CyberWire Daily - Fake news tweets (from hijackers, not opinion-makers). Ransomware. New Android Trojans. Closing in on Mirai's master?

Episode Date: January 23, 2017

In today's podcast we discuss some fake tweets from hijacked news accounts around the time of the US Presidential transition—OurMine seems to have some at least tangential involvement. The BankBot Android Trojan evolves, and Skyfin will quietly buy stuff you don't want from the Google Play Store. Sage 2.0 ransomware is distributed by repurposed spam. Ill-named Dharma ransomware hits an Indian pony-betting site. Lloyds Bank disclosed DDoS attacks. Cryptographer Matthew Green describes Google's new open-source Key Transparency project. Jonathan Katz from the University of Maryland explains multivariate encryption. The SEC looks at Yahoo!'s breach disclosure record. And the FBI is taking an interest in the gentleman Krebs fingered as Mirai's master.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners. Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Transcription by CastingWords. ...and Krebs fingered as Mirai's master. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, January 23, 2017. Both the New York Times and the BBC had their Twitter accounts hijacked recently, the Times hijackers yesterday tweeting falsely that Russian President Putin had intentions to launch missiles against the U.S., and the BBC's hijackers tweeting Friday, equally falsely, that U.S. President Trump had been wounded in an assassination attempt during his inauguration.
Starting point is 00:02:56 Protection racketeers at OurMine admit collaborating in the caper, but said their unnamed partners composed the tweets. OurMine has become well known for its shakedown operations. They seek to preserve an implausible illusion of legitimacy as a security auditing service, but as may be seen in the Hill's account, as in others, few, if any, buy this. OurMine seems today to be distancing itself from both incidents, disavowing responsibility for the tweets and suggesting to the BBC that OurMine's hacking was only coincidental with the bogus news stories. Still, they're offering their services, as in this note to the New York Times,
Starting point is 00:03:36 quote, message from OurMine to @nytvideo, contact us to tell you how to fix the issue, end quote. The week opens with news of fresh Android threats. Tripwire is following the progress of the recently discovered banking Trojan BankBot, which is built to loot bank accounts by exploiting admin privileges on Android phones. BankBot's source code has begun circulating on at least one criminal hacking forum. Dr. Web has also identified a new Android threat. They're calling this one Skyfin. It's a second-stage infection that so far has been observed in phones already compromised by the Android downloader malware family. Skyfin quietly
Starting point is 00:04:16 infests a device's local Play Store app to make unwanted purchases. The SANS Internet Storm Center has a rundown on Sage 2.0, a variant of CryLocker, first described by Bleeping Computer last month. Sage 2.0 ransomware is now being observed in spam hitherto associated with Cerber, so again the criminal markets are showing their propensity for evolution and adaptation. Specific ransomware victims late last week include the St. Louis, Missouri, USA public library system and the RacingPulse.in pony-betting site operating out of Bangalore, India. The Dharma ransomware strain hit Bangalore. There's no word yet on which variety affected St. Louis.
Starting point is 00:04:59 The St. Louis librarians aren't paying up. Instead, they're wiping and restoring the approximately 700 affected machines. That won't be cheap or pain-free, and it will in fact take a few days to accomplish, but the librarians are determined to hang tough. Last week, Google released an open-source prototype of a system for discovering and verifying public encryption keys called Key Transparency. For details, we checked in with Professor Matthew Green, cryptographer from Johns Hopkins University. We've known for a long time that, you know, one of the vulnerabilities in encrypted messaging systems is that they use key servers, or at least many of the commercial ones do. So what that means is that if you want to talk to somebody, the first thing
Starting point is 00:05:42 you have to do is you have to get their public key. In the olden days, when we did that with things like PGP, it was a very painful process. We used to have to go, you know, have key signing parties and, you know, go to key servers and do all of this stuff. All of these newer instant messaging systems have gotten so easy to use, and they've done that mostly by making that transparent. So you don't know that you're getting somebody's public key, but you're still doing that. And that means you're relying on some server somewhere to hand you the right public key and not give you the wrong one. That's a vulnerability. That's a potential vulnerability in many of these apps.
Starting point is 00:06:16 And so take us through how key transparency is addressing that situation. Well, so two bad things can happen to you if you trust somebody else's key server. So a person can break into the key server and they can actually give out the wrong public keys to people so that people are encrypting to the bad guy instead of to you. The other thing people can do is they can impersonate your SMS and they can register a phone to your account or even add another phone to your account if they guess your iCloud password. And so that's the problem that key transparency tries to deal with. Many services will tell you they'll send a message to your phone or something when that happens,
Starting point is 00:06:53 but there's nothing guaranteed about that. If somebody hacks the server, they could prevent that message from getting to you. Key transparency takes us kind of a big step further. And what it does is it basically produces a cryptographic proof that your phone can check, which proves that the key the server is giving out to people is actually the key that you want it to be. It's actually your public key. So your phone and other people's phones can actually check that the server is behaving honestly. And so what are the likely areas where we're going to see this put to practical use? Well, I mean, I think the first place we're going to see this is in instant
Starting point is 00:07:30 messaging systems, hopefully very soon. So the original key transparency project was created at Google and I think at Yahoo, because Google and Yahoo were working together on this E2E plugin for mail, both Gmail and for Yahoo. Unfortunately, that project hasn't really produced a whole lot. We just still don't have a production version of the E2E plugin. So the key transparency server, which is now open source, hopefully will be adopted somewhere where it can actually make a difference. And the places where it can make a difference are in encrypted messaging apps like Signal or WhatsApp.
