The CyberWire Daily Podcast 5.16.16
Ep 100 | 5.16.16

Social media collection suggests ISIS in trouble. Russian government cyber activities. US VA wants dark web help.


Dave Bittner: [00:00:03:17] CrytpX ransomeware gets decrypted again. ISIS may be fraying online. Germany's BfV says Russia is behind Pawn Storm. Russia prepares to shut down some 4,000 sites as nests of extremism and drug trafficking. The Vietnamese commercial bank mentioned in a SWIFT-related case says it detected and stopped the attempted fraud. Hacktivists continue doxxing and DDoS campaigns against banks. Bug bounties prove tough to price. The VA wants industry's help in the dark web. And how come Vlad gets better Twitter analytics than Jim?

Dave Bittner: [00:00:38:03] This CyberWire Podcast is brought to you by Recorded Future, the real-time threat intelligence company, who's patented web intelligence engine continuously analyses the entire web to give information security analysts unmatched insight into emerging threats. Sign up for free daily threat intel updates at

Dave Bittner: [00:01:02:00] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, May 16th, 2016. We'd like to open the week with a bit of good news and a reminder that white hats can evolve their products just as well as black hats can. CryptX ransomware had become resistant to the tools released to unlock its victim's files, but Kaspersky has cracked the latest CryptX version and the tool to free your data is available as RannohDecryptor. It can be downloaded from Kaspersky Labs' support website. Bravo, Kaspersky.

Dave Bittner: [00:01:31:19] US officials report signs of shrinkage and disarray in ISIS. Intelligence garnered from observation of social media, suggest that the self-proclaimed caliphate is having difficulty sustaining effective inspiration online and that pressure on the ground has induced it to declare a state of emergency in its self-proclaimed capital, Raqqa, Syria. The endgame is expected to be tragic and ugly. Signs suggest ISIS may be seeking to move its center of gravity from the Levant to the Sahara's Mediterranean coast as it shifts operations to Libya and then, perhaps, Tunisia. Al-Qaeda seems poised for an attempt to displace its rival in Syria itself; expect a surge in information operations from the Base.

Dave Bittner: [00:02:14:21] The Pawn Storm Advanced Persistent Threat group has long been regarded by observers as an agent of Russian security services. One of its victims is now making an official attribution: Germany's domestic intelligence service, the BfV, has asserted that the Russian government is engaged in a longstanding cyber espionage campaign against a wide range of targets; enemies, or as the BfV puts it, in a way that would seem designed to suggest Kremlin paranoia, suspected enemies. The targets prominently include Germany's parliament. Pawn Storm and its Sofacy tool have been found in a variety of other places. Researchers at Trend Micro and elsewhere, have remarked on Pawn Storm activity in Turkey, as well as Germany.

Dave Bittner: [00:02:58:05] Russian authorities are also active domestically, announcing plans to close some 4,000 websites on the grounds that they encourage extremism or facilitate drug trafficking, and in a move widely regarded as a response to government displeasure with its reporting on the Panama papers, Russian privately-held news business, RBC, has fired its three senior editors. RBC and its editors had reported extensively on oligarch's appearance in documents obtained through the Mossack Fonseca breach.

Dave Bittner: [00:03:27:20] Investigation into the SWIFT-linked Bangladesh Bank hack continues. Researchers from BAE are doing much of the ground work, here, with more reports that malware associated with the fraud bears significant similarities to code that appeared during the Sony hack. Last Thursday reports of another attempted bank raid appeared and over the weekend more information emerged. Vietnam's Tien Phong Bank says it’s the bank cyber criminals targeted, but that they were able to detect and stop the attempted fraud. SWIFT has continued to update its customers on this unfolding security story.

Dave Bittner: [00:04:00:16] For its part, the New York Federal Reserve Bank responded to an inquiry about security from U.S. Representative, Carolyn Maloney, a Democrat from New York, with a statement that it stands by its funds transfer procedures, and that it relies principally on SWIFT verification for fraud prevention.

Dave Bittner: [00:04:18:06] The CyberWire received some commentary from Dave Amsler, president and founder of Raytheon Foreground Security, on what people are calling, for want of a better shorthand name, “the SWIFT Heist”. He advocates proactive hunting for threats in a network, especially as criminals grow more adept at evading detection by signatures. Even attacks previously seen can be modified into newly effective forms that evade legacy detection systems. “Looking at the recent SWIFT heist, it is clear that adversaries had gained significant access within those networks.” Thus enterprises should look within as well as without.

Dave Bittner: [00:04:54:19] Other, unrelated attacks, have continued to hit banks. The Turkish hacktivist group Bozkurtlar - people seem to think they’re hacktivists anyway - released data they appear to have obtained from the Commercial Bank of Ceylon. Bozkurtlar is thought to have been responsible for earlier, similar attacks on the UAE’s InvestBank and the Qatar National Bank.

