CyberWire Daily - Kenyan elections, not hacked? Someone's poking into DPRK systems. DDoS in Ukraine. Pseudoransomware protection. Spyware in Play Store. HBO hack.
Episode Date: August 10, 2017
In today's podcast, we learn that EU election monitors say Kenyan presidential voting went off without hacking (the losing opposition disagrees). Germany looks toward securing September's vote. North Korea receives cyber attention from somewhere in the civilized world. Ukraine's postal service sustains a two-day DDoS attack. WannaCry and NotPetya pseudoransomware fallout. Spyware-infected apps found in the Google Play Store. Jonathan Katz from UMD on an RSA 2048 encryption hack. Markus Jakobsson from Agari on a proposed cyber threat classification system. "Mr. Smith" comes to Midtown, and he wants a raise from Richard. Supported by E8 Security, Johns Hopkins University, and Domain Tools.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me, now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Election monitors say Kenyan presidential voting went off without hacking.
The losing opposition disagrees.
Germany looks toward securing September's vote.
North Korea receives cyber attention from somewhere in the civilized world.
Ukraine's Postal Service sustains a two-day DDoS attack. WannaCry and NotPetya pseudo-ransomware fallout. Spyware-infected apps are found in the Google Play Store.
And Mr. Smith comes to Midtown, and he wants a raise.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, August 10, 2017.
For all of you thinking hard about election hacking, here's a Sherlock Holmesian dog that didn't bark. EU observers who were monitoring Kenya's presidential election say that the contest appears
to have been conducted without vote tally manipulation. Incumbent Uhuru Kenyatta seems
to be the winner, but opposition leader Odinga says the results were cooked. The country's
electoral commission has said that the voter database was targeted by hackers, but unsuccessfully,
and that voting proceeded without illicit manipulation.
Neither the EU observers nor the Electoral Commission's statements
are likely to mollify the opposition, which is disputing the results.
Do note that most election hacking has involved influence operations,
not directly finagling with the count.
The next big event on the election hacking scene, and yes, we're looking at you, Cozy and Fancy, will be the German federal elections set for September 24th. German authorities have for some time been on alert for Russian interference, so viel Glück, Germany, and best wishes for a clean vote.
Reports continue that North Korean targets have been infected with Konni and Inexmar espionage tools.
The incidents are not attributed, but speculation inevitably centers on the likelihood
that the cyberattacks have been prompted by Pyongyang's increasingly aggressive
and threatening missile and nuclear weapons programs.
The civilized world is uneasy, to say the least,
with the regime's very disturbing talk and even more disturbing demonstration
of nuclear and
ballistic missile capabilities. North Korea's news agency has promised that a plan to destroy Guam,
which Pyongyang calls a nest of American air pirates, will be presented to Supreme Leader
and great successor Kim Jong-un next week. Now, to be sure, Pyongyang does say a lot of stuff, but possession of nuclear
weapons, and quite possibly the means to deliver them over long distances, leads people to take
the things the Kim regime says with greater seriousness than they otherwise might. Thus,
it would be surprising if the North Korean regime were not being subjected to the attentions of
foreign intelligence services, to which thinking people can only say, good hunting.
Ukraine's Postal Service on Monday and Tuesday came under a sustained distributed denial of service attack.
Package tracking was particularly disrupted.
Investigation is in its early stages.
Rapid7 does some self and sector examination in its look at the second quarter of 2017. The security company says its honeypots indicated that something was brewing after the Shadow Brokers dumped the EternalBlue exploits in April.
WannaCry and NotPetya, of course, hit in May and June, respectively.
Their success was in some ways surprising, given their attack against known vulnerabilities,
but effective patch
management can be surprisingly difficult. So hindsight makes it appear obvious that something
big was up, but then hindsight will do that. Another point Rapid7 makes is that criminals
generally maintained their usual activity. While the good guys were focused on the large,
splashy, and disruptive WannaCry and NotPetya, the bad guys were going
about their usual petty larceny, too.
Security experts at Venafi have taken a look at what went wrong with MeDoc, the patient zero of NotPetya. They offer three bits of advice as well. First, every machine must have a unique identity. Second, make sure your software is code-signed. And third, machine credentials must be expertly defended. They think Intellect Service, MeDoc's vendor, fell short in all three areas.
A survey by the security company Tripwire finds that more than two-thirds of security personnel think their enterprises remain inadequately protected against a repeat run of these pseudo-ransomware attacks.
We've got a lot of technical terms and buzzwords in cybersecurity, to the point where it can
be hard to know for sure what someone is really talking about when they're describing, say,
a phishing attack.
Markus Jakobsson is chief scientist at Agari, a company that helps protect against phishing attacks.
They've come up with a threat taxonomy to help standardize the way we describe attacks.
So I spoke with vendors out there and customers of these vendors
and a lot of people in general trying to understand what are they concerned with.
And the first things that came out of their mouths were things like phishing and hacking.
And then I drilled a little bit deeper and I realized that they were not at all concerned about phishing or hacking.
They might be concerned about targeted attacks
such as business email compromise.
They might be concerned with ransomware attacks.
They just did not have a meaningful terminology
to express their concerns,
which of course is not their fault.
It's our fault, the industry as such,
for not providing a terminology that is meaningful in terms of explaining what you want to achieve.
And you use an analogy comparing it to a doctor.
Right. Assume that you go to a doctor and you can only say pain and hurt, right, or something like
that. No matter what your ailment is, this is not going to be
helpful. You might have a toothache. I might come there with pain in my leg and somebody else has
cramp in their back. And the doctor is going to give us all the same treatment.
