The CyberWire Daily Podcast 7.5.16
Ep 134 | 7.5.16

Statecraft, spycraft, & warcraft: inspiration, cells, & espionage. Cybercrime & punishment.


Dave Bittner: [00:00:03:17] ISIS mixes inspiration with clandestine cells as its territory shrinks. EU Internet surveillance is criticized as both porous and unaccountable. OurMine again tries marketing by hacking. Adwind is back and likely to spread. Researchers offer insight into MNKit and SBDH malware. In ransomware, Zepto succeeds Locky, and Satana follows Petya's footsteps. ThinkPwn appears as a proof-of-concept, but not yet in the wild. And we've got updates on US election hacks and email handling investigations.

Dave Bittner: [00:00:42:08] I want to take a moment to tell you about our sponsor E8 Security. You know, to handle the unknown unknown threats, you need the right analytics to see them coming. Consider the insider threat and remember than an insider threat isn't necessarily a malicious actor. Sometimes it's a well-intentioned person who's careless, compromised, or just poorly trained. Did you know you can learn user behavior and score a user's risk? E8 can show you how. Did you know for example that multiple Kerberos tickets granted to a single user is a tip off to a compromise? E8 can show you why. Get the free white paper at and get started. Detect, hunt, respond. E8 Security, and we thank E8 for sponsoring the CyberWire.

Dave Bittner: [00:01:32:11] I'm Dave Bitmore in Baltimore with your CyberWire summary for Tuesday, July 5th, 2016.

Dave Bittner: [00:01:38:11] A wave of ISIS-connected terror attacks over the past weekend suggests that the Caliphate has evolved a mix of inspiration and directed operation of organized clandestine cells. The attacks, which ranged over the past week from Turkey through Israel, across the Subcontinent and into Malaysia, appear to represent the long-foreseen shift to out-of-area operations as ISIS-controlled territory shrinks. Cells, while potentially deadlier, are easier in principle to disrupt than are the self-organized attacks of inspired lone wolves. Authorities worldwide look to the Internet for ways of countering both sorts of threat.

Dave Bittner: [00:02:14:20] The European Union’s surveillance of the Internet, with Europol’s Internet Referral Unit (IRU) in the lead, is attracting criticism from digital rights group AccessNow. The IRU has proceeded largely by requesting that dangerous, potentially illicit content, be taken down. AccessNow calls this approach “haphazard, alarming, tone-deaf, and entirely counter-productive." If there’s illegal content online, AccessNow argues, it should be dealt with through a duly obtained court order directing its removal. The IRU defends its practices on the grounds of their success, and notes that the material it’s worked to remove includes, in a list Ars Technica provides “violent extremist propaganda videos, pictures of beheadings, bomb-making instructions, and speeches calling for racial or religious violence.”

Dave Bittner: [00:03:03:23] The release of old lists of compromised credentials from sites like LinkedIn and MySpace would be old news if it hadn’t continued to cause problems for those who recycle passwords. On Saturday another celebrity social media compromise occurred. Ezra Klein, Editor-in-Chief at Vox Media, had his Twitter account hacked by OurMine. OurMine, you will recall, is a group that represents itself as a legitimate white-hat security scanning business. They have proceeded by taking over accounts to show, as they would put it, security issues, and then offering to scan an enterprise’s social media presence for $5000. Thus they promote their services by compromising their prospective customers’ accounts.

Dave Bittner: [00:03:43:09] Few observers take OurMine’s claims of legitimacy or even technical skill seriously. CSO coldly reports that “most real security professionals see the group as a collective of script kiddies,” and that their purported exploits are really just fallout from the recent series of credential dumps.

Dave Bittner: [00:04:01:08] In cybercrime, we’re seeing some things old and some things new. Heimdal Security reports interesting news on the old. The Adwind remote access Trojan is back, appearing in targeted attacks against Danish companies. Heimdal speculates that Adwind is unlikely to remain confined to Denmark, since its phishmail is in English. Adwind isn’t tripping many anti-virus warnings this time around, so everyone in Midgard should be wary.

Dave Bittner: [00:04:27:05] Palo Alto reports evidence linking the MNKit exploit generator with three Chinese cyber-espionage campaigns. Those campaigns targeted the Russian military, Tibetan communities, and Uyghur minorities.

