The CyberWire Daily Podcast 6.7.16
Ep 115 | 6.7.16

Hybrid SUV proof-of-concept hack. Al Qaeda peeks over Twitter's parapet.

Transcript

David Bittner: [00:00:03:22] VK is the latest social media platform to be pwned, and its users also have lousy passwords. Check Point reports vulnerabilities in Facebook Chat and Messenger. F-Secure warns of a RAT sniffing at visa applicants. Angler gets evasive with Silverlight and Flash exploits. Proof-of-concept for an SUV WiFi hack is demonstrated. MSSPs attract enterprise customers. Al Qaeda returns to social media, observers see a silver lining for Fort Meade as they look back from the three-year A.S. - that's after Snowden.

David Bittner: [00:00:38:01] Today's podcast is made possible by ThreatConnect. Join their free webinar and learn how security incidents happen at the seams between tools and teams, and how you can unite your people, processes, and technologies behind an intelligence-driven defense. Sign up today at threatconnect.com/webinar.

David Bittner: [00:01:00:20] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, June 7th, 2016.

David Bittner: [00:01:06:11] The most recent big data dump has emerged from Russia, where information on more than 100 million accounts associated with social media platform VK is being offered for sale by someone calling himself, herself, or themselves “Tessa88@exploit.im.” Coming as it does on the heels of realization that earlier breaches at LinkedIn and MySpace were much larger than thought, the lessons all should take from the incident are: don’t reuse your passwords; consider changing them (especially if you’ve reused them); and try not to use easily-guessed passwords. With respect to that last lesson, the top passwords revealed in the VK breach were, in (depressingly familiar) order: 123456; 123456789; qwerty; 111111, and 1234567890. And note—this one's really not any better than 123456, even with four extra numerals.

David Bittner: [00:02:06:10] Still, better than “dadada,” maybe. And speaking of dadada, the OurMine Team, who counted coup by revealing this to be Mark Zuckerberg’s LinkedIn password, are clearly hunting celebrity accounts. Twitter accounts belonging to Keith Richards and Tenacious D have also been reported compromised. As Brian Krebs puts it on his blog, "Password re-user? Get ready to get busy."

David Bittner: [00:02:31:02] Check Point has also reported finding vulnerabilities in Facebook's Chat and Messenger. Facebook's working on them.

David Bittner: [00:02:37:17] F-Secure says travelers applying for US visas in Switzerland are being prospected by cyber criminals serving up Qarallax RAT, or QRAT. The remote access Trojan is being delivered by someone posing as “USTRAVELDOC.COM” and using a Skype account with an easily overlooked misspelling. There’s no attribution, but some signs point to Turkish criminals as the controllers.

David Bittner: [00:03:01:12] The Angler exploit kit has developed the ability to evade Microsoft’s EMET security tools. It’s added Silverlight and Flash exploits to its functionality. Enterprises are advised not to rely on EMET as a hedge against patching. They should instead patch promptly.

David Bittner: [00:03:18:01] Researchers at Pen Test Partners have demonstrated that the Mitsubishi Outlander hybrid SUV is vulnerable to hacking through its onboard WiFi. They didn’t actually reach the vital Controller Area Network, but they were able to get to the infotainment system, which suggested to them that with a bit more time and effort they could indeed intrude into the CAN. As it was, they were able to turn the lights and climate control on and off, alter the charging program, and disable the anti-theft alarm. Mitsubishi is working on a fix. Meanwhile the carmaker advises customers to disable the WiFi app.

David Bittner: [00:03:53:17] Fortinet reports seeing signs that ransomware—which until now has enjoyed its greatest success against health care enterprises—is increasingly targeting the manufacturing sector. Since most of the vulnerabilities exploited are old and known, up-to-date patching remains the best first line of defense.

David Bittner: [00:04:11:07] This is not Patch Tuesday - that comes a week from now - but Google has issued updates for Android. Eight critical and 28 high risk vulnerabilities were closed in the June update.

David Bittner: [00:04:21:18] The Japanese telecommunications giant NTT is forming a new business unit for the managed security services market. NTT Security will combine the services of Integralis, NTT Com Security, and Solutionary.

David Bittner: [00:04:35:22] Such MSSPs are increasingly popular, especially as corporate boards take a closer interest in cyber security, and as operational responsibility for such security shifts from IT departments to line-of-business units. Raytheon yesterday released a study of how businesses are signing up for MSSPs - why, when, and how. We spoke with Raytheon’s Dave Amsler about the study’s findings and the security lessons they suggest.

Dave Amsler: [00:05:01:17] It confirmed a couple of components for me. One, that most organizations did not feel comfortable with where their capabilities were today, whether that meant they were going to have to staff up, or spend more internally, or whether they were going to outsource it, not many organizations felt comfortable with where their capabilities were.

Dave Amsler: [00:05:20:12] But the other thing that was glaring to me was the amount of customers, or respondents, that felt their current managed service provider was not providing the services they felt they needed. I felt like that was the case, but to get a survey to prove it - when you hear 84% of respondents saying they don't provide some of the advanced services they really feel they need, that tells me a lot about where we are in the industry today, and where we need to go.

