. My question to you, with your expertise in cryptography, how grounded in reality is that statement? There are some cryptographic problems that even the NSA can't solve. I remember I spoke with you a few weeks back about certain physical limits to the amount of computation that we can possibly do. And in particular, it would be infeasible for anybody to do a brute force search over a 256-bit key space, because that would require doing a search over two to the 256 different possible keys. So it's not a matter of simply lining up enough hardware to be able to throw at the problem. Yeah, that's right. So there would be no way for the NSA to do a brute force search for the key.
Starting point is 00:12:03 What we have to remember here is that there may be other ways to break the system. For example, in the case of the iPhone here that we're talking about, remember that it all comes down to being able to determine the four-digit PIN that's used to protect the 256-bit key. And in turn, that PIN is protected by a hardware mechanism that locks down the phone after 10 incorrect guesses. So if the NSA could somehow get access to the hardware itself and break the assumption or break the hardware that's preventing them from making an unlimited number of guesses for the PIN,
Starting point is 00:12:34 then in fact the NSA might be able to get the PIN some other way and then obtain access to that 256-bit key not by doing a brute force search. I see. So it's not so much that the NSA has their cryptographic capabilities. It's that they may have systems for just simply dealing with the hardware in the phone. Exactly. In general, for any system you're talking about,
Starting point is 00:12:54 the best way to attack it is, of course, by looking for the weakest link. And in this particular example, the weakest link would not be doing the brute force search for the key, but it would be attacking the recovery mechanism, attacking the hardware that's preventing them from doing the unlimited number of guesses. Jonathan Katz, thanks again for joining us.
Starting point is 00:13:22 And that's The Cyber Wire.
Starting point is 00:14:04 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
