The CyberWire Daily Podcast 6.23.16
Ep 127 | 6.23.16
Insecurity cascades from credential breaches, homebrew servers? Cyber casus belli. Waiting for Brexit (or not).

Dave Bittner: [00:00:04:03] Studies show Brexit trending up over Bremain on Twitter as British voters go to the polls. Investment analysts foresee a surge in cyber M&A activity. Tech support scammers turn to pop-ups. There's mixed news on ransomware - good, bad, and baffling. Laws of war in cyberspace. The purported lone DNC hacker sounds a bit like a Hollywood Russian. And was that just a non-denial denial?

Dave Bittner: [00:00:32:05] I want to take a moment to thank our sponsor, E8 Security and remind you to visit to check our their free white paper, “Detect, Hunt, Respond.” It's going to give you the information you need to deal with the unknown threats in your network, the threats no one has ever seen before. E8 is going beyond legacy signature matching and human watch standing and they're hunting for these unknown threats, with machine learning and big data analytics. See what E8 has to say. Download the free white paper at We want to thank E8 for sponsoring the CyberWire.

Dave Bittner: [00:01:16:17] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday June 23rd, 2016. We begin with some developing news that’s likely to affect both security and the security industry. The UK voted on whether to remain in or leave the European Union today. Polls will close at 10:00 pm, that’s 5:00 U.S. Eastern time, and the result won’t be known until tomorrow. Research by Expert System and the University of Aberdeen, however, suggest that support for Brexit has been trending up in Twitter, handily outpacing Bremain. We shall soon see whether the on-line tracking has any predictive power.

Dave Bittner: [00:01:54:14] As investors watch Brexit/Bremain closely, analysts think they foresee a coming spike in cybersecurity mergers and acquisition. Symantec’s purchase of Blue Coat is thought by many to be a potential trigger for more M&A.

Dave Bittner: [00:02:06:20] A privately held company, SecurityScorecard, has raised $20 million in its latest venture funding round, joining LightCyber, which received the same amount from other VCs earlier this week. SecurityScorecard’s investor in this round is Google Ventures.

Dave Bittner: [00:02:23:04] In cyber crime news, tech support scammers have moved away from cold calls and toward pop-ups. Instead of saying they’re from Microsoft, they now impersonate the victim’s ISP. But Microsoft’s leading position in the industry still makes it attractive in other ways to criminal hackers. We spoke with Zscaler's Deepen Desai about new malware targeting Microsoft systems.

Deepen Desai: [00:02:43:13] So a macro is a piece of code which is written in a programming language called Visual Basic for applications. It is a piece of code that embedded in Microsoft Office documents.

Dave Bittner: [00:02:56:14] Embedding malware code into Microsoft Office macros is nothing new. It's been around since the 90s and up until recently they were all but extinct, thanks to Microsoft's efforts to eradicate them.

Deepen Desai: [00:03:07:12] Then suddenly, as has been the trend, the attack practice is focusing more on the user side, so now the attackers are leveraging Office documents with social engineering tactics, so what will happen is if you open up a malicious document that contains an embedded macro in it, you will see a security warning from Microsoft Office that says, this document contains macro and it basically preventing you from getting infected. But what hackers are now doing, and this is an irony, because they're saying that the content of this document is protected and if you want to view this content, you will have to enable the macros, 'cause then it will decrypt the content for you to review the super secret message. And a lot of users are falling for the social engineering tactic and getting infected.

Dave Bittner: [00:04:02:09] The bad guys are circumventing standard virus scanning tools by making the macros harder to read.

Deepen Desai: [00:04:08:19] By using encryption, by using obfuscation. So the second thing that they're doing is they're trying to evade automated analysis systems, also known as sandboxes. They're also trying to evade researchers and the security companies from analyzing this piece of code. So they will not run if it's open in a virtual environment and they will try to detect various aspects of virtual environment.