David Bittner: [00:05:48:12] One of those advanced services referred to in the survey is, according to Amsler, threat-hunting. That's almost a buzz-word these days, so I asked Amsler to describe what it means.

Dave Amsler: [00:05:59:05] Up to this point, we spent a lot of time building technologies - IDS, firewall, even SIEMs, and even sandboxing solutions that are reactive in nature. They have to be told what bad looks like, either through a rule, or a signature, or "heuristics," but that essentially says, "Look for this kind of activity, or A+B=bad," and because they've seen that in the past and they know that's what an actor looks like, they tell the tool, "When you see this, alert me." So then you have analysts sitting in front of screens, waiting for bells or alarms to go off - that's a very reactive method, and we've proven that doesn't work. It doesn't find the sophisticated actor.

Dave Amsler: [00:06:41:23] To find those, you have to have data, you have to have visibility, and then you have to use different techniques to look for behaviors, to look for anomalies, to look for things that are actually inside of what appears to be normal traffic, because that's what sophisticated actors are going to look like. It's more proactive - I'm diving into the data, and I'm sifting through it, looking for behaviors, or anomalies, versus reactively waiting for a tool to tell me, "Hey, I've found bad, because you told me what bad looks like."

David Bittner: [00:07:13:18] That's Dave Amsler - he's president of Raytheon's Foreground Security team. You can read more about the survey on their website.

David Bittner: [00:07:22:20] In policy news, recent attacks circumstantially linked to Pakistan lend urgency to calls in India for establishment of a cyber command. Such a move has been under consideration for some time, and the government is under increased public pressure to act.

David Bittner: [00:07:37:22] In the US, the Administration is seeking legislation that would give investigators warrantless access to persons’ browser histories and other electronic data in espionage and terrorism cases.

David Bittner: [00:07:49:12] As ISIS cannibalizes itself under pressure, al Qaeda makes a tentative return to Twitter from Syria. The message is a pedantic restatement of their familiar call to jihad; we shall see if it resonates as inspiration the way ISIS chatter has.

David Bittner: [00:08:05:22] Finally, this week marks the third anniversary of the publication of Edward Snowden's leaks about US electronic surveillance operations. Former Attorney General Holder spoke in a general way last week about the silver lining inside that particular cloud, and this week Lawfare echoes the conclusion with a more extensive and thoughtful treatment. Lawfare thinks, with some reason, that NSA actually came out of the affair stronger, and better looking, than it went in, especially since the increased scrutiny appeared to show that the agency did indeed take its legal responsibilities more seriously than skeptics would have believed. So, to answer the question “Cui bono?” (Who's to gain?), one would say, with Lawfare, NSA. We would add, "Sure, of course, NSA, but first of all Russia’s FSB." Still, you take your silver linings where you can get them.

David Bittner: [00:09:01:23] Today's podcast is made possible by E8 Security - detect, hunt, respond. E8 Security is transforming the effectiveness of enterprise security teams. Read their informative white paper, "A Unified Use Case for Preventing Unknown Security Threats," at e8security.com/dhr.

David Bittner: [00:09:27:13] And joining me once again is Dale Drew - he's Chief Security Officer at Level 3 Communications. Dale, there's been an uptick in malicious activity originating from the Latin America region. What can you tell us about that from your point of view?

Dale Drew: [00:09:39:07] We are seeing a pretty significant increase in malicious traffic and DDoS traffic, both originating and terminating inside of Latin America. It's becoming sort of the new frontier for bad guys, and what we're seeing is bad guys are using a lot of techniques that they've gleaned or learned from other regions, and applying that to the Latin America region, where a lot of those companies and capabilities have not yet been fully baked.

Dale Drew: [00:10:07:13] So for example, we've seen a 40% increase in DDoS attacks in that region alone in the past six to twelve months. We've also seen a significant uptick in command and control systems, and compromised computers - this is traffic originating inside of Latin America as well as terminating inside of Latin America, so actors who are operating in that country are learning from advanced techniques in other regions in order to apply that within that region.

David Bittner: [00:10:35:18] Is this a matter of, on the one hand, a simple market expansion, where, as security gets tighter in the United States and Asia, and places in Europe are being attacked, the bad guys move on to the next frontier?

Dale Drew: [00:10:50:16] Yes. I would say it's a two-fold factor. I would say that organized crime syndicates in Latin America are really beginning to branch out into cyber, where they have not had that sort of frontier or capability before, and they're seeing a pretty significant amount of economical advantage in doing so. So organized crime syndicates in Latin America are creating more advanced cybercrime capabilities.

Dale Drew: [00:11:17:22] We're also seeing people outside Latin America who are seeing Latin American companies as prime targets. I would say we're seeing more traffic inside Latin America attacking other Latin American companies than we are seeing traffic from the outside, but there's definitely an uptick from the outside of that region as well.

David Bittner: [00:11:36:24] All right. Dale Drew, thanks for joining us.

David Bittner: [00:11:41:13] And that's the CyberWire. Thanks to all of you who've helped spread the word about our show. You can find more information and subscribe to our daily news brief at thecyberwire.com. Our editor is John Petrik; I'm Dave Bittner. Thanks for listening.