The CyberWire Daily Podcast 7.11.16
Ep 138 | 7.11.16

Pokémon Go is out, with troubles in its popular trail. Cybercrime & hacktivist miscellany.


Dave Bittner: [00:00:03:10] NATO websites downed during Alliance meetings. Successful scissors-and-paste cyber espionage campaign seems to emanate from South Asia. ISIS and Al Qaeda vie for jihadist mindshare on line. Anonymous hacks targets in Zimbabwe and South Africa. A reported Kindle credential breach may be largely bogus. Eleanor Mac malware and its privacy threat. State Department email scandals remain under investigation, and Pokémon Go seems to be catching them all so Ash Ketchum, call your office.

Dave Bittner: [00:00:38:00] Time to take a moment to welcome our newest sponsor Netsparker. Web applications can have a lot of vulnerabilities. Have you heard? Sure you have, you're listening to this podcast, and of course every enterprise wants to protect its websites, but if you have a security team you know how easy it is for them to waste time culling out false positives. Check out Netsparker. Their technology not only automatically finds vulnerabilities in web applications, but it automatically exploits them too, and even presents a proof of exploit. Netsparker Cloud scales easily. You can use it to automatically scan thousands of websites in just a few hours, but don't take their word for it. Go to, for a free 30-day fully functional trial of Netsparker Desktop or Cloud. Scan your websites with Netsparker for a month, no strings attached. We thank Netsparker for sponsoring the CyberWire.

Dave Bittner: [00:01:34:09] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, July 11th, 2016.

Dave Bittner: [00:01:41:12] NATO meetings last week addressed a wide range of security issues, but prominent among these were concerns about cyber operations, especially insofar as they figure in transnational threats like those posed by ISIS and in the hybrid warfare practiced by an increasingly assertive Russia. Several of the alliance’s websites sustained outages during the meetings. NATO is investigating whether these were hacks or just glitches. Two sites were affected, both associated with NATO’s Allied Transformation Command, which is based in Norfolk, Virginia. As is often the case, evidence is ambiguous at best, but a lot of suspicious eyes are being cast towards Moscow.

Dave Bittner: [00:02:19:22] In South Asia, the scissors-and-paste exploitations of an array of known and for the most part long-patched Microsoft vulnerabilities are revealed to have enjoyed surprising success, showing that attackers can innovate without innovative zero-days. Cymmetria last week identified the threat group behind the attacks as “Patchwork,” a name which is evocative of the threat actors’ approach. Kaspersky is calling the actors, “Dropping Elephant” or “Chinastrats.” It’s an espionage campaign whose principal targets are Chinese, but which has also prospected organizations in Australia, Pakistan, Sri Lanka, Uruguay, the US, and Bangladesh. Attribution is still unclear, but most speculation has turned toward India.

Dave Bittner: [00:03:02:03] ISIS is stepping up its online presence and targeted recruiting in out-of-area operations. This bears out the predictions of several observers, who have foreseen that loss of the terrorist group’s core territories in the Levant would drive it towards other geographic areas. ISIS is recruiting jihadists for projected campaigns in the Philippines, and it’s also launched a newspaper designed to appeal to Malaysian expatriates. The Caliphate’s principal rival, Al Qaeda, is also upping its on-line presence, as one of the late Osama Bin Laden’s sons is threatening belated vengeance for the US raid into Pakistan that killed his father in 2011.

Dave Bittner: [00:03:39:21] Anonymous is back and active against targets in Zimbabwe and South Africa. One operation, #ShutDownZimbabwe, has rendered some government websites in that country unavailable. People claiming to speak for the hacktivist collective say more hacks are to come. In other action, this one marked with the familiar #OpAfrica, South Africa’s Armscor was breached. Armscor is a procurement arm of South Africa’s defense establishment. Information apparently taken from Armscor’s networks has appeared on line, and it includes details of various arms transactions with international suppliers. Someone claiming to represent Anonymous says they accomplished the breach through a SQL injection attack.

Dave Bittner: [00:04:21:05] A hacker going by the handle 0x2Taylor, who also claimed responsibility for last week’s breach of the Baton Rouge police, dumped a bunch of data he claims represents Amazon Kindle credentials, but what those data actually are remains unclear. They may be fake, or they may be bot accounts. 0x2Taylor has tweeted that Amazon is a big wealthy company that ought to have better security, and that, besides, they ignored his request for $700 in exchange for keeping silent, so there. Several researchers who’ve looked into the data conclude that, at worst, it’s premature to get too worried about the claimed breach.