Dave Bittner: [00:04:34:11] Desai says that Zscaler is seeing the usual suspects when it comes to the types of payloads being delivered, and also that there's potential for cross-platform vulnerability.

Deepen Desai: [00:04:44:21] Right now we are seeing a lot of malware executables belonging to ransomware, infostealer, as well as banking Trojan families. But this could easily change to, you know, delivering, say a macros... I've seen lots of Mac users use Office applications as well.

Dave Bittner: [00:05:04:18] According to Deepen Desai, one of the primary ways to protect yourself is pretty straightforward. Be skeptical.

Deepen Desai: [00:05:10:12] Don't run the macro from a document that is telling you hey, you need to run macros to view the content of this document. Because you are, like 99.99 percent, I would even go ahead and say 100 percent of the time, you will be getting attacked. Nobody's going to have some kind of RSA encryption, you know, applied using macros. That's not standard.

Dave Bittner: [00:05:33:11] That's Deepen Desai from Zscaler. Some good news on the ransomware front comes from Emsisoft. They’ve released a decryption tool for the lesser-known ApocalypseVM exploit.

Dave Bittner: [00:05:47:08] Less well known is the news on crypto-ransomware - the kind of malware that encrypts your files and demands a ransom for the key. Crypto-ransomware has now far outstripped its older, cruder screen-blocking cousins. Kaspersky Labs has been tracking the trend, and the researchers there say that in April of this year some 54% of the extortion malware observed was crypto-ransomware. That’s a dramatic increase from the 10% registered a year ago.

Dave Bittner: [00:06:14:13] Crypto-ransomware is of course more troubling than screen lockers and blockers: the damage it does is more difficult to reverse. A fair bit of this spring’s ransomware traffic was still associated with TeslaCrypt, a variant that has since disappeared as the responsible hoods switched to other variants, mostly CryptX. The other strains Kaspersky found most active in April include CryptoWall, Cryaki, TorrentLocker, and CTB-Locker.

Dave Bittner: [00:06:41:22] No one’s actually complaining about the crooks having dropped TeslaCrypt, but researchers are a bit baffled by the tool’s apparent abandonment. Why would criminals abandon a tool still able to make them a bit of money?

Dave Bittner: [00:06:52:13] Most speculation centers on the possibility that TeslaCrypt’s operators were spooked by the attention they were getting. Perhaps the return wasn't worth the investment, or maybe the risk, because TeslaCrypt’s command and control traffic was never really a criminal market leader. As eWeek puts it, “If CryptoLocker and CryptoWall are the Coke and Pepsi of ransomware, TeslaCrypt is the knock-off that cannot be found in most stores.” Which reminds me of the reaction I got from my wife and family the one time I brought home store-brand soda. But I digress.

Dave Bittner: [00:07:26:05] Recent and ongoing worries about attacks on infrastructure and elections revive consideration of laws of war for cyberspace. On the jus ad bellum side of the question - what would justify going to war - the US is still groping toward a definition of “act of war” for cyberspace. Thinking so far pointedly hasn't ruled out kinetic retaliation for what people are calling a cyber “act of significant consequence.”

Dave Bittner: [00:07:48:23] On the other side of the issue, jus in bello - what you’re permitted to do in lawful combat - the Global Commission on Internet Governance, an international think tank, suggests nations ought to adopt certain constraints. Governments should agree, the Commission says, not to attack either critical infrastructure that’s mostly used by civilians, and not to hit core Internet infrastructure.

Dave Bittner: [00:08:11:10] We talked about issues of cyber warfare with Markus Rauschecker, from the University of Maryland’s Center for Health and Homeland Security. We'll hear from him after the break.

Dave Bittner: [00:08:18:24] Proposals for more extensive warrantless electronic investigation powers appear to have stalled this week in the U.S. Senate.

