The CyberWire Daily Podcast 1.12.16
Ep 13 | 1.12.16

Dave Bittner: [00:00:03:11] Trochilus malware cluster hits Southeast Asian NGOs. Postmortems on the cyber attack against Ukraine's grid continue with worries for the future and another warning about squirrels. Western governments look for technical and messaging responses to ISIS. Cyber tension rises between Saudi Arabia and Iraq. Common sense lessons from recent law enforcement actions. And Wassenaar comes under US Congressional scrutiny today.

Dave Bittner: [00:00:29:20] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at

Dave Bittner: [00:00:52:20] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, January 12th, 2016.

Dave Bittner: [00:01:00:03] Arbor Networks describes a "multi-pronged" malware campaign targeting sites, most of them belonging to non-governmental organizations, in Southeast Asia. There's no formal attribution of the malware cluster yet, which Arbor is calling Trochilus, but the campaign's sophistication and choice of targets suggest to some observers that it was mounted by China's government.

Dave Bittner: [00:01:20:21] The Internet Storm Center has published an account of the xls dropper that seems implicated in the BlackEnergy attack on Ukraine's power grid. ESET, which was early to the investigation, summarizes what's known and what remains unknown about the attack. Observers glumly agree that the incident is a bellwether, not an outlier, and warn that utilities should expect more attacks in 2016. Some, like the Foundation for Resilient Societies, note that the attack in Western Ukraine seems to have operated by striking substations, and that regulatory regimes for the power distribution industry tend to neglect substations.

Dave Bittner: [00:01:56:00] For all the warnings, however, we're reminded again today by Sophos' Naked Security blog that squirrels have a far greater track record of success against the grid than hackers.

Dave Bittner: [00:02:05:22] Increasing sectarian and political tensions between Saudi Arabia and Iran inflame a guttural regional cyber riot in which many expect to see the governments themselves join, if they haven't already.

Dave Bittner: [00:02:17:06] Proclamations of fealty to ISIS emerge from the Philippines. European governments continue to work toward closer cooperation against extremism, and its resultant terror. The US Departments of State and Defense show signs of looking beyond technical approaches to fighting ISIS and toward more aggressive counter-messaging, but some American-watchers think the new style of information operations, even if it gets its messaging right, will soon find itself entangled with legal and organizational obstacles.

Dave Bittner: [00:02:43:24] Akamai warns that a malicious search-engine-optimization scheme is using SQL injection to goose search hits.

Dave Bittner: [00:02:50:15] A flaw in eBay is reported to have rendered user credentials vulnerable to compromise. Fake login pages may have enabled hackers to steal usernames and passwords.

Dave Bittner: [00:03:00:01] European data center services provider, Interxion, discloses a breach in its CRM system that may have exposed sensitive customer information.

Dave Bittner: [00:03:08:04] The Russian hacker "w0rm," associated in recent years with attacks on the BBC, the Bank of America, and Adobe, claims to have successfully broken into Citrix. W0rm's identity remains unknown. It's not even known if w0rm is a single individual or a group.

Dave Bittner: [00:03:23:07] Some Dell customers report being contacted by unusually plausible scammers who know a lot about their Dell accounts, but calls aren't from Dell, and Dell, which is investigating, says it hasn't been hacked. So where the data came from remains a mystery.

Dave Bittner: [00:03:38:08] Trend Micro has patched a remote-execution bug in its anti-virus software. A Google researcher discovered and disclosed the vulnerability. Today's the day Microsoft ends support for Windows 8 and for versions 7 through 10 of Internet Explorer, from which Redmond is transitioning to Edge. Drupal moves to improve the security of its update process. And analysts take stock of Juniper's announcement, that it's ending use of the backdoored Dual_EC_DRBG pseudo-random number generator.

Dave Bittner: [00:04:06:22] Security experts draw some familiar lessons from this week's take-down of a Romanian ATM hacking gang, and the recent guilty plea by a former baseball executive who intruded into the rival club's system. First, old, unpatched software is inherently risky. Take note, users of Windows 8 and Internet Explorer. And second, pay close attention to common-sense cyber hygiene, especially when employees transition in or out of your organization.

