The New York Times this week published a fascinating story about a young programmer in Ukraine who’d turned himself in to the local police. The Times says the man did so after one of his software tools was identified by the U.S. government as part of the arsenal used by Russian hackers suspected of hacking into the Democratic National Committee (DNC) last year. It’s a good read, as long as you can ignore that the premise of the piece is completely wrong.

The story, “In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking,” details the plight of a hacker in Kiev better known as “Profexer,” who has reportedly agreed to be a witness for the FBI. From the story:

“Profexer’s posts, already accessible to only a small band of fellow hackers and cybercriminals looking for software tips, blinked out in January — just days after American intelligence agencies publicly identified a program he had written as one tool used in Russian hacking in the United States. American intelligence agencies have determined Russian hackers were behind the electronic break-in of the Democratic National Committee.”

The Times’ reasoning for focusing on the travails of Mr. Profexer comes from the “GRIZZLYSTEPPE” report, a collection of technical indicators or attack “signatures” published in December 2016 by the U.S. government that companies can use to determine whether their networks may be compromised by a number of different Russian cybercrime groups.

The only trouble is nothing in the GRIZZLYSTEPPE report said which of those technical indicators were found in the DNC hack. In fact, Prefexer’s “P.A.S. Web shell” tool — a program designed to insert a digital backdoor that lets attackers control a hacked Web site remotely — was specifically not among the hacking tools found in the DNC break-in.

That’s according to Crowdstrike, the company called in to examine the DNC’s servers following the intrusion. In a statement released to KrebsOnSecurity, Crowdstrike said it published the list of malware that it found was used in the DNC hack, and that the Web shell named in the New York Times story was not on that list.

Robert M. Lee is founder of the industrial cybersecurity firm Dragos, Inc. and an expert on the challenges associated with attribution in cybercrime. In a post on his personal blog, Lee challenged The Times on its conclusions.

“The GRIZZLYSTEPPE report has nothing to do with the DNC breach though and was a collection of technical indicators the government compiled from multiple agencies all working different Russian related threat groups,” Lee wrote.

“The threat group that compromised the DNC was Russian but not all Russian groups broke into the DNC,” he continued. “The GRIZZLYSTEPPE report was also highly criticized for its lack of accuracy and lack of a clear message and purpose. I covered it here on my blog but that was also picked up by numerous journalists and covered elsewhere [link added]. In other words, there’s no excuse for not knowing how widely criticized the GRIZZLYSTEPPE report was before citing it as good evidence in a NYT piece.”

Perhaps in response to Lee’s blog post, The Times issued a correction to the story, re-writing the above-quoted and indented paragraph to read:

“It is the first known instance of a living witness emerging from the arid mass of technical detail that has so far shaped the investigation into the election hacking and the heated debate it has stirred. The Ukrainian police declined to divulge the man’s name or other details, other than that he is living in Ukraine and has not been arrested.”

[Side note: Profexer may well have been doxed by this publication just weeks after the GRIZZLYSTEPPE report was released.]

This would not be the first time the GRIZZLYSTEPPE report provided fodder for some too-hasty hacking conclusions by a major newspaper. On December 31 2016, The Washington Post published a breathless story reporting that an electric utility in Vermont had been compromised by Russian hackers who had penetrated the U.S. electric grid.

The Post cited unnamed “U.S. officials” saying the Vermont utility had found a threat signature from the GRIZZLYSTEPPE report inside its networks. Not long after the story ran, the utility in question said it detected the malware signature in a single laptop that was not connected to the grid, and the Post was forced to significantly walk back its story.

Matt Tait, a senior fellow at the Robert Strauss Center for International Security and Law at UT Austin, said indicators of compromise or IOCs like those listed in the GRIZZLYSTEPPE report have limited value in attributing who may be responsible for an online attack.

“It’s a classic problem that these IOCs indicate you may be compromised, but they’re not very good for attribution,” Tait said. “The Grizzly Steppe report is a massive file of signatures, and loads of people have run those, found various things on their network, and then assumed it’s all related to the DNC hack. But there’s absolutely no tie between the DNC hack that in any way involved this P.A.S. Web shell.”

If it’s not always clear how seriously to take conclusions from Uncle Sam about the sources of cybercrime, it certainly doesn’t help when intelligence agencies are still relying on discredited sources of information about the sources of cyberattacks. As Mr. Lee observed at the top of his blog post, the Twitter account for the U.S. Defense Intelligence Agency tweeted on Aug. 14, 2017: “Cyber attacks going on right now #DoDIIS17”.