Dave Bittner: [00:04:40:24] SBDH malware is turning up in active espionage campaigns run against targets in five Eastern European countries, one former Soviet Republic, Ukraine, and four ex-members of the Warsaw Pact, Poland, the Czech Republic, Slovakia, and Hungary. ESET, the Bratislava-based security firm that uncovered and is tracking the campaigns, sees several interesting features in SBDH. The malware is using steganographic techniques to obscure some of its command-and-control features, and it displays similarities to malware that appeared in Operation Buhtrap, a criminal campaign that raided Russian banks.

Dave Bittner: [00:05:16:24] And two new ransomware strains have appeared. Locky, famous for its use against hospitals, is apparently going into occultation. It’s being replaced by “Zepto." Zepto is marked by a number of stylistic similarities to Locky, especially its requirement that victims work with it over Tor to repay the ransom.

Dave Bittner: [00:05:35:22] The second new variety is being called “Satana” by researchers at Malwarebytes. Satana follows Petya’s lead, it affects Windows machines to encrypt master boot records as well as files, thereby rendering infected devices unable to load their OS. Malwarebytes describes Satana as under development, but already functional.

Dave Bittner: [00:05:56:05] A proof-of-concept exploit has been released by Dmytro Oleksiuk, a.k.a. Cr4sh, that overrides firmware protections in Lenovo ThinkPads and possibly other, similar systems. Crash calls the exploit ThinkPwn and says he didn’t warn Lenovo before releasing it because he thinks it too difficult for exploitation in the wild. There are so far no patches or mitigations.

Dave Bittner: [00:06:19:24] The National Cyber Security Hall of Fame is taking nominations for its next class, scheduled for induction in October. Since its first class was inducted in 2012, the Hall has honored 26 of the most eminent contributors to the field.

Michael Jacobs: [00:06:33:10] Well it began in 2012, when three of us - myself, a fellow named Rick Geritz and Larry Letow - were having lunch, and one thing led to another. There was a suggestion made that we really out to begin to honor the people who formed the industry that we now talk about as cybersecurity.

Dave Bittner: [00:06:53:01] That's Michael Jacobs, the chair of the National Cyber Security Hall of Fame Advisory Board.

Michael Jacobs: [00:06:58:05] With a mission statement that reads, "The Cyber Security Hall of Fame will represent the mission, respect the past, protect the future, and will honor the innovative individuals and organizations which have the vision and leadership to create the foundational building blocks for the cybersecurity industry." There are five different categories under which someone could be nominated. The categories are technology, policy, public awareness, education, and business.

Dave Bittner: [00:07:32:19] Jacobs says there's no shortage of nominees.

Michael Jacobs: [00:07:35:06] We'll probably end up reviewing around 50, perhaps 60 nominations, and then we do that through a two round voting process. Each of the members of the board are provided five yes votes. Every year for five years we've been doing this. There was near unanimity in agreement on where the yes votes got used. There are 11 members of the board of advisors. They're drawn from industry, academia and government. There are a number of household names like, Rivest, Shamir, and Adleman, and Whitfield Diffie, and Marty Hellman, and so it's a great range of people that have been influential in starting the industry and sustaining the industry and that's what it's all about.

Dave Bittner: [00:08:25:05] Michael Jacobs shared his view that recognition of the cybersecurity industry as a whole has been a long time coming.

Michael Jacobs: [00:08:31:18] There has historically been in my experience over 52 years, a great deal of skepticism about the need for this industry. It's taken an awful long time for the industry to get established, for people to recognize the threat and for people to begin doing something about the threat. So the folks that we're talking about are people that have had great impact in causing that turnaround to occur either through technology which was simple to use, relatively inexpensive to acquire, and has in many respects become ubiquitous. People who formed industries around the technology. So these are folks that had a vision and made a significant contribution to allow things to happen.

Dave Bittner: [00:09:19:09] Nominations are open for this year's National Cyber Security Hall of Fame, and you can learn more at

Dave Bittner: [00:09:29:06] The Brexit vote has, to no one’s surprise, spawned phishing campaigns inducing the unwary to open emails offering counsel on what Brexit means for you, for the global economy, and so forth. Open your emails with caution, especially if you’re in the UK.

