The CyberWire Daily Podcast 5.26.16
Ep 108 | 5.26.16

Ransomware threats. Industry (mostly good) news. US State Department IG reports on email.


Dave Bittner: [00:00:03:18] Banks think hard about shoring up their security. Neutrino's back, and a DNS campaign is serving up the PoisonIvy rat. Cyber espionage infests Indian government networks. A CEO loses his position over a costly email scam. Analysts look with tentative favor on cyber stocks, and wait for Palo Alto's results. Startups close VC funding rounds. The US state department's IG releases results of a major investigation of state's email retention and security. And, USSOCOM is looking for innovative cyber tools.

Dave Bittner: [00:00:39:01] Today's podcast is made possible by, find rewarding IT engineering opportunities in Maryland, tackling complex security challenges in the defense arena. Join G2, a growing company where creativity, curiosity and playfulness lead to innovative problem solving. Learn more at

Dave Bittner: [00:01:04:15] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday May 26th, 2016.

Dave Bittner: [00:01:10:14] Fallout from the cyber looting of the Bangladesh Bank continues. SWIFT's CEO tells a major financial conference that the incident was, as he put it, "a big deal." Gottfried Leibbrandt outlined measures the funds-transfer network wants its clients to take to shore up security and reduce the chances of another large-scale fraudulent transfer.

Dave Bittner: [00:01:30:10] Banks in the Middle East and Africa seem particularly on edge. Kenya's central bank, for one, says it has credible indicators and warnings of an imminent cyber attack. Whether that attack would be robbery, ransom, disruption or doxxing is unclear.

Dave Bittner: [00:01:46:04] The Neutrino exploit kit has been relatively quiet so far this year, at least compared to competitors like Angler, but Zscaler has observed a spike in Neutrino activity. The kit's being actively used in a malvertising campaign that drops the Gamarue/Andromeda Trojan on its victims.

Dave Bittner: [00:02:03:07] Palo Alto researchers have found another campaign in the wild that's exploiting DNS for command and control. The attacks, which Palo Alto is calling Pisloader, redirect their victims to malicious sites where they're exposed to the familiar PoisonIvy remote access Trojan.

Dave Bittner: [00:02:20:07] India's government has been among those receiving the ministrations of the people behind the Danti cyber espionage campaign. Kaspersky says that the threat actors, so far not formally attributed, but signs point to Chinese speakers, so you decide, may have established pervasive persistence in government networks. They may also be able to spoof, convincingly, emails from senior officials. Such email spoofing is also used, of course, in criminal phishing, specifically in what's known as a business email compromise. Austrian aerospace components manufacturer FACC was recently the victim of a business email compromise, disclosing on January 16th that it lost €42 million when an employee transferred those funds to a bogus account on the authority of a spoofed email purporting to be from CEO Walter Stephan. Observers are calling this kind of scam "presidential impersonation." On Tuesday, the company's board voted to remove Herr Stephan from his position, making this the latest case of a CEO's ouster over a cyber incident.

Dave Bittner: [00:03:25:12] Not all the industry news is bad, however. Stock analysts are commenting favorably about Cisco, which posted good results last week, and FireEye, whose story they find newly compelling again. Palo Alto reports its results tonight and they're being awaited with considerable anticipation. Celebrity stock picker Jim Cramer, for one, promises he'll be hollering and screaming his own sober analytical conclusions as soon as he sees what Palo Alto has to say.

Dave Bittner: [00:03:52:13] And there's some movement of venture capital into cyber security startups as well. Votiro has raised $4 million in series A funding to expand its zero-day defense offerings. Security chatbot shop Demisto emerged from stealth with $6 million in series A funding. Finally, password and identity management company Dashlane has not only closed a series C round, worth $22.5 million, but also concluded a strategic partnership with credit information firm TransUnion.

Dave Bittner: [00:04:24:04] When it comes to defense against data breaches we've seen a bit of a shift in attitude in the past few years, we've gone from saying "it'll never happen to us," to saying "we hope it'll never happen to us," to asking, "what plans do we have in place for when it happens to us?" Danny Rogers is CEO and co-founder of Terbium Labs, and his view is that defense, while still necessary, is no longer sufficient.

Danny Rogers: [00:04:47:14] You have to take this risk-managed mindset where you assume that you're going to be breached in one form or another, that data will leak out of your organization, and instead of trying to prevent everything you have to look at all the other things you can do on top of all the defensive measures. And so, if you can't stop everything, the next best thing, of course, is quick and quiet detection.

Dave Bittner: [00:05:09:13] Early in the company's history, Rogers met with a potential client that was interested in hiring Terbium to scan the internet and see if any of their private files had been shared online, but there was a catch, a pretty big one.