Dave Bittner: [00:05:15:01] And Operation Icarus continues its DDoS campaign against the world financial system, as Anonymous hits banks in France, the UAE, the Philippines, Tunisia, and Trinidad and Tobago.

Dave Bittner: [00:05:26:24] In the marketplace, analysts continue their efforts to interpret the cyber security investment roller coaster. Cisco’s results, to be announced later this week, are awaited with particular interest.

Dave Bittner: [00:05:38:04] Bug bounties grow in popularity. How these bounties are priced, however, remains a matter of some controversy. The market that sets the price is complex and, necessarily, it would seem, far from transparent. Passcode notes this has led to a complicated mix of satisfied and dissatisfied bug hunters.

Dave Bittner: [00:05:56:08] The US Department of Veteran Affairs, the familiar VA, issued a request for information last week that asks companies what they can do to help the VA scan the dark web for evidence of compromised and stolen data.

Dave Bittner: [00:06:09:14] Twitter’s decision late last week to end the US Intelligence Community’s access to Dataminr social media analytics isn’t playing well in the press. Wired calls it "a move that left many scratching their heads," and the Wall Street Journal notes with strong disapproval that Russia Today still gets its Dataminr feeds, so what’s up with that? It’s okay to send data in near-real-time to Vladimir Vladimirovich, but not to Jim Clapper? Come on Twitter, where’s the love?

Dave Bittner: [00:06:43:01] Today's Podcast is made possible by Find rewarding IT engineering opportunities in Maryland, tackling complex security challenges in the defense arena. Join G2, a growing company where creativity, curiosity and playfulness lead to innovative problem solving. Learn more at

Dave Bittner: [00:07:09:06] Joining me is John Leiseboer, he's the CTO at QuintessenceLabs, one of our academic and research partners, John, I know random numbers are an area of research for you at QuintessenceLabs, give us an idea, how do random numbers come into play when we're talking about cyber security?

John Leiseboer: [00:07:26:22] Almost all cryptomathic operations rely on randomness for their security properties. All cryptomathic algorithms, including cryptographic random number generators themselves, are deterministic. This means that, given the same input and internal state, their outputs will always be the same. This is very important for operations like encryption and digital signatures. For example, if the outputs were not deterministic, they could never decrypt encrypted data and we could never verify a digital signature. However, if we want to use cryptography to share information with confidentiality, integrity and non-repudiation, it's essential that session keys, identity keys, initialization vectors and other parameters, that are used in cryptographic algorithms and protocols are unique and they must be unpredictable as well. Now, this is where random numbers come to play as they provide this uniqueness and unpredictability.

Dave Bittner: [00:08:24:14] Alright, so from a practical point of view, what are the options when it comes to generating random numbers?

John Leiseboer: [00:08:30:02] There are two forms of random number generators in general use, one is called pseudo random number generator, the other is a true random number generator. Pseudo random number generators, also known as deterministic random bit generators, are entirely predictable, their randomness of the outputs of a pseudo random number generator is entirely dependent on the seed material of the input; the seed material must be unpredictable and must be truly random. So, although it's a predictable source, it must be fed with an unpredictable source to give it its randomness qualities. The uncertainty in the output of a pseudo random number generator, decreases with every new number drawn from it. The uncertainty is highest when the RNG is seeded or re-seeded, but after that, the uncertainty, or the entropy content as we call it, decreases.

John Leiseboer: [00:09:19:21] On the other hand, true random number generators, also known as non-deterministic random bit generators, produce unpredictable output. The most unpredictable true random number generators, have what we call, full entropy output. Generally, true random number generators are preferable to pseudo random number generators for security purposes. In practice, pseudo random number generators may be used because the environmental platform or some other characteristic of where the application or device is being used, is unable to support a true random number generator. However, when this is the case, the pseudo random number generator must be seeded and preferably re-seeded with a high entropy unpredictable source of randomness, such as is produced by a true random number generator. When the environmental platform is able to support a true random number generator, there's no excuse to not use one.

Dave Bittner: [00:10:10:00] Alright, John Leiseboer, thanks for joining us.

Dave Bittner: [00:10:16:08] And that's the CyberWire. Thanks to all of you who've taken the time to post reviews on iTunes, it really does help us stand out from the crowd, and we appreciate it. We also appreciate your cards and letters, so a special shout out to Marie-Lynn and also to Phil, for letting us know what we're doing right, and what you think we need to work on. That data are good. Is good. Argh. I never get that right.

Dave Bittner: [00:10:37:06] For links to all of today's stories, along with interviews, our glossary, and more, visit The people who are interested in those stories tend to be people who read or listen to the CyberWire. If you'd like to reach them, visit, to find out how you can sponsor the news brief or podcast. And thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. I'm Dave Bittner. Thanks for listening.