CyberWire Daily - SWIFT fraud (behind a wiper). Coinrail ICO robbery. Chinese espionage. G7 agrees to a coordinated response to hostile cyber operations. Malwaretech faces new charges.
Episode Date: June 11, 2018In today's podcast, we hear about more SWIFT fraud, with a wiper attack as misdirection. Cryptocurrency exchange looted of ICO tokens. Chinese espionage in Rhode Island, and a conviction in Virginia. ...Dropping Elephant spearphishes in think tanks. G7 agreement suggests a coordinated response to hostile cyber operations. Net neutrality expired this morning in the US. And Marcus Hutchins faces additional charges. Jonathan Katz from UMD discussing hashing. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
More swift fraud with a wiper attack as misdirection.
A cryptocurrency exchange has been looted of ICO tokens.
Chinese espionage in Rhode Island and a conviction in Virginia.
Dropping elephant spearfishes in think tanks.
The G7 agreement suggests a coordinated response to hostile cyber operations.
Net neutrality expired this morning in the U.S.
And Marcus Hutchins faces additional charges.
faces additional charges.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, June 11, 2018.
There's been a fresh attempt, and a successful one,
at SWIFT fraud.
SWIFT, the International Interbank Financial Transfer System,
was used against Banco de Chile to steal about $10 million.
The bank said the losses occurred during a May attack, when hackers successfully took the money via electronic transfer.
The criminals used wiper malware to corrupt the master boot records of some 9,000 systems.
This aspect of the attack was apparently misdirection, intended to distract
IT staff while the hackers accomplished their main objective, swift transfer fraud.
CoinRail, a cryptocurrency exchange based in South Korea, disclosed yesterday that it had
been the victim of a cyber attack in which ICO tokens for PundiX, Enper, and Aston were taken.
There's also the possibility that tokens for Dent and Tron were stolen as well. The exchange estimates that between $30 million and
$40 million were taken. It's working to freeze the stolen accounts. The incident spooked investors.
Cryptocurrency valuations took a significant hit as speculators dumped their holdings.
Bitcoin wasn't directly involved in the CoinRail affair,
but observers think this and other crimes have contributed to the leading cryptocurrency's decline
from its $19,000 peak to its current valuation, which is just shy of $6,800.
Several different accounts of cyber espionage are in the news as the week begins.
The U.S. Navy continues to be relatively closed-lipped about Chinese exfiltration of sensitive information from a contractor's systems.
The contractor, so far unnamed, works for the Naval Undersea Warfare Center in Rhode Island.
Rhode Island. The company is said to have reported, as required, a cyber incident,
and the Washington Post reported late Friday that the incident was indeed a Chinese intelligence operation. The information lost is said to concern sensors, submarine cryptographic systems,
and weapons. The Navy declines to comment, noting the sensitivity of such investigations,
but will be following the story as it develops.
of such investigations, but we'll be following the story as it develops.
In another espionage case related to Chinese intelligence services, a jury in Virginia this past Friday convicted former CIA officer Kevin Mallory of conspiracy to deliver information,
attempted delivery, delivery of defense information to aid a foreign government, and making materially
false statements.
His sentencing hearing is set for September 21.
The charges of which Mallory was convicted carry a maximum sentence of life.
Mallory, facing financial troubles as he attempted to run his own consulting practice
after leaving government service, was contacted by a headhunter on LinkedIn.
That headhunter was indeed a talent
scout, but a talent scout for Chinese intelligence. Mallory's attorney represented his client as
someone who reported his concerns about the Chinese to the CIA, but who was in fact trying
to run an operation as a kind of triple agent against Beijing. The jury didn't buy this.
U.S. authorities became suspicious of Mallory when
he was observed bringing some $16,000 in cash when he returned to the U.S. from a trip to Shanghai
in April 2017. He'd been prospected by his Chinese handler over LinkedIn in February of that year.
This is another cautionary tale in the uncritical use of social media.
U.S. Assistant Attorney General John Demers commented on the case after pointing out that,
it is a sad day when an American citizen is convicted of spying on behalf of a foreign power.
Demers added a pointed warning to China. This act of espionage was no isolated incident.
The People's Republic of China has made a sophisticated and concerted effort to steal our nation's secrets.
Today's conviction demonstrates that we remain vigilant against this threat
and hold accountable all those who put the United States at risk through espionage.
End quote.
Mallory's case will be followed by at least one other.
Another former intelligence officer, Ron Rockwell Hansen,
was charged last week with attempted espionage,
for which the Chinese services paid him up to $800,000.
Other nations, of course, remain active in cyber espionage.
There's widespread suspicion that North Korea will be up to something
as the Kim-Trump summit opens this week.
And security firm Valexity has published an updated look at the threat actor Patchwork,
which is also tracked as dropping elephant.
Since it's an elephant, it's a good bet that it's associated with India,
and that is indeed how Valexity describes it.
Patchwork is displaying renewed interest in U.S. think tanks,
repurposing think tank articles and studies as fish bait. Much of the subject matter it uses in its fishing,
spearfishing actually, since it's closely targeted, has to do with comment and study
of Chinese activities, particularly in disputed territorial waters.
The G7, maybe all seven, but at least six of them, agreed at their meetings last week to
take coordinated action in response to cyber attacks by hostile states. An official statement
by the British government summed the agreement up. One, sharing of threat intelligence, including
hostile activity, techniques, and practices. Tworoving understanding of partner countries' policies
and thresholds for taking action,
3. Support for independent international institutions,
4. Work with industry to strengthen physical and digital infrastructure,
5. Coordinated attribution of hostile activity,
and 6. Joint work to assert a common narrative and response.