Starting point is 00:08:08 We haven't seen anyone adopt it yet, but hopefully that's on the way. So this is a 1.0 release. Are there any serious limitations that you see so far? So I haven't gone through the code, you know, in a lot of detail. I know the people who wrote it. I know the basic design. You know, the big
Starting point is 00:08:25 question for me is, can it plug into other people's infrastructure, particularly the database backend, and work efficiently? I think we're going to have to see about that. Obviously, I don't have the tools here in my professor's office to test it at the scale of a billion people. I think that's going to be an interesting problem. That's Matthew Green from Johns Hopkins University. In industry news, it appears that the U.S. Securities and Exchange Commission is taking a close look at what some consider Yahoo's belated disclosure of its two major data breaches. The Lloyds Banking Group disclosed that it was affected
Starting point is 00:09:03 by a distributed denial-of-service campaign two weeks ago. An unnamed international cybercrime gang is said to be responsible. Disruptions occurred intermittently over a two-day period. Several observers are reminded of the earlier attack on Tesco's banking operations in the UK. We heard from Ilya Kolochenko, CEO of High-Tech Bridge, who strongly urges the victim and the authorities to conduct a quick and thorough investigation. That investigation should bear in mind, Kolochenko says, that DDoS campaigns often serve as misdirection for other, more serious attacks. Kolochenko points out, quote, DDoS attacks are quite simple to organize, but very difficult and expensive to mitigate.
Starting point is 00:09:44 At the end of last year, even Akamai was obliged to terminate its DDoS protection services for U.S. journalist and investigative reporter Brian Krebs' website, following ongoing and massive DDoS attacks against it. Akamai is a leading distributed denial-of-service protection vendor. And speaking of DDoS and connected IoT services, the FBI is reported to be interviewing the gentleman security journalist Brian Krebs has identified as the figure behind Mirai. Mirai, of course, is the botnet-herding malware used to clog the Internet last fall. If you haven't read Krebs on Security's long account of how he tracked the spoor of the attacker,
Starting point is 00:10:23 you should consider doing so. It's an interesting and dismaying story. It also offers a surprising window into the highly competitive world of Minecraft servers and the protection thereof. As is the case with any business highly dependent on availability, a distributed denial-of-service campaign against Minecraft servers or the vendors who support them with DDoS protection can have financially devastating, perhaps business-killing results. And it's precisely this vulnerability, Krebs believes, that Mirai's creator and controller was out to exploit, hoping to establish either a competing service or a protection racket. It's also interesting in that the person the FBI is said to be interested in
Starting point is 00:11:02 is not a state security service conducting a dry run or even a well-resourced organized gang of criminals expanding their attack portfolio. Instead, it looks like a guy in a New Jersey dorm room. We won't share the person of interest's name, but we can say this. It's not Anna Senpai. And for you Minecraft fans, it's not Steve either.
Starting point is 00:11:45 ...be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. Look at this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:12:31 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist
Starting point is 00:13:12 who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Starting point is 00:13:32 Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:14:16 And I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, I wanted to check in with you. I know there is concern that as we head towards post-quantum cryptography, that there are a variety of schemes that people are working on to try to take us past that hurdle. And one of them that I've heard about is called multivariate cryptography. What can you tell us about that? Yeah, right. As you said, people are very concerned about the advent of quantum computers. We don't know when exactly they're going to become a reality, but people are speculating that they may be deployed
Starting point is 00:14:56 in about 20 or 30 years. And because of that, we need to start preparing now. As you know, and as many of the listeners probably know, all the common public-key cryptography used today is based on either factoring or this so-called discrete logarithm problem. And both of those are known to be solvable efficiently by quantum computers. So basically, all the current public-key crypto on the internet would be broken if and when we do get quantum computers. And people are looking for, as you said, post-quantum crypto replacements
Starting point is 00:15:24 that would be secure even against those computers. So people have been looking at a wide variety of different problems, and these multivariate crypto systems are one among several possibilities that people are looking at. So take us through what's going on mathematically under the hood when it comes to multivariate cryptography. Well, as you can imagine, it's hard to give the full details, but just to give an idea of the problem, the problem essentially boils down to finding solutions to polynomial equations. So imagine that you're given, you know, 10, 20 different quadratic equations in many variables, not in a single variable like back in high school, but these are in many variables, and you're asked to find a set of solutions that will simultaneously satisfy all the given equations.
Starting point is 00:16:08 Now, it's known, actually, that that problem is NP-hard in general. So we don't expect there to be a polynomial time algorithm or an efficient algorithm for ever solving that. Of course, that doesn't yet mean that it's ready for cryptographic applications. And there's been a lot of work to try to take that problem and map it and derive cryptosystems from it. So when it comes to this post-quantum cryptography problem, is it kind of a race against time? Well, yeah, definitely. I mean, one of the things that's been interesting here is if you think about it, step back and think about it, you think that quantum computers are maybe 30 years off, so we have time to prepare. But then you look actually at how long the process of research and standardization takes, and you realize that actually if we want something to be in place in 25 to 30 years, we really need to get started in the next 5 or 10 years of having things that we can actually imagine standardizing and then rolling out to the Internet.
Starting point is 00:16:56 So we don't really have as much time as we might hope. Jonathan Katz, thanks for joining us. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. ...with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner.
Starting point is 00:17:59 Thanks for listening. ...and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard.
Starting point is 00:18:41 Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
