CyberWire Daily - Daily: Russian hackers hit German targets. New ransomware. DPRK domains revealed.
Episode Date: September 21, 2016
In today's podcast, we hear about Russian hackers turning their attention to German political targets as well as politicians in the US. The son-of-Shadow-Brokers vulnerability Cisco discovered is being exploited in the wild. New strains of ransomware are out—Mamba is as dangerous to networks as its namesake is to human tissue. The Air Force Association is taking up cyber in its annual meetings. The Internet-of-moving-things handles disclosures. Matthew Green from Johns Hopkins University's Information Security Institute discusses the downsides of crypto backdoors. University of Maryland's Jonathan Katz talks about new security standards adopted by Google. And North Korea parts the curtain in front of its domains.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Russian hackers appear to have turned their attention to German political targets
as well as politicians in the U.S.
New strains of ransomware are out.
Mamba is as dangerous to networks as its namesake is to human tissue.
The Air Force Association is taking up cyber in its annual meetings.
And North Korea parted the curtain in front of its domains.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Wednesday, September 21, 2016.
Election hacking may not be confined to United States targets.
German news outlets are reporting that a number of senior politicians and their staffs have come under cyber attack, apparently by Russian actors.
There's no name assigned to this particular bear yet, but doubtless one is coming.
The Bundestag sustained compromises last year. The current round of intrusions extends to political party organizations in the country's Länder, that is, down to what Americans would call the state level. It appears the attacker's initial approach was through a long series of phishing emails purporting to originate in NATO. The timing of the attack suggests an interest in elections, and German newspapers are significantly juxtaposing the story with coverage of election-related hacking in the U.S.
The vulnerability Cisco found in the course of its investigation of the Shadow Brokers exploits is said to be actively used by attackers in the wild. Patches and mitigations are expected soon.
More ransomware enters circulation, some of it unsophisticated. DetoxCrypto is distributed in a poorly crafted imitation of Malwarebytes communication. Other strains are being carried by bogus FedEx failed-delivery notices. But some of it is sophisticated indeed and dangerous. Mamba, also known as HDDCryptor, is unusually dangerous.
We've been spending some time down at the Air Force Association's annual Air, Space and Cyber Conference,
just south of the District of Columbia.
While the conference was, as one attendee put it, heavy industry heavy,
this year's version featured a conscious effort to devote significant attention to cyber.
You'll find accounts of the conference at thecyberwire.com.
But we were struck by the Air Force Operations Chief's emphasis
on working out effective command and control mechanisms for cyber operations
and by the Service IT Chief's commitment to looking for commercial solutions to Air Force challenges.
And the chief of personnel faces the same tight labor market the cyber industry does,
with the added challenge posed by a complex workforce and some cultural obstacles
to what she called the agility necessary to recruit, develop, and retain cyber talent.
Two initiatives stood out to us.
Everyone had very good things to say about CyberPatriot,
the Air Force Association-led, Northrop Grumman-supported youth cyber education program.
And the Military Cyber Professional Association was also present on the floor,
a young group organized to support and foster the growth of the profession.
Both of these will bear watching.
Matthew Green is an assistant professor at the Johns Hopkins University Information Security Institute,
and he's well known in the industry for his work in cryptography and other security technology.
He's one of the keynote speakers at the AppSecUSA 2016 conference coming up in October in Washington, D.C.
We checked in with Matthew Green for a preview of his presentation.
So there's been a pretty big debate going on right now about making encryption a little bit more tractable for law enforcement.
So I've spent a lot of my time in the last year, maybe year and a half, fighting with a lot of people about this
because, you know, the proposals that are being put out right now for making encryption easier for folks to decrypt
also have this kind of side effect that they make
encryption a lot worse. And if you've been paying any attention the last however many years,
you know that things aren't going very well for us. And by us, I mean everybody who uses
computers and relies on them being secure. So encryption is one of the best tools we have for
fixing that problem. If we start by weakening it or doing something to limit it, we're really starting out on the wrong foot. And so I'm going
to talk a little bit about how we've done that wrong in the past and what we could do wrong in
the future. So let's dig into that a little bit. I mean, there's been this notion, certainly,
you know, we saw in the last year, the incident with Apple and the FBI, this notion of is it
possible to have a backdoor that is
both a backdoor and secure? What are your thoughts on that? I mean, the way you just put it, I think,
is a pretty good illustration of why it's so difficult. You want to let people in,
but only the right people. However, the right people are going to be, you know, a lot of right
people. So you have a lot of different people in law enforcement, courts, all over the
place, not very technically savvy people. All of those people have to be able to get into your
encryption. And by your encryption, I mean everybody's encryption. It's not just going to
be Apple and Google. It's going to be small companies developing apps and everybody who
does anything with encryption in the long run. So you want to let all of those people get into
your encryption. You want to keep all of the very sophisticated,
sometimes nation-state funded attackers out.
And I have a very hard time seeing
how we're going to do that.
Because the difference between somebody like Guccifer,
you know, where we have somebody
who's extraordinarily sophisticated
and pretty good at getting into things.
And at the same time, you know,
that's the person we want to keep out.
But at the same time, we want to let in folks who are
very technically unsavvy, who are writing pieces of paper and saying, here's a court order,
let somebody into this encryption. I think it's going to be very hard to make that kind of system
work. And at a technical level, in the process of trying to make it work, I think we're going
to screw it up in all kinds of new and exciting ways we haven't even thought of yet.
So where do you see this headed? Is there a possible,
is there some meeting in the middle where both sides can get closer to what they want?
Right now, I think we already are meeting in the middle to some extent. So you probably saw the
headlines in the last day or two about the FBI gaining, you know, really powerful hacking
powers. They are now legally allowed or about to be allowed
to essentially hack anything they want,
and that includes end devices.
The FBI is developing this capability,
and they're getting pretty good at it.
And they clearly got into this San Bernardino iPhone last year,
and they didn't do it through a backdoor.
They did it by hacking.
So I think we're already heading towards some kind of meet in the
middle where this is how device access is handled, is the FBI just learns to hack. That doesn't mean
they see this as a compromise. They want backdoors too. The good guys say, the people who are calling
themselves good guys, they say, well, you know, as long as we have judicial oversight, what's the
problem here? What's the worry? What I'm going to talk about in my presentation is kind of the history of how, you know, good ideas,
you know, the road to hell is paved with good intentions, and how apparently good ideas can
turn into bad ideas, and those bad ideas can hurt us even, you know, a decade plus after the initial
idea is over. And so really, you know, I want to give a little bit of a history lesson, talking about previous attempts to limit and weaken encryption, and how they didn't really
go very well. So, you know, for example, back in the 90s, there were laws that said, if you want
to download a browser, you had to either download the strong US one and prove, you know, assert you
were from the US, or if you were from another country, you had to download the weak one.
And that stuff, these export-grade crypto systems, as recently as 2014, 2015, there
were bugs in SSL and TLS that were still exploitable because those leftover systems were still
in the standard.
And so it's kind of an illustration of how even well-meaning ideas can
lead to all sorts of unintended consequences, and they just linger. That's Matthew Green from the
Johns Hopkins University Information Security Institute. He'll be keynoting at the upcoming
AppSecUSA 2016 conference in October in Washington, D.C.
It's gratifying to see responsible disclosure of an Internet of Things vulnerability on the part of researchers, and equally gratifying to see receptivity and responsiveness on the part of the vendor whose product is affected.
We mean, of course, the demonstration by a group of Chinese researchers of vulnerabilities
in Tesla cars.
They were able to open sunroofs, turn blinkers on, and, most disturbingly, apply the brakes
while the car was in motion.
They disclosed the issues to Tesla, which has patched them, and thanked the researchers.
The researchers coordinated their announcement with Tesla's fix.
We heard at the Billington Automotive Cybersecurity Summit in July
that the auto industry was determined to invite and encourage and act on responsible disclosure.
The Tesla fix looks like a good omen.
And finally, we hear a great deal about North Korean activity in cyberspace,
from the country's alleged role in the Sony hack, to perennial expressions of concern from Seoul that Pyongyang has its fingers in as many South Korean networks as possible. But we hear much
less about what the internet might actually look like inside North Korea itself. If you were betting that the North Korean web wasn't exactly that familiar mashup of Woodstock,
Burning Man, the Wild West, BronyCon, and Mos Eisley that most of the rest of us have grown
accustomed to, you'd be right. Late Monday, an IT error in the Hermit Kingdom inadvertently,
we think, allowed domain administrators to request a list of the DPRK's top-level domains.
An alert watcher did just that and posted the results to Reddit.
There are, it turns out, a total of 28 .kp domains.
Not 28,000, just 28.
And TechCrunch thinks the sites on those top-level domains are likely to be busy because, as
TechCrunch says, that's what being on Reddit will do for you.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
Joining me is Jonathan Katz.
He's a professor of computer science at the University of Maryland and director of the Maryland Cybersecurity Center.
Jonathan, we saw a story come by recently
that Google is turning on HSTS encryption on its domain.
Give us some background here.
What are we talking about with HSTS encryption?
Well, as you know, when you're connecting to a sensitive website, like a banking website
or your email or things like that, you generally want to do that over a secure connection over
HTTP.
And what this new mechanism does is actually it's something that the website will provide,
which will tell the user's browser to only allow secure connections to the site.
And this would basically have the effect of preventing the user from mistakenly opening
up an insecure connection with that website.
So is this basically protecting the user from themselves so they don't inadvertently pass
along insecure data?
Yeah, exactly.
So what a user might do, for example, is go to, you know, if they're connecting to Gmail,
they might go to their web browser
and type in http://mail.google.com.
And if they did that in general,
then that would open up an insecure connection.
And to open up a secure connection,
they would have to know to type in https,
mail.google.com.
And what HSTS does for you, actually,
is that if the user ever connects securely
to the Gmail backend server, then from that point on,
the browser will ensure that the user only ever opens up
a secure connection.
So even if the user mistakenly types in http and forgets the S, the browser will know to automatically initiate a secure connection anyway.
And in fact, it won't even allow the user to initiate an insecure connection.
So we're really heading towards this time of when all connections really should be secure.
Yeah, that's right.
So Google has moved toward that in general, and they've made available secure connections
to all of their services.
And what this does is add an extra layer of protection
to protect either against user mistakes, like I was talking about earlier,
or also phishing attempts, right?
If an attacker sends a user an email with an embedded link to Google.com,
which is a link with an HTTP rather than HTTPS,
then this mechanism will still protect the user in that case,
and again will only allow the user to open up a secure connection.
All right, Jonathan Katz, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
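The header-driven upgrade Jonathan Katz describes in the interview above (a site sends a Strict-Transport-Security header over HTTPS; from then on the browser rewrites http:// requests to that host to https:// before any insecure connection is opened) can be modelled in a few dozen lines. The following is an added worked example in Python and is not code from the podcast, from Google, or from any browser; it follows the RFC 6797 rules for max-age, includeSubDomains, and ignoring the header when it arrives over plain HTTP. The hostnames, header values, and timestamps are constructed for illustration.

```python
"""Minimal model of a browser's HSTS (HTTP Strict Transport Security) cache.

Added example, not from the podcast. Hostnames and timestamps are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float          # absolute time (seconds) after which the policy is forgotten
    include_subdomains: bool   # whether the policy also covers subdomains of the host


def parse_hsts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid (no max-age, a non-numeric max-age, or a duplicated max-age), in
    which case a browser ignores it entirely.
    """
    max_age: Optional[int] = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        # Unknown directives are ignored, as the RFC requires.
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Per-browser store of hosts known to require HTTPS."""

    def __init__(self) -> None:
        self._entries: dict[str, HstsEntry] = {}

    def observe_response(self, url: str, header: Optional[str], now: float) -> None:
        """Record the policy carried by a response. Only honoured over https."""
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme != "https" or not host or header is None:
            return                      # a header seen over plain HTTP is untrusted
        parsed = parse_hsts_header(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self._entries.pop(host, None)   # max-age=0 tells the browser to forget the host
            return
        self._entries[host] = HstsEntry(now + max_age, include_sub)

    def is_known(self, host: str, now: float) -> bool:
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite_request(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// for known hosts before any network I/O."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname, now):
            return url
        netloc = parts.netloc
        if netloc.endswith(":80"):      # an explicit port 80 becomes 443 (RFC 6797 s8.3)
            netloc = netloc[:-3] + ":443"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    # Constructed: the first secure visit teaches the browser the policy.
    cache.observe_response("https://mail.google.com/", "max-age=31536000; includeSubDomains", now=1000.0)
    # The user later types the address without the S, or clicks an http:// link in a phishing mail.
    print(cache.rewrite_request("http://mail.google.com/inbox", now=2000.0))
```

The two checks worth noting for defenders: the header is only trusted when it arrived over HTTPS (otherwise an on-path attacker could plant or clear policies), and the rewrite happens before the request leaves the browser, which is what protects the user who "forgets the S" or follows an http:// link.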
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.