Note that last point, common narrative.
If that doesn't say information operations, then we don't know Arkansas.
In the U.S., the long-expected expiration of Federal Communications Commission net neutrality rules happened this morning.
There's ongoing litigation concerning the new rules,
which give broadband providers wider latitude to control and manage the web traffic they carry.
There are also various laws under consideration in Congress and some U.S. states to develop some alternative forms of public oversight of Internet service providers.
And finally, Marcus Hutchins, the researcher whose white hat nom de hack was malware tech,
gained fame and widespread admiration for his discovery of the kill switch in WannaCry.
Shortly thereafter, he gained notoriety when he was charged by U.S. authorities with crimes related to the creation of the Kronos banking trojan.
He's in more hot water now, again with the U.S.,
where he's been charged with developing and distributing the UPAS kit,
described as a modular HTTP bot that installs itself on victims' machines without tripping AV alerts.
Mr. Hutchins says he didn't do it.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash
careers to learn more. Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is jonathan katz he's a professor of computer science at the university of maryland and also director of the maryland cyber security center jonathan welcome back
i wanted to talk today about hashing emails and this whole notion that hashes can be reversed
and kind of the the where does hashing where does hashing leave us when it comes to
actually providing any sort of privacy or anonymity? Can you give us a little lesson here?
Hash functions actually are ubiquitous now. They're used in all kinds of applications. I think
what you're referring to is hashing email addresses as a way to provide some kind of pseudonymity or anonymity for individual users.
And the interesting thing about these hash functions is that a well-designed cryptographic hash function
is actually supposed to be non-invertible, meaning that if I hash some value and then present you the output,
you should not be able to figure out from the output what the input was.
Now, the problem with that is that it's true that
these hash functions are uninvertible, but anybody can compute them. They're not keyed. They're not
like encryption schemes. And so anybody, they're public algorithms. Anybody can go ahead and
evaluate them. And so the problem is that even though the hash function itself is uninvertible,
an attacker who's presented with a hash output but knows that the input was chosen from a small
set of possibilities,
can enumerate over all the possibilities, compute all the hashes, and then find out
which one corresponds to the output it was given. So if someone knows what my email address is,
they could somehow align that with a hash of it and then use that to track me around the internet,
for example? Well, exactly. So I mean, to take the simple example, like you were mentioning, if I hash your email address and give it to somebody,
just by looking at that value, you know, they have no way to tell that it corresponds to your
address. But if they wanted to verify whether it did indeed correspond to your address, all they
would have to do is compute the hash of your email address themselves and then check whether the
output matches. These hash functions are deterministic. They always give the same output when run on the same input. And so that would
allow them to verify that this value did indeed correspond to a hash of your email address.
Now, in a more general scenario, one way to see this, for example, is to consider what would
happen if somebody presented you with a hash of somebody's social security number. So a priori,
you don't know that person's social security number. You'd
have no way to verify whether the output you got really corresponded to their social security
number or not. But on the other hand, social security numbers are only nine digits long.
And so somebody could enumerate over all possible nine-digit social security numbers,
hash each one of those, and then see which of those hashed results corresponded to the value they
were given.
And in that way, they could essentially end up reversing the hash value they were given
and de-anonymizing that particular individual.
And the same thing would apply to email addresses as well.
I saw an estimate recently that the number of valid email addresses is on the order of
about 5 billion.
And so hashing all 5 billion of those possible addresses and seeing what those
hash values corresponded to would allow you then to de-anonymize a hash value that you were presented
with. Now, is this a matter where once you've reversed one hash, does it get quicker or easier
to, as you go, does each one you sort of decode, does it make it a little easier to do the next
one or is there a randomness built in? No, actually, it's not the case. So these hash values are all essentially independent. And so
figuring out the value that corresponds to one person's hash doesn't necessarily help you with
the other one. But if you think about it, though, if you're given two different hash values,
and in the process, if we go back to the social security number example, if in the process of
hashing all those nine-digit social security numbers, you're going to end up finding both of those values.
So in essence, the work that you're doing in hashing all those SSNs is going to allow you then to actually end up inverting all those hash values.
So from that point of view, you can amortize the work and basically figure out everything in one go.
Right, right. I guess the total set of possible numbers decreases each time you get one.
Well, it's basically you're doing everything. And so once you do everything, you can break anything.
So given that this is the case, what are people doing to mitigate this possibility?
Well, you have a similar situation that comes up with hashed passwords. So very often servers will
store hashed passwords of the users often servers will store hashed passwords
of the users on their site.
And you run into the same sort of problem
because if a server stores the hash of somebody's password
and an attacker might guess, let's say,
that that password is an eight-character password,
they can enumerate over all possible eight-character passwords
and then figure out what your password was
after being given your hash.
And so one thing that you can do
to kind of make it
harder for the attacker is to make sure that the work they invest in figuring out one user's
password is not going to be of any benefit to them in figuring out another user's password.
And the technique that's done to ensure that is called salting. So what you do is you basically
pick a random salt per user, a random value for every user,
and you compute the hash of the user's password along with the salt value that you've chosen.
And this means that the attacker can still do
the same kind of a brute force attack like before,
but now it's going to have to be hashing
all possible passwords
along with one particular user's salt,
and that's not going to help it figure out
the password that results in the hash involving another person's salt.
And so this makes it just harder for the attacker.
It doesn't make it any harder to crack one user's password,
but it means that now they have to spend the same amount of work to crack each user's password at the server.
Well, as always, thanks for explaining it to us.
Jonathan Katz, thanks for joining us.
Thank you.
Thank you. Thank you. with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in. Thank you. insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.