CyberWire Daily - Patriotic and free-spirited hacking? WikiLeaks has a new Vault7 dump. Cyber conflict over the South China Sea. Fireball malware infests more than 250 million devices. Trident security. Kmart breach. Bikers turn hackers.

Episode Date: June 2, 2017

In today's podcast we hear, second-hand but ultimately from Vladimir Vladimirovich himself, that Russian hackers are free-spirited, patriotic artists, and maybe he'd be in a position to know. WikiLeaks dumps more Vault7 documents. White hats reconsider crowdsourcing membership in the exploit-of-the-month club. OceanLotus may be weaponizing a ShadowBrokers' leak. Fireball malware used for ad fraud. A think tank warns of Royal Navy submarine cyber vulnerabilities. Kmart discloses a point-of-sale breach. Jonathan Katz from UMD on undetectable backdoors. Leo Taddeo from Cyxtera Technologies on what the Comey firing means for encryption and cyber security. And a motorcycle gang is hacking cars. Why? Because that's the way they roll.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Russian hackers are free-spirited patriotic artists, says a man in a position to know. WikiLeaks dumps more Vault 7 documents. White Hats reconsider crowdsourcing membership in the Exploit of the Month Club.
Starting point is 00:02:07 Ocean Lotus may be weaponizing a Shadow Brokers leak. Fireball malware used for ad fraud. A think tank warns of Royal Navy submarine cyber vulnerabilities. Kmart discloses a point-of-sale breach. And a motorcycle gang is hacking cars. Why? Because that's the way they roll. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, June 2, 2017.
Starting point is 00:02:41 Russia's President Vladimir Putin says he has no knowledge of anyone hacking U.S. elections. He does speculate that, well, sure, it stands to reason there could have been some patriotic freelancers out there, hacker weight unspecified, who were hitting American networks. But that's just standing up for the motherland and rooting for good old Vlad Putin, as who wouldn't? Hackers are free spirits, Mr. Putin observed, just like artists, and after all, it's a free country, and so on. Besides, all he knows is what he reads in the papers. Elsewhere in the ongoing conflict in cyberspace, WikiLeaks yesterday released its latest tranche of Vault 7 material. The latest dump deals with an alleged CIA implant, Pandemic, said to be used to establish
Starting point is 00:03:21 patient zero machines on networks. Hacker Fantastic and x0rz have shuttered their crowdfunded attempt to buy an early look at the Shadow Brokers' next exploit dump. Their hope was to have done and shared some quick remediation, but it's just too risky from a legal point of view. Sophos advises all against subscribing to the Brokers' Exploit of the Month Club, saying, quote, would-be subscribers should ask themselves the following before diving in.
Starting point is 00:03:48 What are you going to do if they don't deliver? Ask for a refund? Report them to the ombudsman? End quote. Customer service just isn't what it used to be, especially in black market clubs. OceanLotus, also known as APT32, the threat group associated with the Vietnamese government that's giving Philippine sites difficulty as the two countries squabble over economic and sovereign rights in the South China Sea, is believed to be working to reverse engineer and weaponize OddJob, from an earlier Shadow Brokers dump. Security company Check Point reports the discovery of Fireball, a malware campaign said to have infected about 250 million computers worldwide. Fireball lets its masters execute code on victim machines and manipulate web traffic to generate ad revenue.
Starting point is 00:04:42 Despite some spyware functionality, the chief motivation here seems to be fraud. Check Point says the Beijing digital marketing agency Rafotech is behind Fireball. The British American Security Information Council think tank warns, with a degree of alarmism, that the Royal Navy's Trident missile submarines are in principle vulnerable to cyber attack. Sure, the boats are air-gapped while submerged. Hey, they'd better be. But the study argues that's not the point. The subs' supply chains are vulnerable, as are the patches and upgrades they receive in port. The UK's Defence Secretary Michael Fallon last month declined to comment on whether the submarines used Windows XP
Starting point is 00:05:18 and were therefore vulnerable to WannaCry, but that shouldn't necessarily be interpreted as a non-denial denial. It would have been irresponsible to comment publicly on a matter affecting technology used by strategic systems, and besides, the question is a complex one. Windows XP is very unlikely to have been used out of the box in any significant IoT system. We received some notes on the WannaCry episode from Cytelix in response to our question about why old and vulnerable instances of Windows have remained in such widespread use. They told the CyberWire there are many reasons why this is so. Quote, A variety of costs and obstacles contribute to persisted use of outdated systems.
