The CyberWire Daily Podcast 6.16.16
Ep 122 | 6.16.16

xDedic, Guccifer 2.0...but what really knocks us out is those cheap sunglasses.


Dave Bittner: [00:00:04:09] Swiss authorities make a collar in the Panama Papers case. Guccifer 2.0 claims he hacked the Democratic National Committee. Investigation into the Orlando shootings looks at Omar Mateen's online activities. Anonymous hits ISIS, both discriminately and indiscriminately. US JTF-Ares conducts cyber operations in theater against ISIS. xDedic is the newest corner of the black market, where people are buying cheap access to servers. Telegram may not be vulnerable after all. Patch Tuesday notes. And how to buy cheap sunglasses.

Dave Bittner: [00:00:42:16] Once again I want to thank one of our sponsors, E8, and ask that question, do you fear the unknown? Lots of people do of course. The Bermuda Triangle, the Loch Ness Monster, stuff like that. But we're not talking about those. We're talking about real threats. Unknown unknowns that are lurking in your networks. The people at E8 have a white paper on hunting the unknowns with machine learning and big data analytics that go beyond the old school legacy signature matching and Human Watch standing. Go to and download their free white paper, "Detect, Hunt, Respond." It describes a fresh approach to the old problem of recognizing and containing a threat no-one's ever seen before. The known unknowns like menehune and skunk apes, they're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them. Check it out. It's

Dave Bittner: [00:01:40:00] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, June 16th, 2016. First a quick follow-up on the long-running Panama Papers case. Swiss police have made an arrest. They've collared an IT staffer who worked in Mossack Fonseca's Geneva offices. The man they detained, however, apparently isn't the person who released the stolen documents. Bastian Obermayer, the reporter with Le Temps who worked on breaking the story of the arrest, has tweeted, quote, "According to our information the #mossackfonseca IT person arrested in Geneva is not #panamapapers source 'John Doe'," end quote.

Dave Bittner: [00:02:14:16] Someone calling himself, herself, or themselves “Guccifer 2.0” claims responsibility for the DNC hack and dumps a couple of hundred pages of apparent Democratic Party opposition research on presumptive Republican US Presidential nominee Donald Trump. Guccifer 2.0 is not to be confused with the original Guccifer, henceforth perhaps to be called Guccifer 1.0, who of course is preparing to begin the sabbatical with the Federal Bureau of Prisons his guilty plea in the other cases earned him. The new Guccifer not only released the DNC's Trump dossier as a sign of his bona fides, but also said he or she or they has delivered a large quantity of stolen material to Gawker and Wikileaks. Guccifer version 2.0 also takes some verbal shots at CrowdStrike, saying the company’s talk of Fancy Bear and Cozy Bear is sloppy nonsense, an indicator of poor quality work. CrowdStrike for its part stands by its attribution.

Dave Bittner: [00:03:09:16] It’s worth noting that incidents like this tend to be complex and can have more than one actor involved (as may, for example, have been the case with the Sony hack). The PDFs of opposition research documents posted by Gawker, for example, contain error messages in Russian, complete with Cyrillic characters, at broken links. This of course doesn't mean that Russian intelligence services were involved, but it does suggest some passage through Russian networks. In any case, more documents will probably be forthcoming. Guccifer 2.0 also says that he or she got access to Hillary Clinton’s servers. We’ll continue to follow the story.

Dave Bittner: [00:03:46:02] Turning to investigation of the massacre in Orlando, US investigators have turned up more online jihadist rhetoric posted by the shooter. US Senator Ron Johnson, a Republican from Wisconsin, who chairs the Senate Homeland Security Committee, has sent a letter to Facebook asking for information about Omar Mateen’s interactions on the social media platform. The Senator’s letter quotes one post in particular. Quote, "America and Russia stop bombing the Islamic state. I pledge my alliance to abu bakr al Baghdadi. May Allah accept me," end quote. The FBI continues to interview Mateen’s widow and others close to the shooter. In the larger conflict with ISIS, a Berlin court has sentenced an Imam to two and a half years for online incitement and recruitment. The US talks a bit more about its Joint Task Force Ares, which is running cyber support for tactical operations against ISIS in the Caliphate’s claimed territories. A US Defense Department spokesman told the Voice of America in essence that JTF-Ares is pursuing a quite conventional electronic warfare targeting approach to ISIS in cyberspace. Sometimes you watch, sometimes you listen, and sometimes you disrupt.