Dave Bittner: [00:04:57:10] Network defenders are talking a great deal about threat hunting. We hear from Chris Gerritz, Infocyte CEO, about what this approach entails.

Chris Gerritz: [00:05:05:16] Hunting threats is the focused effort to try to find adversaries that have already penetrated the network. It's hunting for malicious software that's installed on our systems, or it's hunting for the malicious use of credentials in an administrative account being used by a hacker. Most technologies today that defend a network are designed to prevent attacks: to try to alert on an attack in progress. So, they'll use different behavior models to do that. Really what we're doing is building our wall higher and higher. What we've come to realize is no matter how big that wall we create, our networks are incredibly complex, and people are going to get through.

Dave Bittner: [00:05:44:09] Gerritz says there are a variety of approaches to threat hunting. One of them involves analytics.

Chris Gerritz: [00:05:49:03] Security software today in our networking topology is collecting a lot of data. They're collecting logs; they're collecting alerts that we may or may not be looking at because there's so many of them. So, let's apply analytics to that, and see if we can get additional context out of that data to find those threats. That's a model that a lot of ex-NSA guys are coming out and doing because they have a lot of experience with analytics and large caches of data.

Dave Bittner: [00:06:15:08] A different model is to look at the workstation or server device itself.

Chris Gerritz: [00:06:19:05] My particular expertise is looking at a device and seeing what software is running on there: what software is triggered to run, and then if there's any logs or indications or artifacts, that someone has used this system maliciously, either currently or in the past. So, I directly look at a device, going beyond what just an anti-virus is going to scan for, to verify what's on that system. That's another way of hunting.

Dave Bittner: [00:06:42:00] Gerritz compares the reports we get from much of our defensive software to weather reports.

Chris Gerritz: [00:06:47:10] People are naturally, when they hear a weather warning, like a tornado or something like that, they're going to look out of their window, they're going to turn on the TV because they want to know, is this a threat to me, and is this threat real? Storm warnings and storm predictions are typically not that reliable. So, what we're seeing today is alerts that are policed by our security software are typically unreliable. So, we have to be able to verify those alerts. Are they real? Hunting kind of picks up the slack of being able to verify so many alerts that are being generated by software.

Dave Bittner: [00:07:19:09] He also advises that organizations not be intimidated by the term, "threat hunting."

Chris Gerritz: [00:07:24:07] This is a trainable process, and this is something that organizations can adopt just like they adopted security operation centers over the last few years. This is something that can be taught and can be effective in their network.

Dave Bittner: [00:07:37:12] That's Chris Gerritz, he's the CEO of Infocyte.

Dave Bittner: [00:07:42:02] There’s now some hard evidence car thieves are turning to hacking tools to make off with vehicles. Security cameras in Houston, Texas, have caught someone stealing a 2010 Jeep Wrangler using a laptop. The theft took more than ten minutes so the crooks are well behind the Hollywood “gone-in-sixty-seconds” standard established in 1974, but the security footage is evidence of what’s probably, alas, a coming trend. Little steps for little feet, but they’ll get faster.

Dave Bittner: [00:08:10:07] More is out on Eleanor, the Mac malware whose existence researchers disclosed last week. In a scare headline, Naked Security reports that Eleanor, “tries to hook your webcam up to the Dark Web”: “Webcam”, and “Dark Web” being the operative scary words. We trust most of you have placed opaque tape over your webcams?

Dave Bittner: [00:08:32:04] Inquiry into the US State Department email scandals isn't over even though the Justice Department decided last week not to indict presumptive Democratic Presidential nominee, and former Secretary of State, Hillary Clinton. State has reopened its own internal investigation. Congress wants to hear more of what the FBI described as “lax security culture” at Foggy Bottom, and Republicans look forward to keeping the scandal alive through November.

Dave Bittner: [00:08:57:06] Finally, you may have noticed people walking around outdoors more absorbed in their mobile devices than ever. By people, I mean my entire family. The explanation is that Pokémon Go is out, and it’s very popular. Our Technical Editor gives the game two thumbs up by the way. It involves geocaching and augmented reality. As entertaining as the game may be, its release is also accompanied by some security weirdness. In one case, a Wyoming player was led to climb a fence and approach a river, where she found, to her dismay, a drowning victim.