Dave Bittner: [00:08:28:01] More election-season issues surface in the U.S. as MacKeeper’s Chris Vickery reports finding 154 million voter profiles in a database exposed online. The information is of the sort used by political campaigns, and it seems to have originated with the data broker L2, not to be confused with the cyber security company L3. The compromise seems to have been the result of carelessness on the part of an L2 customer (an “unnamed national client,” as they put it) and the data have since been removed from the Internet. At least from their former, easily accessible place on the Internet.

Dave Bittner: [00:09:03:01] Nothing new in the Democratic National Committee hacking case, but Motherboard continues to close-read its chats with “Guccifer 2.0” and run them by experts in Slavic and Romance languages. They think signs point to a native speaker of a Slavic language - uncertainty about definite and indefinite articles is the principal tip-off, because, as anyone who’s watched Star Trek (the original series) can tell you, people who come to English from Russian have trouble with articles, just the way Ensign Chekhov did. There are no articles in Russian.

Dave Bittner: [00:09:37:02] Motherboard asked the Russian embassy in Washington about it, and they were told “the possibility of involvement of Russian government, including government agencies and representatives, in hacking activities is completely ruled out.” Note the statement’s telltale missing articles. It’s more obvious if you pronounce it in your best Ensign Chekhov voice.

Dave Bittner: [00:09:59:08] And turning to the embassy’s statement, please. One supposes there’s a sense in which certainty would rule out possibility. I mean, come on Jake, it’s DC. If anyone can recognize a non-denial denial a mile off, it’s an American voter. Right, Chekhov? Da.

Dave Bittner: [00:10:19:21] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand, for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at

Dave Bittner: [00:10:47:20] And joining me once again is Markus Rauschecker. He's from the University of Maryland’s Center for Health and Homeland Security. Markus, there's an article on the Federal News Radio website about the senator who wants a definition on what constitutes a cyber act of war. What's he trying to get at here?

Markus Rauschecker: [00:11:03:14] Yes, so we have this term cyber act of war, and a question of what constitutes an act of war in cyberspace has been debated for a long time. We don't really have a proper definition of that term, cyber war, so the senator is trying to create a policy that will outline how government will determine whether or not an act in cyberspace amounts to an act of war. I think what the senator and others who have tried to define this term are trying to achieve, is to create greater deterrents to prevent acts of war, because if we are defining acts of war, and if it's clear to our adversaries what constitutes an act of war, the thought is that they might be deterred from actually engaging in any kind of act that amounted to such a threshold.

Dave Bittner: [00:12:00:17] Yeah, I might point out this is Senator Mike Rounds, he's a Republican from South Dakota. You know, this bill still has to make it through committee before it makes its way to the floor of the Senate. What do you think the odds are of it actually making it to the Senate floor?

Markus Rauschecker: [00:12:16:08] So if the Senator certainly believes that defining an act of war in cyberspace will further deter adversaries from engaging this kind of behavior. But opponents of course will argue the exact opposite. They say that defining cyber war will actually embolden our adversaries and create the exact opposite effect of what the Senator's trying to achieve, because if you're defining what an act of war is in cyberspace, that creates a certain threshold, a certain line if you will. The argument goes that adversaries will do everything right up to that line, so they don't actually hit the threshold of an act of war.

Markus Rauschecker: [00:12:59:03] And it's because of this argument, I think, that the bill probably will not be successful. I think the prior administration and this administration and others believe that you don't really want to define what an act of war is because you want to have the freedom to decide on a case-by-case basis what amounts to an act of war. And what the proper response should be to a certain act in cyberspace. So you know, we'll have to wait and see how this develops, but these kinds of definitions have been attempted before and so far haven't really come to fruition.

Dave Bittner: [00:13:36:17] Alright, Markus Rauschecker, thanks for joining us.

Dave Bittner: [00:13:41:01] And that's the CyberWire. If you enjoy our daily look at cyber security news, we hope you'll help spread the word and tell your friends about our show. Our editor is John Petrik and I'm Dave Bittner. Thanks for listening.