Dave Bittner: [00:04:57:06] How social providers should interact with problematic or controversial users remains a vexed question. Various Anonymous operators are trolling ISIS-sympathizing Twitter accounts with salacious images and alternative text. Anonymous is also said to have hit the Internet Archive, home of the Wayback Machine, with a denial-of-service attack in apparent protest against the persistence of ISIS-themed material held therein. And the father of one of the victims murdered in ISIS's November Paris massacre has brought a suit in the US District Court for the Northern District of California against Facebook, Google and Twitter, alleging that they were culpably responsible for permitting the Islamic State to recruit members and inspire attacks.

Dave Bittner: [00:05:39:01] We learned yesterday that a new hot item on the cyber black market was server access, which can be had for as little as $6 or what will get you movie ticket on Tuesdays at the Bow Tie Cinema, just outside of Annapolis Junction or so we're told. Kaspersky Lab has issued a report on the forum where that access is being traded. It's called xDedic and it's run by Russian-speaking operators. We also heard reports earlier this week that Iranian researchers had found a serious vulnerability in the messaging service Telegram. Telegram has since called the alleged bug bogus. Connoisseurs of Iranian hacking will be interested to learn that two of the researchers are among the seven Iranians under US indictment for attacks on the Bowman Street Dam and various financial sector targets. We've heard quite a bit recently about point-of-sale breaches, with Wendy's being among the more prominent corporate victims. But of course the best known method of pay card fraud is online shopping. So we put on a pair of cheap sunglasses and spoke with Wandera's Michael Covington about insecure online merchants they discovered some of their clients were using.

Michael Covington: [00:06:46:05] What caught our attention is that we saw data leakage. We saw data leakage of sensitive information, email address, user name, password, credit card number, along with expiration date, mailing address, etc. So when we started seeing that type of data leaking, i.e. it wasn't being encrypted by the app or the web service that was being accessed, we decided to do a little investigation. We wanted to know a little bit more about the app that was being used, the websites that were being accessed and that's when we found out that it was actually counterfeit goods that were being sold on the website.

Dave Bittner: [00:07:20:00] The online merchants highlighted in the report were selling knock-off sunglasses, those ads we've all seen for highly discounted Ray-Bans or Oakleys but Covington says their research turned up a number of reasons for these leaky websites.

Michael Covington: [00:07:33:11] You know, it's interesting. We, we've seen a, a number of different activities taking place on these sites that we've investigated. First and foremost, there are scam sites, so they are sites that are made to look as though they're selling a legitimate product or service and at the end of the day what they're really trying to do is steal your money, steal your identity and they're not going to shift you the good on the other side. So those are really the more fraudulent websites. I think though and, and you see this in the report that we put out, that there are also sites out there that are, I'm gonna call them legitimate businesses, where they are there to make a profit, to sell items and to actually ship them to people when they're purchased, but they're fake products. They're, they're knock-offs, they're things that are being sold to unsuspecting shoppers or people who are trying to save a buck. I also think that there's another category of site out there and it's a low budget site, a site that just hasn't spent a lot of money on infrastructure. They're trying to do as much volume and sales and minimal investment being made on the, on the infrastructure side, those guys just aren't investing in security so they're not spending the time protecting the data that they're collecting.

Dave Bittner: [00:08:41:09] Wandera's report is a good reminder to be vigilant with your sensitive data when shopping online.

Michael Covington: [00:08:46:14] Make sure that if you're parting with sensitive information, that it is being encrypted as it's being transmitted from your device to the service and that the service that you're doing business with is actually who you think it is. And you can do some, some basic things there, like looking at the URL, reading the about page, just making sure that the general cues on the website match up with what makes sense, given the transaction that you're trying to accomplish there.

Dave Bittner: [00:09:09:09] At an enterprise level, Covington suggests that if you see these kinds of risky transactions happening on your network, take it seriously and use it as an opportunity to educate your employees.

