CyberWire Daily - Dridex, Locky, PadCrypt, and extortion. Hollywood vs. ISIS? ISIS vs. ISIS? Apple vs. FBI.

Episode Date: February 18, 2016


Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, February 18th, 2016. Ransomware, especially Locky, which is distributed via malicious Word macros like Dridex, but also PadCrypt, which picks up the trend set by CryptoWall 4.0, in which ransomware treats its victims as if they're customers, continues to exercise researchers and security teams.
Starting point is 00:02:54 Locky is apparently being distributed, according to Palo Alto Networks, through a revenant subnet of the old Dridex botnet. Authorities took down Dridex late last year, but it began to re-form in January. PadCrypt's customer service angle includes both an uninstaller (it won't help you: it only uninstalls the malware and leaves your files encrypted and unrecoverable) and a live chat feature in which you, the victim, may consult PadCrypt's controllers, who will guide you through the steps to easy payment. We note that you're probably better off not chatting with them at all.
Starting point is 00:03:26 Cyber extortion seems to be paying off for the criminals. The Hollywood Presbyterian Hospital in Los Angeles, still recovering from a cyber attack, said yesterday that it paid the hackers $17,000 in Bitcoin to release control of some affected systems. And a survey by Bitdefender suggests that paying up has become increasingly common. U.S. users are most likely to be hit by extortion, but victims in the U.K. are willing to pay the most ransom. As always, the best defense is caution backed up by, well, good backups of your files. In industry news, the approach of RSA is accompanied by the usual flurry of new product announcements. Consult the CyberWire Daily News Brief for links to the most recent. UK, moving away from what it calls a dangerous dependency on legacy mainframe systems.
Starting point is 00:04:27 Amid conflicting reports over how well private sector cooperation against ISIS is going, some say Twitter's giving ISIS troubles, others say the blocked accounts amount to little more than a gesture, U.S. Secretary of State Kerry visits California to solicit support of movie producers in building up a counter-narrative. Studio executives presumably know a thing or two about storytelling, and the Secretary is looking for the kind of help from Hollywood on the content side the administration's recently sought from Silicon Valley on the technical side. Whatever Los Angeles and San Francisco come up with, however,
Starting point is 00:04:58 for now, ISIS seems to be its own worst enemy. Reports of widespread corruption and un-Islamic injustice in the territories it controls continue to undermine the caliphate's messaging. Admiral Rogers, director of the U.S. National Security Agency, who continues to say that encryption is foundational to our future, and that it's pointless to argue over whether strong encryption should be restricted, points out that widespread encryption does come at a price. He told Yahoo News that the terrorist massacres in Paris could have been forestalled had the attackers not used encrypted communications. Ars Technica wonders whether he's alluding to knowledge not widely shared, since public statements by French police indicate that the attackers coordinated their actions
Starting point is 00:05:38 using quite ordinary SMS messaging. Elsewhere in the crypto wars, Apple continues to fight the court order it received to assist the FBI in the Bureau's efforts to unlock an iPhone used by the San Bernardino jihadists. Apple receives support from rivals Microsoft and Google. It also gets support from, unsurprisingly, NSA leaker Edward Snowden, and surprisingly from former NSA director Michael Hayden. Hayden's support is based on his conviction that the general availability of strong encryption makes everyone more secure, despite the undeniable burdens it places on law enforcement. We heard a somewhat contrary nuanced view yesterday from Flashpoint's chief scientist, Lance James. Quote, this is not the same as the crypto war, he said.
Starting point is 00:06:20 Apple didn't need to react this way. It was premature. Forensically speaking and legally speaking, the judge asked for reasonable assistance on unlocking this specific phone, James told us. He doesn't see this as the entering wedge of mass surveillance, but rather, quote, a reasonable search warrant request no different from a warrant to the free webmail services or Facebook's asking for data, end quote. In any case, observers agree that the ultimate outcome of the case will be important in terms of judicial precedent. The case is also important in that it's likely to push Congress toward legislation on encryption. And, of course, for Apple, the company's strong stand for privacy seems to be good for business, too. winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:07:30 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:08:14 and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn
Starting point is 00:08:55 as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Nightbitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Nightbitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
Starting point is 00:09:26 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me is Joe Carrigan from the Johns Hopkins Information Security Institute. Joe, let's talk about passwords, specifically password cracking. One of my favorite subjects.
Starting point is 00:10:06 I know, I know it is. So before we get into how we crack passwords, let's talk about how passwords are stored and protected. Right. Passwords are usually stored in some kind of hashed system. If they're stored in plain text, then there's no security at all. So we use an algorithm called a hash algorithm that takes that password and turns it into essentially a one-way encryption function. The weakness there is that I can build a simple lookup table based on the hashes. So if your password is ABC123 and my password is ABC123, then our hashes are going to be the same. I see.
Starting point is 00:10:42 So we have a second protection against that called salting. And that is where we take a random string of characters and add it to our passwords. So let's say that random string of characters is, for you, 123. So your password becomes ABC123123, and then that gets hashed. And then my password becomes ABC123, and then I have XYZ added to the end of my password. In the password database, the salts get stored with the hashes, and now our hashes look different.
Starting point is 00:11:14 So I can't just say, okay, these two users have the same password anymore. That's what we call a salted and hashed password, and that's the best way to protect a password in a database. All right, so we've got our passwords stored. They've been protected through salting and hashing, but now I want to have at it, I want to start figuring out what the passwords are. How do I go about it? Right. The very first thing you're going to do as a password cracker is you're going to run
Starting point is 00:11:38 what's called a dictionary attack on that. Okay. And there are programs out there that are specifically designed for doing this, and there are lists out there, very large lists of known passwords. And the thing about people is they're kind of predictable in this. And you can break about 50% of the passwords just with a dictionary attack. You come at it with your dictionary attack and you're unsuccessful with that. What next?
Starting point is 00:12:03 So the next step would be brute force attacks. The same software tools that can run a dictionary attack can also do a brute force attack. There's one called Hashcat that actually runs on graphics processors that makes it very fast. When I'm coming up with a password for myself, is there a way to protect myself against either of these attacks? I use a password manager. What I do is I use random 20-character passwords at a minimum for the websites I visit frequently and the websites I care about. Okay.
Starting point is 00:12:32 How do you remember them? I don't remember them. All right. Go on. If somebody asked me what my Facebook password is right now, I wouldn't be able to tell them. Okay. So how do you log on to Facebook then? So I open up my password safe and I copy the password from the password safe into the Facebook interface.
Starting point is 00:12:45 So what if I get access to your password safe? That's an excellent question. In fact, there's now malware out there targeting password safes, because they realize that this is a high-value target. So are you in effect just sort of shifting it one degree away, because you still have a password to get into your password safe, right? Correct, yes. Then that password to get into my password safe is a very long password. Does it really help to, you know, you see people substituting characters for letters, you know, using an at symbol instead of the letter A and using a...
Starting point is 00:13:16 No, no. Those are, I mean, it helps in that it might not show up in a first-time dictionary attack, but there are rules, substitution rules in these tools, and it will go through the dictionary and start substituting out the existing characters, like it will substitute A's for 4's, 1's for I's, and vice versa. So, in effect, it's just making it harder to remember. Sort of, yeah. I say the longer the password, the better the password.
Starting point is 00:13:44 All right. Joe Carrigan, thanks for joining us. Thank you. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover
Starting point is 00:14:26 they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:15:36 Learn more at ai.domo.com. That's ai.domo.com.
