CyberWire Daily - Grid hacks and influence operations. Propaganda sauce spread liberally over geese and ganders. Peace sign hacks? Hamas catphishes the IDF.

Episode Date: January 12, 2017

In today's podcast, we hear about the arrest of an Italian brother and sister for an EyePyramid spyware crime spree that may have been in progress since 2010. Ukraine confirms that Kiev's power grid was hacked last month, and the Ukrainian government tries to tide over some influence operations of its own. Policy wonks talk information operations and some realize that such ops aren't new. The peace sign hack joins the Gummibear hack as a challenge to biometric authentication. Yisroel Mirsky from Ben Gurion University explains new research using databases of exploits and vulnerabilities. Quick industry notes. And Hamas goes catphishing.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Starting point is 00:01:53 A brother and sister are arrested for an EyePyramid spyware crime spree that may have been in progress since 2010. Ukraine confirms that Kiev's power grid was hacked last month, and the Ukrainian government tries to tide over some influence operations of its own. Policy wonks talk information operations, and some realize that such ops aren't new. The peace sign hack joins the gummy bear hack as a challenge to biometric authentication, and Hamas goes catfishing.
Starting point is 00:02:33 I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, January 12, 2017. Two Italian citizens, a brother and a sister, Giulio Occhionero and Francesca Maria Occhionero, both on the downhill side of 45 and therefore old enough to know better, have been arrested for hacking high-profile Italian figures and at least one high-profile cardinal in the Vatican. An international operation reeled them in. Giulio was born in Italy and Francesca in the United States. Both were residing in London but domiciled in Rome. Italian police made the collar.
Starting point is 00:03:06 The siblings face trial in Italy, and the FBI seized the Dropbox servers to which the pair are alleged to have deposited stolen data. That "alleged" reminds us that this is a good point to offer the routine disclaimer that of course persons accused of a crime are entitled to a presumption of innocence, at least on this side of the Atlantic. Their lawyers, at any rate, say the Occhioneros didn't do it. Sure, Giulio owned some of those American servers, but the lawyers point out that's just because he does business in the U.S. The incident draws attention to the malware used in the caper. A security researcher tipped off police when he received an email
Starting point is 00:03:42 purporting to be from a lawyer that contained malware. Trend Micro has been taking a look at the spyware. It's being called iPyramid, and they say it's a data exfiltration tool delivered as the payload of a malicious email attachment. In the case under investigation, iPyramid is said to have been used to siphon off more than 87 gigabytes of data, which Trend Micro says includes usernames, passwords, browsing data, and file system content. Whether the Ikeaneros prove innocent or not, it looks as if the spyware campaign they stand accused of running had been in progress since 2010.
Starting point is 00:04:17 Those behind the crime appear to have been interested principally in political and financial information about Italian political figures, and also in similar information about some bankers and Vatican officials. The hackers' motives in all this are unclear. They could be political, but Italian police think they were financial. How the information might have been monetized isn't discussed in early reports. According to the BBC, Ukrainian officials have confirmed that this past December's power outages in the vicinity of that country's capital were caused by a cyber attack. Investigators see the same actors behind the 2016 blackout in Kiev that they saw behind the 2015 blackout in Ivano-Frankivsk, which means, of course, that they're seeing Russians. Investigators also suggest, as they did in the aftermath of the 2015 hacks, that this incident could be a dress rehearsal for something much bigger.
Starting point is 00:05:11 The Ukrainian government, Politico reports, is also quietly trying to mend fences with the incoming U.S. administration after evidently having conducted some quiet, minor influence operations of its own on behalf of the President-elect's opponent. Those appear to have been conducted relatively casually, and without the high-level attention and direction the U.S. intelligence community perceives in Fancy Bear's prance through the Democratic National Committee. Minor and quiet as they may have been, the alleged operations are instructive. Influence operations are nothing new. Foreign policy and security intellectual types are busily reviewing other cases of propaganda,
Starting point is 00:05:51 disinformation, forgery, provocation, and the like. Many consumers of old and new media are receiving these unsurprising stories as surprises. By the way, President-elect Trump has also said he now thinks the Russians hacked the DNC. He's still mad about BuzzFeed's stories of compromise. So be prepared for what incidents might come your way. If you're planning to be around Norfolk, Virginia the first week in February, and if you think you might be hungry, say noonish, take a look at our event sponsor RSAM's Lunch and Learn session on security incident response. SANS instructor Alyssa Torres and RSAM CISO Brian Timmerman will feed your mind as lunch feeds your body.