Dave Bittner: [00:04:32:18] Industry continues to dislike proposals by various governments to mandate weak encryption or installation of backdoors. While experts differ, the emerging consensus is that the effect of doing so would be to increase the vulnerability of Internet users without realizing any compensatory gains in security. Industry is also leery of cyber arms control agreements, which some see as tending toward the criminalization of legitimate security research. The US House of Representatives Committee on Oversight and Government Reform is holding hearings this afternoon on proposed US implementation of the Wassenaar cyber arms control regime. Symantec, VMWare, and Microsoft will be testifying and, from what we've heard from Symantec, their testimony isn't exactly going to be a mash note to the Departments of Commerce and State.

Dave Bittner: [00:05:18:10] Various cyber story-stocks, including perennial market darling FireEye, experience a sell-off but investment analysts remain generally bullish on the sector. Nice Systems agreed yesterday to purchase analytics shop Nexidia for $135m. Bloomberg speculates about 2016 tech IPOs. Their list of IPO candidates includes two cyber security firms, Tenable Network Solutions and Tanium.

Dave Bittner: [00:05:45:24] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning coworking space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at

Dave Bittner: [00:06:06:04] Joining me is John Petrik, editor of the CyberWire. John, today the US House of Representatives is holding hearings on the implementation of Wassenaar. Start us off here. What is Wassenaar?

John Petrik: [00:06:15:10] Wassenaar is an arms control agreement. Its formal name is the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. Right now, some 40 countries are parties to Wassenaar.

Dave Bittner: [00:06:28:07] So is this a treaty?

John Petrik: [00:06:30:07] No, it isn't a treaty - it's an export control regime. What that means is that all the important action with respect to Wassenaar lies in how the parties to the arrangement decide to implement it.

Dave Bittner: [00:06:39:15] What do you have to do to be a part of Wassenaar?

John Petrik: [00:06:43:04] To be admitted to the Wassenaar Arrangement, a state has to meet several requirements. First, it must produce or export arms or sensitive industrial equipment. It should follow non-proliferation policies, and it should especially adhere to the policies of: the Nuclear Suppliers Group, the Missile Technology Control regime, the Nuclear Non-Proliferation Treaty, the Biological Weapons Convention, the Chemical Weapons Convention, and the like; and it must maintain fully effective export controls.

Dave Bittner: [00:07:09:23] Here in the US, who is in charge of implementing it?

John Petrik: [00:07:13:06] In the US, the Department of Commerce, and specifically its Bureau of Industry and Security.

Dave Bittner: [00:07:18:02] Why is Wassenaar so controversial?

John Petrik: [00:07:21:01] It's been around for a while. The agreement itself has been around since 1996, and it became important to cyber security only in the last few years, as cyberspace has increasingly become a domain of conflict and various cyber tools have increasingly been seen as, and used as, weapons. So in December of 2013 there were plenary meetings at Wassenaar that reached an agreement on controlling what they call intrusion and surveillance items. The Commerce Department's Bureau of Industry and Security has published a proposed implementation of the new arrangement, and they did that just this past summer. That implementation effectively proposes requiring a license to export, re-export, or transfer in-country cyber security items.

Dave Bittner: [00:08:03:08] Who could possibly object to all that?

John Petrik: [00:08:06:01] A lot of people object to it. The proposed implementation has been, to say the least, coldly received by industry. Industry regards the prospective rule as effectively restricting, and in some cases even criminalizing, what had hitherto been considered perfectly legitimate kinds of research. The objections haven't just come from industry. The Electronic Frontier Foundation, which is not generally seen as just a shill for the IT biz, has called the proposed rule "an unworkably broad set of controls" that on the face of it would prohibit, for example, sharing vulnerability research without a license. The US House of Representatives Committee on Oversight and Government Reform is the outfit holding the hearings this afternoon, and I'm sure they will receive some interesting and vigorous testimony.

Dave Bittner: [00:08:49:09] John, thanks again for joining us.

Dave Bittner: [00:08:54:19] And that's the CyberWire. For links to all of this week's stories, along with interviews, our glossary and more, visit the CyberWire. The CyberWire podcast is produced by CyberPoint International, and our editor is John Petrik. Thanks for listening.