Michael Covington: [00:09:21:02] There's some behavior that we can see from end users that may be reflective of that decision-making, risky behavior like visiting a scam website where you're providing sensitive information and it's not being encrypted. I think that's indicative of your online habits in general. And so if you're in admin of a large company and you're seeing this type of activity from a particular user, that type of user probably just needs some training. You want to get them into a room, spend some time with them, showing them the best practices on how to actually engage in an online world, make sure that they're protecting themselves as well as the corporate secrets that, that they're being trusted with.

Dave Bittner: [00:09:58:05] That's Michael Covington from Wandera. You can read the report on their website. Observers think the Bad Tunnel patch is the most important Windows fix on Patch Tuesday. Admins who've applied Microsoft's June fixes are complaining that one of them, MS 16-072, exposes Group Policy settings. Researchers find flaws in Cisco small business Wi-Fi routers, but Cisco says it will patch these issues next quarter. Legal observers think the apparent failure of the Compliance with Court Orders Act of 2016 to gain traction in the US Congress is good news for encryption. We spoke with Dr. Vikram Sharma from Quintessence Labs about a technical topic of some importance to the future of encryption, quantum key distribution. We'll hear from him after the break. Finally, a Maryland gentleman currently a guest of the Governor a few blocks away from our studios has been charged with fraud. He passed the credit card information belonging to a corrections officer's wife to a colleague who then applied that information to various purchases. The gentleman in question, Mr Dontae Small, was accommodated by the Governor last October. He had fled from a traffic stop, crashed a barrier at Fort Meade, and was found the next day hiding in a storm drain on the post. Kudos to Mr Small for having selected a secure hideout…we suppose.

Dave Bittner: [00:11:27:08] It's time for me to give a quick thanks to our sponsor, ThreatConnect, you know ThreatConnect. They're the enterprise level security platform that allows you to unite all your people processes and technologies behind an intelligence-driven defense. They're teaming up with Forrester, the global research and advisory firm for a look at fragmentation in the security industry, what it means and what can be done about it. You can hear what they've got to say and consider how to apply the lessons to your own organization, by signing up for ThreatConnect's webinar. It's scheduled for Tuesday, June 28th, catch Forrester's Jeff Pollard and ThreatConnect's Chief Intelligence Officer, Rich Barger, as they discuss the issues fragmentation poses for organizations of all sizes and offer their thoughts on how to unify security operations in your enterprise. Visit, tell him the CyberWire sent you. Best of all, the price is right. It's free, that's

Dave Bittner: [00:12:25:05] And joining me once again is Dr Vikram Sharma, he's from QuintessenceLabs, one of our academic and research partners. Dr Sharma, you know, we've spoken previously about quantum technology, it's an area where you all are doing a lot of research there at Quintessence and we touched on quantum key distribution. I was wondering if you could dig a little deeper into what exactly is quantum key distribution?

Dr Vikram Sharma: [00:12:47:06] Well, quantum key distribution is a mechanism of transporting encryption keys securely between two locations. And in this particular instance, it applies to using light to transport these keys very securely, optical comms. In its earliest incarnation, what had been done was single photons of light were polarized or spun in a particular way so vertical could be a one and a horizontal zero sent between two locations and if anybody tried to intercept those photons in flight, they would disturb the spin and therefore reveal the eavesdropping. What QuintessenceLabs has been doing is taking the same principals but applying it to a highly tuned laser and hundreds of millions, billions of times per second, we modulate very small signals at the quantum level, like doing am and sm, onto the laser. And similar to the single photon model, if there's any act of eavesdropping on this optical signal while it's being transported over, say optic fiber, that eavesdropping will be revealed.

Dave Bittner: [00:14:01:16] So it's sort of that, that old-- it's that old scientific principle about how the observation of something can change the state of it, correct?

Dr Vikram Sharma: [00:14:07:20] That's exactly right, Dave, it's a corollary of Heisenberg's uncertainty principle. If you look at something at the quantum level, your act of observation disturbs it in a measurable way.

Dave Bittner: [00:14:21:23] Alright, fascinating stuff. Dr Vikram Sharma, thanks for joining us.

Dave Bittner: [00:14:26:18] And that's the CyberWire. For links to all of today's stories, visit And if you want to put your message in front of a global audience of cyber security professionals, check out The CyberWire is produced by Pratt Street Media. Our editor is John Petrik. I'm Dave Bittner. Thanks for listening.