Of course, that is idiotic. And it would not occur to anybody that that would be a meaningful way of approaching a doctor's visit.
But that is what we're doing collectively to security these days.
We're calling everything phishing, we're calling everything hacking, and we forget the nuances.
So give me an example of a common attack and how it would be categorized within your taxonomy.
So business email compromise is one increasingly common attack. And the way it normally starts is that
the attacker finds out information about your organization. They know the org chart or they
know a couple of names within the organization. And now they send an email that appears to come from one
of them to another one. And the way they perform this identity deception, about half the time
is using spoofing. And the other half of the time, pretty much is using display name deception.
And so then they are trying, using business-as-usual language, to request information. So if you get an email from
your boss saying, you know, I need the W-2s, as a result of them responding and sending W-2s,
now the attacker has W-2s for employees, which means that the attacker can file taxes.
So in this case, if you're looking at the sender, typically it's about display name or it's spoofing. So if an organization wants to address this threat,
they will know that since it's a con at the same time, and there are no countermeasures that
address cons per se, they would have to look at the ways in which identity deception takes place.
If they already have DMARC in place, that's great. Now it's only the display name aspect
that they need to nail down. And so it gives you a recipe for what's next. Once they know what
their solutions are and what these do, then they can go out and say, well, where can we shut this down? And typically,
it's at the identity deception part. That's Markus Jakobsson from Agari. You can find out more about their cyber threat taxonomy at their website.
SurfWatch published an analysis in IT Pro Portal that says the big story in cybercrime so far this year has been the extent to which such crime has been fueled by leaked government exploits.
The security firm thinks this is likely to continue,
and it offers three general pieces of advice to companies as they brace for more attacks.
First, continuously monitor for relevant external threats.
Second, have a structured way of prioritizing threats and taking meaningful action.
And third, follow best practice and risk assessment recommendations.
The third recommendation looks obvious, but as SurfWatch's Adam Meyer acidly observes in the IT Pro Portal piece, if the U.S. intelligence community had paid more attention to advice about internal threats, we might not be in the exploit pickle we find ourselves in.
Researchers at security company Lookout announced today that they've discovered approximately a thousand spyware apps infesting Google's Play Store.
Lookout says the apps belong to the SonicSpy family,
which began deployment in February of this year.
Google has removed some of the apps after Lookout alerted Mountain View to the problem.
SonicSpy is thought to be related to SpyNote malware, possibly descending from it by automated build processes.
The hackers behind the malware are believed to be located in Iraq.
To take one of the more prominent bad apps Lookout has discerned,
the one called Soniac is marketed as a messaging app,
and does appear to provide
some messaging functionality through a customized version of Telegram. But its malicious components
include, as Lookout says, quote, the ability to silently record audio, take photos with the camera,
make outbound calls, send text messages to attacker-specified numbers, and retrieve
information such as call logs, contacts, and information about Wi-Fi access points.
The extortionist Mr. Smith, claiming responsibility for the HBO hack,
has escalated his or her or their game by releasing mobile phone numbers and email addresses
belonging to Game of Thrones stars Lena Headey, Peter Dinklage, and Emilia Clarke.
The hackers are also said to have released emails from HBO vice president Leslie Cohen.
Mr. Smith threatens a bigger release today if his demands for a six-month salary,
thought to be between $6 million and $7.5 million, are not met.
Mr. Smith has also said that he will only deal with Richard, presumably HBO chairman and CEO Richard Plepler. So far, no word on further developments, but there are a few hours left in August 10th as we speak. And as we know, winter is coming.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist
who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking
and wickedly humorous film from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform secures their personal devices. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Joining me once again is Jonathan Katz.
He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center.
Jonathan, welcome back. We had a story come by from Security Affairs, and it was talking about a side channel attack on some RSA encryption. They were claiming that they can crack 1024-bit RSA encryption. Bring us up to date here. What's going on?
So this is an example of a side channel attack where basically the attacker is using information that they're obtaining by watching the execution of the algorithm.
Say, if they have a virus running on the same machine that the algorithm is executing on.
And by looking at very small differences in the timing that various parts of the algorithm take, it turns out that it's possible to extract bits of information that allow them
to recover the secret key for 1024-bit RSA, as you say. And one of your colleagues at the
University of Maryland had a hand in this. Yeah, that's right. Actually, Daniel Genkin is one of
the co-authors of the paper describing this work, and he's currently a postdoc, splitting his time,
actually, working with me at the University of Maryland and also working with Professor Nadia Henninger at the University of Pennsylvania.
So how big a deal is this? How big a threat is this? Is this something to be taken seriously, or is this more of an academic kind of thing?
Well, it's a little bit mixed, actually.
So it's something to be taken seriously from the point of view that there are actually deployed products, in particular the GnuPG crypto library, that are vulnerable to this attack, and they've ended up patching their system and fixing the bug that led to this attack, so they certainly took it seriously.
On the other hand, the conditions that an attacker would need in order to carry out this attack are pretty severe, and like I said earlier, the attacker would basically have to be running on the same machine that the cryptography was being executed on.
If that's the case, if you have an attacker running on your machine,
you probably have bigger problems to worry about.
But so there are some specific concerns when it comes to cloud computing.
Yeah, that's right.
When you're implementing cryptography in the cloud,
you might have actually different users' programs
being run on the same physical machine.
And it's potentially possible in that case
that an attacker running on the same machine
as an honest user would be able to get the information
that's needed to carry out this attack in that case as well.
All right.
Jonathan Katz, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.