The DIA tweet included a brief video of the global threat map produced by Norse Corp., a company whose lovely but otherwise misguided efforts at cyber attack attribution have been repeatedly denounced by Lee and other cybersecurity experts. For more on how Norse self-destructed from the inside, see my Jan. 2016 story, Sources: Security Firm Norse Corp. Imploding.

One final note: Wired.com has a lengthy but tremendous new story worth reading called A Guide to Russia’s High Tech Tool Box for Subverting US Democracy. It makes a convincing case that the real, long-term goal of Russian state-sponsored hacking activity is to sow public and popular distrust in the democratic process and to weaken democratic institutions inside countries that support the North Atlantic Treaty Organization (NATO).

On Wednesday, the security industry once again witnessed an all-too-familiar cycle: I call it “security by press release.” It goes a bit like this: A security firm releases a report claiming to have unearthed a major flaw in a competitor’s product; members of the trade press uncritically republish the claims without adding much clarity or waiting for responses from the affected vendor; blindsided vendor responds in a blog post showing how the issue is considerably less dire than originally claimed.

At issue are claims made by Denver-based security company DirectDefense, which published a report this week warning that Cb Response — a suite of security tools sold by competitor Carbon Black (formerly Bit9) — was leaking potentially sensitive and proprietary data from customers who use its product.

DirectDefense warned about a problem with Cb Response’s use of “a cloud-based multiscanner” to scan suspicious files for malware. DirectDefense didn’t name the scanner in question, but it’s Google’s VirusTotal — a free tool that lets anyone submit a suspicious file and have it scanned against dozens of commercial anti-malware tools. There’s also a paid version of VirusTotal that allows customers to examine any file uploaded to the service.

Specifically, DirectDefense claimed that Cb Response’s sharing of suspicious files with VirusTotal could expose sensitive data because VirusTotal allows paying customers to download any files submitted by other users. This is the full extent of the “vulnerability” that DirectDefense labeled “the world’s largest pay-for-play data exfiltration botnet.”

Carbon Black responded with its own blog post noting that the feature DirectDefense warned about was not turned on by default, and that Carbon Black informs customers of the privacy risks that may be associated with sharing files with VirusTotal.

ANALYSIS

Adrian Sanabria, a security expert and founder of Savage Security, published a blog post that called “bullshit” on DirectDefense’s findings, noting that the company inexplicably singles out a competitor when many other security firms similarly allow customers to submit files to VirusTotal.

“Dozens of other security vendors either have an option to automatically submit binaries (yes, whole binaries, not just the hash) to VirusTotal or do it without the customers knowledge altogether,” Sanabria wrote. “In singling out Carbon Black, DirectDefense opens itself up to criticism and closer scrutiny.”

Such as shilling for a partner firm (Cylance) that stands to gain from taking Cabon Black down a few notches in the public eye, Sanabria observed [link added].

“I personally don’t believe DirectDefense is a shill for Cylance, but in singling out one of many vendors that do the same thing, they’ve stepped into a classic PR gaffe that makes them look like one,” he wrote.

My take is that most people in corporate cybersecurity roles understand what VirusTotal is and the potential privacy risks involved in uploading files to the service — either on a one-off basis or automatically submitted through some security suite like CB Response (if not, those security folks probably need to investigate another career).

That’s not to say that organizations don’t inadvertently overshare. I’ve seen instances where entire email threads and apparently sensitive documents have been submitted to VirusTotal along with embedded malware.

Lesley Carhart, a security incident response team leader and a prolific security commentator on Twitter, said there are immense amounts of trust given VirusTotal. Carhart said if a malicious actor were able to identify individual files uploaded from a target organization to VirusTotal — even just as file hashes — they could gain lots of information about the organization, including what software suites they use, what operating systems, and which document types.

“They provide an amazing free resource for the infosec community, as well as some great paid services,” Carhart said of VirusTotal. “However, we have unintentionally given them one of the largest repositories of files in the world.”

If DirectDefense’s report helped some security people better grasp the risks of oversharing with multiscanners like VirusTotal, that’s a plus. But from where I sit, these types of overblown research reports tend to live or die by uncritical and/or unbalanced coverage in the news media — also known as “churnalism.”

My advice to tech reporters: Quit taking claims like these at face value and start asking some basic questions before publishing anything. For example, the early coverage of DirectDefense’s report in the media suggests that few reporters even asked about the identity of the multiscanner referenced throughout the report. Also, it’s clear that few (if any) reporters asked DirectDefense whether it had alerted Carbon Black before going public with their findings (it hadn’t).

Pro tip: If a researcher or company with a vulnerability “scoop” doesn’t mention interaction with the affected vendor before going public with their research, this should be a giant red flag indicating that this individual or entity is merely trying to use the media to generate short-term PR buzz, and that the “vulnerability” in question is little more than smoke and mirrors.