Starting point is 00:06:01 Some companies lack the financial or technical resources to update their systems accordingly, while others believe the older systems are more stable. New systems are often rolled out with various bugs. Some companies operate under the adage of, if it's not broken, don't fix it. While we would consider outdated security patches as contributing to a system that needs repair, not every IT team has the resources to understand and evaluate information security. They might be of the opinion that if their systems keep them productive, there is no reason to alter them, especially if an upgrade is expensive, from either a financial standpoint or in terms of the time spent implementing.
Starting point is 00:06:40 The Chipotle breach earlier this week served as a reminder that point-of-sale attacks are still very much with us. Another retailer, Kmart, has also disclosed a customer data breach. Credit card data were exposed to hackers in the second such breach in three years. Kmart's parent, Sears Holdings, says its investigation determined that no personally identifiable information was compromised, but that some credit card numbers were. A Sears spokesman also said the infection was undetectable by antivirus software. High-Tech Bridge's Ilia Kolochenko thinks the talk about antivirus is misdirection.
Starting point is 00:07:16 Quote, payment systems should be thoroughly isolated and restrict any third-party code or applications from running on them. Apparently, such fundamental precautions were at least partially missing. End quote. He also says big enterprises can't rely on basic security solutions like antivirus software if they're not designing security into their systems from the start. Finally, those of you who've been following the increasing commodification of cybercrime, crimeware, DDoS, and ransomware as a service,
Starting point is 00:07:46 won't be surprised to learn that a bunch of denim-jacketed one-percenters have now roared into cyberspace astride their hogs. Yes, it's the Hooligans Motorcycle Gang, known for riding between Tijuana and San Berdu. At least one outlaw biker club has apparently branched out from meth distribution and cigarette smuggling to enter the IoT hacking game. Three members of the Dirty 30, a subunit of the Hooligans, have got themselves arrested by the FBI on charges of boosting more than 150 Jeep Wranglers. Nine more suspects remain at large, and there are other people the authorities would like to meet, too.
Starting point is 00:08:23 The Hooligans allegedly stole the Jeeps by hacking into a proprietary database containing replacement key codes, then syncing a replacement key code by connecting to a given vehicle's onboard diagnostic system. The Bureau called their investigation Operation Last Ride, and they've been after the Dirty 30 since 2015. The Feds? They are nothing if not patient. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
Starting point is 00:09:07 winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:09:38 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:10:32 In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:11:07 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Thank you. What are we talking about here? Well, some researchers showed that there will be ways to generate parameters for Diffie-Hellman Key Exchange, which is used very often on the Internet and also used in HTTPS. And they could generate these parameters in such a way that they had a backdoor in them. And that backdoor would allow anybody knowing the backdoor to be able to break the security of any communication channel set up using those parameters. But the backdoor was also undetectable. So they were using, they described it as being hard-coded primes.
Starting point is 00:12:31 What does that mean? Yeah, what they did was, so Diffie-Hellman parameters rely on prime numbers, at least the non-elliptic curve variants of Diffie-Hellman. And what the researchers showed was that by picking primes in a particular way and embedding those into the Diffie-Hellman parameters, they were able to break the key exchange protocol using those parameters much more quickly than you would expect if those primes were chosen at random. So is this something that we're seeing in the real world yet, or is this so far just in the lab? Well, we have no evidence that this has been carried out in the
Starting point is 00:13:05 real world, but I guess we also have no evidence that it hasn't been. So I think the point the researchers were making is that this kind of a trap door might be present in some parameters that people are using. We have no way of knowing either way, but there's, I guess, always a possibility that it could have been done at some point in time. And we're talking about 1024-bit keys, but they were saying that taking it up to 2048-bit keys would obviously take it to another degree of difficulty. Yeah, that's right. I mean, you still have a possibility that these trapdoors would make it easier to break, even the 2048 version, than you would expect. But it's definitely true. I mean, anyway, there are recommendations for other reasons
Starting point is 00:13:47 to start moving toward 2048-bit keys. But yeah, that's definitely true that it would be harder to carry out this kind of attack on the longer key. All right, Jonathan Katz, thanks for joining us. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:14:19 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. My guest today is Leo Taddeo. He's the Chief Information Security Officer at Cyxtera Technologies, a company that provides secure infrastructure.