Dave Bittner: [00:09:44:22] Two ongoing cybersecurity stories with implications for US elections continue to develop. Guccifer 2.0 is still insisting, no, really, he’s not a Russian spy, he hacked the DNC for purely private reasons, but these protestations are falling on ears that grow progressively deafer. Election site security will remain an issue for the foreseeable future. We spoke recently with the University of Maryland's Ben Yelin on the case of a gentleman facing felony charges for hacking into a Florida elections site. We'll hear from him after the break.

Dave Bittner: [00:10:15:10] The other incident with implications for the election is the FBI’s ongoing investigation into email security, record retention, and the handling of classified information during presumptive Democratic Presidential nominee Hillary Clinton’s tenure as US Secretary of State. The Bureau interviewed former Secretary Clinton on Saturday. Her husband, former President Clinton, held an unscheduled meeting with Attorney General Lynch last Monday, and both the White House and the Justice Department were at pains late in the week to reassure everyone that the FBI’s investigation into the former Secretary of State’s emails would proceed without political influence.

Dave Bittner: [00:10:50:23] And finally, another innocent person named after the Egyptian goddess of nature, motherhood, and magic has been blocked by Facebook. Isis Thomson found herself locked out of the social media site, and staring at a pop-up message that said her name, her actual name, did not comply with Facebook's policies. She sent them proof of her ID, explaining that yes, she is Isis, but not THAT ISIS, and as we go to press she's still waiting to be let back in. Acronyms can be inadvertently tricky, after all, especially when you're trying to make a name for yourself in the international stage. Just ask the Moro Islamic Liberation Front.

Dave Bittner: [00:11:31:19] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at

Dave Bittner: [00:11:54:12] I'm joined once again by Ben Yelin, he's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security, one of our academic and research partners. Ben, there was an article recently in Ars Technica about a Florida man who's trying to demonstrate the insecurity of the Florida election site and he decided to take matters into his own hands. What can you tell us about this case?

Ben Yelin: [00:12:17:21] Well I would first start by saying it's generally not a good idea in these instances to take matters in your own hands, and this is an individual, David Michael Levin in Florida who hacked into a local county board of elections website to prove that it was insecure. He used the pilfered credentials of the county’s supervisor of elections.

Ben Yelin: [00:12:37:01] Now, granted we are all very concerned about the integrity of elections data, especially considering what happened in Florida in 2000. I think we're sensitive to that. But this person Mr Levin not only hacked into the account, but did it on video and actually that video was used as evidence him. And that has led to a criminal hacking charge.

Ben Yelin: [00:13:00:05] So, even though the point that he was trying to make - that the integrity of the elections data was at risk - is a good one, he certainly was ill-advised in trying to break in himself, and especially ill-advised in putting it on video on the internet.

Dave Bittner: [00:13:16:23] So from his point of view it was all about good intentions, but he just went about it the wrong way? What would be the proper way to handle this? If you think there's a security flaw in something like this, what's the best way to go about it?

Ben Yelin: [00:13:30:03] Generally you should not try to use pilfered credentials of anyone. If you really do think that there's a problem, you can certainly raise it to the media. I think that'd be the best way to raise your concerns without actually hacking into any system yourself. And in this case it is a public official, so you have the right to contact the public official to express your concerns. And again, the concerns are certainly warranted. I just think that there is a significant risk in hacking into the device and that will risk to a felony charge and again, even though the purpose of it might have been noble, it's just not worth it to face a felony hacking charge. That would garner significant criminal penalties.

Dave Bittner: [00:14:10:10] Alright Ben Yelin, thanks for joining us. And that's the CyberWire.

Dave Bittner: [00:14:16:00] For links to all of today's stories, along with interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible. We hope you'll check them out and we also hope you'll tell your friends about our show and help spread the word.

Dave Bittner: [00:14:29:02] The CyberWire podcast is produced by Pratt Street Media, the editor is John Petrik, our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor, in his snazzy suit, is Peter Kilpe. I'm Dave Bittner, thanks for listening.