Two young Israeli men alleged by this author to have co-founded vDOS — until recently the largest and most profitable cyber attack-for-hire service online — were arrested and formally indicted this week in Israel on conspiracy and hacking charges.

On Sept. 8, 2016, KrebsOnSecurity published a story about the hacking of vDOS, a service that attracted tens of thousands of paying customers and facilitated more than two million distributed denial-of-service (DDoS) attacks over the four year period it was in business.

That story named two then 18-year-old Israelis — Yarden “applej4ck” Bidani and Itay “p1st” Huri — as the likely owners and operators of vDOS. Within hours of that story’s publication the two were detained by Israeli police, placed on house arrest for 10 days, and forbidden from using the Internet for a month.

On Tuesday, Israeli prosecutors announced they had formally arrested and charged two 19-year-olds with conspiring to commit a felony, prohibited activities, tampering with or disrupting a computer, and storing or disseminating false information. A statement from a spokesman for the Israeli state attorney’s office said prosecutors couldn’t name the accused because their alleged crimes were committed while they were minors.

But a number of details match perfectly with previous reporting on Bidani and Huri. As noted in the original Sept. 2016 expose’ on vDOS’s alleged founders, Israeli prosecutors say the two men made more than $600,000 in two of the four years the service was in operation. vDOS was shuttered for good not longer after Bidani and Huri’s initial detention in Sept. 2016.

“The defendants were constantly improving the attack code and finding different network security weaknesses that would enable them to offer increased attack services that could overcome existing defenses and create real damage to servers and services worldwide,” Israeli prosecutors alleged of the accused and their enterprise.

“Subscribers were able to select an ‘attack’ package from the various packages offered, with the packages classified by the duration of each attack in seconds, the number of simultaneous attacks and the magnitude of the attack in Gigabits per second, and their prices ranged from $ 19.99 to $ 499.99,” the allegation continues.

Lawyers for Bidani and Huri could not be immediately reached for comment. But both have said their clients were merely operating a defensive “stresser” service sold to companies that wished to test whether their sites could withstand large cyberattacks.

The owners of these stresser services have sought to hide behind wordy “terms of service” agreements to which all customers must agree, arguing that these agreements absolve them of any sort of liability for how their customers use the service.

Law enforcement officials both in the United States and abroad say stresser services enable illegal activity, and they’ve recently begun arresting both owners and users of these services.

In December 2016, federal investigators in the U.S. and Europe arrested nearly three-dozen people suspected of patronizing stresser services (also known as “booter” services). That crackdown was billed as part of an effort by authorities to weaken demand for these services, and to impress upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail.

In October 2016, the U.S. Justice Department charged two 19-year-old men alleged to have operated a stresser service affiliated with the hacking group known as the Lizard Squad.

KrebsOnSecurity paid a heavy price for breaking the story on vDOS’s hacking and the subsequent arrest of its alleged proprietors. Less than two weeks after those stories were published in September 2016, this site came under one of the largest DDoS attacks the Internet has ever witnessed.

That series of attacks ultimately knocked this site offline for nearly four days. According to follow-up reporting published in January 2017, the attacks were paid for by a cybercriminal who was upset and/or inconvenienced by my exposé on vDOS.

At the height of vDOS’s profitability in mid-2015, the DDoS-for-hire service was earning its then-17-year-old proprietors more than $42,000 a month in PayPal and Bitcoin payments from thousands of subscribers. That’s according to an analysis of the leaked vDOS database performed by researchers at New York University.

Adobe has released updates to fix dozens of vulnerabilities in its Acrobat, Reader and Flash Player software. Separately, Microsoft today issued patches to plug 48 security holes in Windows and other Microsoft products. If you use Windows or Adobe products, it’s time once again to get your patches on.

More than two dozen of the vulnerabilities fixed in today’s Windows patch bundle address “critical” flaws that can be exploited by malware or miscreants to assume complete, remote control over a vulnerable PC with little or no help from the user.

Security firm Qualys recommends that top priority for patching should go to a vulnerability in the Windows Search service, noting that this is the third recent Patch Tuesday to feature a vulnerability in this service.

Qualys’ Jimmy Graham observes that many of the vulnerabilities in this month’s release involve the Windows Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritizing for workstation-type systems.

According to Microsoft, none of flaws in August’s Patch Tuesday are being actively exploited in the wild, although Bleeping Computer notes that three of the bugs were publicly detailed before today’s patch release.

Case in point: This month’s patch batch from Microsoft does not address the recently-detailed SMBLoris flaw, a vulnerability in all versions of Windows that can be used to remotely freeze up vulnerable systems or cause them to crash.