Starting point is 00:06:32 See the event tracker at thecyberwire.com for information. Biometric technology has for some time been a leading light in efforts to replace passwords for authentication. But that light may be something of a will-o'-the-wisp. You may recall the gummy bear hack, in which the mark's fingerprints are stolen when the mark handles a toothsome but sticky piece of candy, then for some reason puts it back. This always struck us as a bit of a garbage hack, entertaining, sure, but more parlor trick than serious risk. Researchers at Japan's National Institute for Informatics, however,
Starting point is 00:07:07 may be on to something more disturbing, the peace sign hack. A digital image, from a mark's incautious selfie perhaps, is used to copy the mark's fingerprints. It's a lot quicker and a lot less sticky. It's been shown in the past that the eye's iris can be matched from a photo, so the peace sign hack may bear watching. In industry news, Arxan Technologies has bought security shop Apyrion, and cyber startup InfoSight gets a $3.4 million Series A funding round.
Starting point is 00:07:37 Finally, Hamas is reported to be using catfish as honey traps to install spyware on Israeli soldiers' smartphones. The winsome catfish promised video chats with predictably lovelorn troops. Alas, soldiers, you're going to get malware with that chat, and maybe not much chat either. The IDF thinks the damage was minimal, but with the troops, one never knows. We once heard a general of U.S. Marines lament the misguided initiative of a lance corporal who thought it a good idea to recharge his Samsung Galaxy by plugging it into SIPRNet. So all you sergeants and company grade officers out there, in the IDF and indeed in every army in the world,
Starting point is 00:08:18 if you want to keep them out of trouble, keep them busy. You may remember the movie Stripes where Ox, one of our favorite characters, found himself having to explain just what happened when the men found themselves out for a little extracurricular activity. Well, sir, we were going to the bingo parlor at the YMCA. Well, one thing led to another, and the instructions got all foul up there, and we ended up... Shut up. Okay, sure.
Starting point is 00:08:59 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:09:23 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm joined once again by Yisroel Mirsky.
Starting point is 00:10:51 He's a research project manager at the Ben-Gurion University Cybersecurity Labs. You've got some interesting research that involves the use of some exploit and vulnerability databases. That's right. So a vulnerability database is a platform used to collect, maintain, and disseminate information about discovered vulnerabilities. And there are many different kinds of vulnerability databases available to the public, such as the NVD,
Starting point is 00:11:17 National Vulnerability Database, maintained by NIST, the National Institute of Standards and Technology. So different from all these other common vulnerability databases is a database called the ExploitDB, which is maintained by Offensive Security. And they collect actual malware code written in high-level languages, such as in C or in Java. This is different from other databases
Starting point is 00:11:42 or dumps of malwares which are obtainable, which are the actual raw machine code or the compiled code. So here you have little excerpts of the malware code written in the original language. Typically, you can use this code to kind of run it and see if you can find holes in your systems in pen testing, what's called referred to as white hat hacking. But we thought, why don't we use this high-level code in the exploit database to assist us in detecting or discovering new malware trends? So as opposed to, again, the pre-compiled code you find in other databases, the high-level code contains all sorts of different semantics that help you better capture the intent or the objective of the malware author. So I'll give you an example.
Starting point is 00:12:23 So if you look at some sort of code that performs a buffer overflow, in the machine code you can track where the pointers are heading and what the malware is trying to accomplish. But looking at the high-level code, you can see what the names of the variables are and what libraries are perhaps being used. And just the fact that the malware author called his variable "buffer" may indicate some sort of usage of his code. And again, of course, you know, once it's compiled, this information is lost because the compiler doesn't need that for any
Starting point is 00:12:55 reason. So what we did is we extracted a dataset from ExploitDB's C code samples. And we built a whole dataset based on these kinds of semantic features. And we used a self-organizing map, which is kind of like a neural network for clustering, to try and discover different kinds of patterns and trends of malware over the last few years. Because in the Exploit database, we know when the malware was published.
Starting point is 00:13:21 We know what kind of malware it is because it's all been labeled. And then we try and get an understanding of sort of kind of different trends, when different malwares were more popular, what perhaps is the next up and coming malware, and so on and so forth. So that's the kind of ongoing research that we're very interested in, trying to see how we can use exploit database to try and not just see trends, but also help us build better predictors and to detect different malwares that may come out in the future. Israel Mirsky, thanks for joining us.
Starting point is 00:13:58 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire.
Starting point is 00:14:49 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