Starting point is 00:14:59 Our conversation centered on the tension between advocates of privacy and strong encryption and those who believe law enforcement has legitimate needs to be able to access encrypted data. We began our discussion reflecting on the recent firing of FBI Director Comey. I think we've lost an advocate for the debate over encryption. Jim Comey, of course, as a law enforcement officer, had his own views on whether or not the government should have access to secure devices, whether that was through encrypted data at rest or data in motion. But the encryption problem in general, according to Director Comey, was something that the country needed to debate, and it wasn't for the FBI to decide, but he did want the country to debate whether or not law enforcement had the tools necessary to continue to do its mission. I think we lost an advocate with Mr. Comey. His departure means that the next director will have
Starting point is 00:15:59 to decide whether to pick up the mantle, if you will, and try to raise the issue and try to get Congress to address it. There are some technological challenges to law enforcement and how law enforcement can do its job, and unless addressed, technology will continue to outpace traditional capabilities that law enforcement has today. Director Comey was different from the directors of, say, the NSA and the CIA, where they were more pro-encryption, and he was more skeptical of it. Right. Well, they have slightly different missions. Director Comey's mission is focused on primarily a law enforcement function. There are some intelligence authorities within the FBI, and we do have components of our mission that involve national
Starting point is 00:16:45 security. But for the most part, encryption was an obstacle and continues to be an obstacle to the day-to-day work of FBI agents. That's different than, say, the NSA or CIA, Department of Defense, and some of their roles, where they can use different authorities to break encryption and may have better capabilities, to be frank. So the FBI is limited in what it can use, and it can't use state-of-the-art techniques and tools because they wouldn't be state-of-the-art for very long. Once exposed in court during a prosecution, those tools would no longer be available. So we have slightly different authorities than NSA and CIA and DOD, and those authorities change the way we look at
Starting point is 00:17:32 the problem. At the end of the day, if a technique or tool is required to be disclosed to a defendant, then that technique or tool no longer becomes effective. And that's not a problem that NSA or the other intelligence services has. You know, I talk to a lot of folks on the technology side of the encryption debate, and they look at this, I believe, partially as a practical issue, where, you know, encryption is readily available. It's not hard to do strong encryption. And when we're talking about things being done across borders, they make the point that it's not really a practical thing that you can stop.
Starting point is 00:18:14 I agree with all of that, that strong encryption is easy to deploy. It's becoming part of everyday devices. The question is, how strong does it need to be, in my mind? And there's a debate about whether we need perfect security. So I look at it this way. We have to use encryption that is designed to address the threat that we face. So if we're trying to counter criminal groups who are stealing data, then you don't need AES-256 unbreakable cryptology. You can perhaps use a different algorithm or perhaps deploy it in a different way that allows law enforcement with considerable resources and access to the device to obtain the evidence that it needs to complete its mission.
Starting point is 00:19:05 So if you're trying to prevent a nation state from accessing your device, then you must be in a pretty small category because it's not often that nation states go after individuals. So I think we can address that problem on a case-by-case basis. So, for example, a CEO that might have intellectual property or sensitive business information on his or her cell phone, we can make strong encryption available to them. But the day to day ubiquitous deployment of strong encryption means that your average person has what is in
Starting point is 00:19:39 effect government proof communications capability. And in a world where we are seeing people with access to, I won't say weapons of mass destruction, but certainly weapons that can cause mass casualties and the propensity for people to use those weapons, whether it's a rifle or we've seen recently a truck, we have to balance the risk and reward, if you will, of strong encryption. So what I mean by that is, in my view, we have to have a balancing. If the privacy advocates, of which I consider myself one in part, but I don't go as far as some groups, if privacy advocates are worried about government overreach. That is a threat. But so is the idea that there may be a mass shooting or a mass casualty event involving what we've seen, for example, in Europe and other
Starting point is 00:20:32 places. And the real threat there is on the ground and present. It's not theoretical. And I think that we have to balance the real threat with the potential for threat. And that means strong oversight for the government, strong auditing of government use of the techniques, but also an understanding that in many cases, the government is the only thing standing between us and potentially great harm. So I don't think it's all or nothing. And my bottom line is we have to find some way to come to a acceptable compromise between privacy concerns and legitimate law enforcement requirements. And we're not there yet.
Starting point is 00:21:12 That's Leo Taddeo from Cyxtera Technologies. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