Dave Bittner: [00:09:28:14] Pokémon Go is also being spoofed by a RAT. Proofpoint has found the familiar Android remote-access Trojan “Droidjack” packaged as a bogus version of the game. Should you download Pokémon Go, don’t do so from dodgy sites, use official, relatively well-vetted, app stores.

Dave Bittner: [00:09:45:12] If you’re playing Pokémon Go, you’re probably not worried about an encounter with Squirtle, or even Squirtle’s Wartortle evolution, or even Wartortle’s Blastoise evolution, and you, a Pokémon trainer, are probably not too interested in the extensive permissions the game requires. It really needs to know a lot about you for the geocaching to work and be engaging, but those permissions are interested in you. Police in O’Fallon, Missouri say muggers have used a combination of social media and geolocation data to target absorbed and inattentive players. Philadelphia cops are also warning of Pokémon Go connected robberies.

Dave Bittner: [00:10:19:15] Ash, Serena, Misty, and Red were unavailable for comment. It’s unclear whether the police will be Mirandizing muggers they collar with the words, “I choose you. You have the right to remain silent…”

Dave Bittner: [00:10:35:02] I want to take a moment to tell you about our sponsor E8 Security. To handle the unknown threats, you need the right analytics to see them coming. Consider the insider threat, and remember that an insider threat isn't necessarily a malicious actor. Sometimes it's a well-intentioned person who's careless, compromised or just poorly trained. Did you know you can learn user behavior and score a user's risk? E8 can show you how. Did you know for example that multiple Kerberos tickets granted to a single user is a tip-off to a compromise? E8 can show you why. Get the free white paper at, and get started. Detect, hunt, respond. E8 Security. We thank E8 for sponsoring the CyberWire.

Dave Bittner: [00:11:23:03] Joining me once again is Doctor Charles Clancy, he's Director of the Hume Center for National Security and Technology, they're part of Virginia Tech. Doctor Clancy, there's a lot of concern with privacy of data, particularly concerning the Internet-of-Things, and medical data, and data in the cloud. This is an area where you're doing research there at the Hume Center, correct?

Doctor Charles Clancy: [00:11:43:05] Yes, we are. Significant growth of data within the Internet-of-Things is creating significant opportunities for new industries. For example, as we see the growth of Smart Grid, it's incentivizing power operators to push their data to the cloud in order to use big data techniques to more efficiently manage the grid itself and get more efficiencies out of the grid. So, there's a significant financial incentive for companies to begin to push to the edge of the cloud, but at the same time this creates a potential threat factor for cyber risk. We're seeing some very interesting research in the area of homomorphic encryption, which essentially allows you to encrypt that data before you send it to the cloud. The cloud operator and the owners of the infrastructure never actually are able to see the data. However, you're able to execute encrypted operations on the data and get back an encrypted result that only you are able to decrypt. This basic new technique is not yet efficient. There's still orders of magnitude of slow-down in using homomorphic encryption, but it's a promising tool that I think could unlock significant potential in terms of privacy-preserving analytics within the cloud.

Dave Bittner: [00:12:53:14] What about the aspects of this dealing with the medical industry?

Doctor Charles Clancy: [00:12:57:00] Well, certainly compliance with frameworks such as HIPAA requires protection of data in the cloud, but we're seeing entirely new applications, particularly in the area of genomic medicine, where services like 23andMe will allow you to sequence your own DNA. There are services that will allow you to just essentially put your DNA in the cloud for researchers to use for medical research. While this is really exciting: it opens a lot of opportunity for data to be available to researchers, it's also a significant vector for compromising privacy. Whereas you as an individual may feel comfortable sharing that data, you must realize that your DNA breakdown is 50 percent correlated with that of your parents and 25 percent correlated with that of your siblings, and therefore not only are you compromising your own data by putting it in the cloud, you're perhaps compromising the privacy of your relatives. So, some of these new approaches to homomorphic encryption actually allow you to encrypt that data in such a way that it would not negatively impact your privacy, or the privacy of your family members, but still allow medical researchers the ability to execute queries against it that they could use to look for biomarkers for cancer, as an example.

Dave Bittner: [00:14:08:02] Alright, fascinating stuff. Doctor Charles Clancy, thanks for joining us...

Dave Bittner: [00:14:13:11] ...and that's the CyberWire. For links to all of today's stories along with the interviews, our glossary, and more visit If you enjoy our daily look at cyber security news, we hope you'll help spread the word by telling your friends and co-workers about our show, or leaving a review on iTunes. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben. Our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.