For those of you who still have Adobe Flash Player installed in a browser, it’s time to update and/or restart your browser. The latest version of Flash Player is v. 26.0.0.151 for Windows, Mac and Linux systems.

Windows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then. Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are ready to install).

Better yet, consider removing or at least hobbling Flash Player, which is a perennial target of malware attacks. For more on how to do that and other ways to reduce your exposure to Flash-based attacks, see this post.

By the way, the bulk of the vulnerabilities that Adobe patched today were in versions of its Acrobat and Adobe PDF Reader software. If you use either of these products, please take a moment to update them today.

As always, if anyone experiences weirdness or troubles after installing today’s updates, please leave us a note about it in the comments.

Adobe last week detailed plans to retire its Flash Player software, a cross-platform browser plugin so powerful and so packed with security holes that it has become the favorite target of malware developers. To help eradicate this ubiquitous liability, Adobe is enlisting the help of Apple, Facebook, Google, Microsoft and Mozilla. But don’t break out the bubbly just yet: Adobe says Flash won’t be put down officially until 2020.

In a blog post about the move, Adobe said more sites are turning away from proprietary code like Flash toward open standards like HTML5, WebGL and WebAssembly, and that these components now provide many of the capabilities and functionalities that plugins pioneered.

“Over time, we’ve seen helper apps evolve to become plugins, and more recently, have seen many of these plugin capabilities get incorporated into open web standards,” Adobe said. “Today, most browser vendors are integrating capabilities once provided by plugins directly into browsers and deprecating plugins.”

It’s remarkable how quickly Flash has seen a decline in both use and favor, particularly among the top browser makers. Just three years ago, at least 80 percent of desktop Chrome users visited a site with Flash each day, according to Google. Today, usage of Flash among Chrome users stands at just 17 percent and continues to decline (see Google graphic below).

For Mac users, the turning away from Flash began in 2010, when Apple co-founder Steve Jobs famously penned his “Thoughts on Flash” memo that outlined the reasons why the technology would not be allowed on the company’s iOS products. Apple stopped pre-installing the plugin that same year.

“Today, if users install Flash, it remains off by default,” a post by Apple’s WebKit Team explains. “Safari requires explicit approval on each website before running the Flash plugin.”

Mozilla said that starting this month Firefox users will choose which websites are able to run the Flash plugin.

“Flash will be disabled by default for most users in 2019, and only users running the Firefox Extended Support Release will be able to continue using Flash through the final end-of-life at the end of 2020,” writes Benjamin Smedberg for Mozilla. “In order to preserve user security, once Flash is no longer supported by Adobe security patches, no version of Firefox will load the plugin.”

Facebook has long hosted plenty of games that invoke Flash, but over time more Facebook apps and games turned to HTML5, the company said.

“Today, more than 200 HTML5 games are live on our platform, most of which launched within the last year,” wrote Facebook’s Jakub Pudelek. “Many of the largest developers on the platform…migrated at least one Flash game to HTML5 on the Facebook platform with minimal impact to their existing customers.”

Finally, Microsoft said it has begun phasing out Flash from Microsoft Edge and Internet Explorer, culminating in the removal of Flash from Windows entirely by the end of 2020. For now, Microsoft Edge, the default browser on newer versions of Windows, will continue to ask users for permission to run Flash on most sites the first time the site is visited, remembering the user’s preference on any subsequent visits.

By mid- to late 2018, Microsoft says, Edge will require permission for Flash to be run each browser session. But by mid 2018, Microsoft will disable Flash by default in both Edge and Internet Explorer. Read more about Microsoft’s timeline for Flash elimination here.

For years, unpatched vulnerabilities in Flash plugins have been the top moneymaker for users of various commercial “exploit kits,” crimeware designed to be stitched into the fabric of hacked or malicious sites and exploit browser plugin flaws.

An analysis of exploit kit activity  by Arlington, Va.-based security firm Recorded Future showed that Flash Player vulnerabilities provided six of the top 10 vulnerabilities used by exploit kits in 2016 [full disclosure: Recorded Future is an advertiser on this blog].

I look forward to a time when Flash Player is in the rearview mirror entirely. Until then, KrebsOnSecurity will continue to call attention to new security updates for Flash Player and other widely used Adobe products.

Even so, I’ll also continue to encourage readers to remove or hobble Flash Player unless and until it is needed for a specific site or purpose. More on that approach (as well as slightly less radical solutions ) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.

For readers still unwilling to cut the cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

Another, perhaps less elegant, solution is to keep Flash installed in a browser that you don’t normally use, and then to only use that browser on sites that require it.