Danny Rogers: [00:05:21:19] We were talking to the CSO of a Swiss Bank and he said, you know, we have this client list, for example, that is our crown jewels of being a wealth management bank, and we'd like you, Terbium Labs, along these assumptions, to tell us the instant that client list leaks to the internet, we're worried about insider threats or social engineering attacks, things like that. Except, the catch is, they couldn't give us the list, and that sort of prompted, how do you build a search engine to find the needle in the haystack when you're not even allowed to know exactly what the needle looks like? We used this technique we developed called Data Fingerprinting to really pre-program it with whatever the client is interested in, but in this way that they never have to reveal it to us, so it doesn't increase their risk profile, it doesn't increase their attack surface, we don't actually store any raw data in our system, we just do what we call take fingerprints of the internet to the tune of billions a day and compare that to the fingerprints that we have on file of our client's data. And then alert them in this automated way if any of it appears, trying to bring that discovery time for data breaches down from the hundreds of days into the hours or sometimes even minutes.

Dave Bittner: [00:06:36:05] And that's Danny Rogers, CEO and co-founder of Terbium Labs.

Dave Bittner: [00:06:41:22] Various reports show surprise over the very old IT systems in use across the US Government, from the IRS to Strategic Command. Coincidentally, DARPA has awarded a grant to develop ways of securing such legacy systems from cyber attack.

Dave Bittner: [00:06:57:03] The US State Department Inspector General has released a lengthy report on email security and retention practices observed at high levels in the department. It's not pretty. Essential findings include probable violations of record retention laws and policies, lax security practices, a strong interest in protecting private emails from exposure and indications that some private servers may have sustained some sort of attacks.

Dave Bittner: [00:07:24:08] Finally, US Special Operations Command is looking for innovative ideas and capabilities for cyber operations. It would particularly like to hear suggestions from industry on social media tools. SOCOM is of course engaged with ISIS in cyberspace and the command has established an innovation lab in what the Washington Post calls a "former hipster tattoo parlor" in Tampa. They're calling it SOFWERX, that is, we guess, special operations forces works.

Dave Bittner: [00:07:54:17] We get the tattoo stuff, but hipster's a little surprising. But we don't know. What are you seeing these days on Hay Street, Delta? Anyway, good luck to you, SOCOM.

Dave Bittner: [00:08:09:14] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning co-working space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at

Dave Bittner: [00:08:30:11] Dale Drew joins me, he's the chief security officer at Level 3 Communications. Dale, on yesterday's show, we talked about the ransomware attack suffered by Kansas Heart Hospital in Wichita, they paid the ransom and the crooks came back and demanded more. Is this how it goes these days with ransomware?

Dale Drew: [00:08:47:07] You know, in most cases, the victim will receive an email directing them to where to pay the ransom, which would typically be via Bitcoin, how much the ransom is and what'll happen once they pay the ransom, which is typically getting access to a recovery password or a location where their data is stored. There typically isn't much negotiation on that very first pass, and so the victim really doesn't have a chance to talk to the bad guy; he has very limited time in order to respond. After that, once the first ransom is paid, then we see a little bit more sort of back and forth between the bad guy and the victim, where the bad guy will then contact them back, or they'll go back to that victim and say "that simply just is not enough, we want some more." Then there's a bit more of a dialog, because the bad guy's got to be able to convince the victim that indeed they will get their data back once they've paid this second ransom. It's an opportunity for the victim to be able to get some pretty critical information about the bad guy and live access to the bad guy, which is typically when companies like us are engaged to help identify where the bad guy is coming from and what group they're a part of, to be able to consult with that customer. The bad guy will typically negotiate one or two times with the victim before either deleting the data or going on their way.

Dave Bittner: [00:10:13:15] And so what are the odds of the victim actually getting their data back?

Dale Drew: [00:10:18:02] I'd say traditionally it's pretty low, I'd say it's in the 10-15% range of customers successfully getting the necessary information to recover their data.

Dave Bittner: [00:10:30:15] So, once the ransomware perpetrator has gotten you, it's too late, so, what should businesses be doing to protect themselves?

Dale Drew: [00:10:37:17] The biggest thing that we can recommend is backing up your data. A regular, disciplined backup means that, if your data is ever encrypted, or if your data is ever lost, you at least have access to a backup of that data to recover. We can't stress enough the importance of daily incremental backups of critical infrastructure and the ability to recover desktops quickly. The other one is more traditional in the sense that it's phishing security, meaning: educate your employees on what they should be clicking on and how they should be clicking on it, because the avenue for bad guys gaining access to systems to perpetrate the malware scam is through phishing email attacks, so education on knowing what employees should click on and how they should click on it is critical.

Dave Bittner: [00:11:31:19] Alright, good stuff. Dale Drew, thanks again for joining us.

Dave Bittner: [00:11:37:14] And that's the CyberWire. If you enjoy our show we hope you'll help spread the word and tell your friends and co-workers and recommend us on social media, it really does help and we really do appreciate it. The CyberWire is produced by Pratt Street Media, our editor is John Petrik and I'm Dave Bittner. Thanks for listening.