The CyberWire Daily Podcast 8.9.16
Ep 159 | 8.9.16

A look back at Vegas. Rio's rogue Wi-Fi. Cyberwar & actual war.

Transcript

Dave Bittner: [00:00:03:15] Strider (or is it Sauron?) seems to have taken a leaf from the Flamer APT playbook. Quadrooter sounds bad, but there are still no reports of exploitation in the wild. Carbanak group may have hit Oracle point-of-sale systems. Rio Olympics seeing rogue Wi-Fi hotspots. Acts of war in cyberspace or just cyber espionage and cybercrime? US Marshals to auction Bitcoin seized from SilkRoad. And more Pokemon malware is found in the Google Play Store.

Dave Bittner: [00:00:36:10] Time to take a moment to thank our sponsor, Cylance. Are you looking for something beyond Legacy Security Approaches? Of course you are. So you're probably interested in something that protects you at machine speed, and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with Artificial Intelligence and machine learning. It may be Artificial Intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance: Artificial Intelligence, real threat prevention. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:33:00] This is Dave Bittner, in Baltimore, with your CyberWire summary for Tuesday, August 9th, 2016. It’s evidently Lord of the Rings week in the APT world, or at least was when the coders were writing back in 2011 or thereabouts. Symantec and Kaspersky independently warn of a new threat group they’re calling either “Strider” (that’s Symantec) or “ProjectSauron” (as Kaspersky calls them). It appears to be engaged in a highly targeted campaign against organizations in Europe, Asia, and Africa, with Belgium, China, Iran, Russia, Rwanda, and Sweden particularly mentioned as geographical areas of interest.

Dave Bittner: [00:02:09:05] The Strider/ProjectSauron group is thought to be state-sponsored, but so far there’s no attribution to any specific government. Kaspersky says the APT has operated against “government agencies, telecommunications firms, financial organizations, military and research centers since 2011.” The group seems particularly interested in encryption software. Symantec reports that Strider uses Remsec malware to establish backdoors. They also say that features of its approach are reminiscent of that taken by the “Flamer” group discovered and disclosed in 2012. Flamer was itself linked to Stuxnet, at least insofar as they shared some of the same source code. Kaspersky agrees that there are some similarities between ProjectSauron and Flamer, but isn’t entirely convinced they’re the work of the same group, whoever that group might have been.

Dave Bittner: [00:02:58:22] This week’s other risk with a fancy name is “Quadrooter,” a firmware vulnerability Checkpoint discovered in the Qualcomm chipsets powering Android devices. Quadrooter is worrisome, since in principle it exposes Android devices to privilege escalation exploits that could give an attacker root access to the device. But matters may not be as bad as initially reported. There are, so far, no clear signs that Quadrooter is being exploited in the wild. And the widely quoted figure of “nine-hundred million” vulnerable devices is almost certainly greatly overstated. Qualcomm has been pushing updates to manufacturers since April that in all likelihood have fixed the problem in many devices. A general patch is expected next month. In the meantime, if you’re curious about your own device, Checkpoint has an online test you can run to determine whether it’s vulnerable. As we consider the mobile world, it’s worth reflecting on where, considering risk and security, 5G cellular service will take us. We spoke with Dr. Charles Clancy, from our partners at Virginia Tech's Hume Center, and we'll hear from him after the break.

Dave Bittner: [00:04:02:05] The Olympics, so far, seem to have been affected by crime (notably the rogue Wi-Fi hotspots Skycure and others have been warning about) and a bit of hacktivism (directed mostly at Brazilian government websites). If you’re in Rio, you should take the sorts of precautions you would have taken last week at Black Hat or DefCon. Both the Guardian and eWeek look back at last week’s conferences in Las Vegas and conclude that things aren’t as one might wish in security. While the Guardian’s indelicate characterization of the situation is no doubt overstated for effect, still a lot of enterprises seem not to be learning what eWeek calls “Security 101 lessons.”

Dave Bittner: [00:04:39:24] That well-known commodity attacks continue to succeed is, of course, as familiar as it is lamentable. There are a lot of reasons for that: enterprises have a lot to do, their resources aren’t unlimited; and, for small and medium-sized businesses as well as for private individuals, it’s easy to fall into a kind of learned helplessness, in which whistling past the graveyard and hoping nothing happens becomes a default security posture.

Dave Bittner: [00:05:03:13] It might be worth quoting some perspective we received from Ntrepid’s Chief Scientist, Lance Cottrell, last week. He notes that many of the things people worry about are Hollywood hacks. Reflecting on his participation in panels on Internet-of-things security, he said, “We tend to look for the extreme movie plot threat scenarios. What if they hacked your car and drove you off the cliff?” And how likely is it that someone would go after you in such a “Rube Goldberg” fashion? If they were rationally evil, and not in it for the baroque, Blofeldian lulz, wouldn’t they just hire a hitman? Cottrell suggested that it’s useful to think about what he called the attackers’ “mindspace.” “What are their goals? They want to generate money. Why is ransomware suddenly a thing? Because it's hugely lucrative. Why DDoS? Because it works, and can be easily monetized.” And, he noted, some once-common attacks are fading because of black market forces. There are fewer attempts to steal credit cards, in part because stolen paycard numbers have now become so commoditized that it’s hard to make money from them.

Dave Bittner: [00:06:04:02] So, develop a realistic understanding of what you have that might be of value to an attacker and then manage your risk accordingly. Not every attack is out of “Skyfall.” Whenever an enterprise is breached, Cottrell noted, the first press release talks about how extremely sophisticated the attackers were. Of course it would: "You don't want to say some script kiddie used a well-known exploit against our unpatched browser from two years ago to own us, but that's actually what's happened most of the time."

Dave Bittner: [00:06:31:06] As the US considers enhancing the status of US Cyber Command, observers suggest that the world collectively (and its security and defense sectors especially) needs to devote some thought to reaching clarity about conflict in cyberspace and how it relates to actual, lethal, kinetic warfare. Threatpost is running a long, thoughtful op-ed on the topic in which important distinctions are drawn. In particular, it’s worth remembering that espionage and propaganda aren’t, generally speaking, acts of war, and that it’s a stretch to call the tools used to accomplish them in cyberspace “weapons.” Nor is crime, or even organized crime, generally warfare. We’ll add two more metaphors to the discussion, both of which derive from American history but have broader applicability. For all the talk about a “cyber Pearl Harbor,” we would also do well to recall the difficulty of attribution, and worry also about a “cyber Tonkin Gulf Incident,” lest nations perceive acts of war where none exist.

Dave Bittner: [00:07:27:08] A Russian organized crime mob, thought to be the same outfit behind the Carbanak APT, has compromised Oracle’s MICROS point-of-sale system. Oracle has advised affected customers to reset passwords. Other remediation is underway. Brian Krebs reports that security researchers told him (on background) that they observed a MICROS customer support portal communicating with a Carbanak server. How the gang got access to the system is for now unknown, at least publicly.

Dave Bittner: [00:07:56:03] In law enforcement news, Ireland’s Garda upgrades its defenses after the cyberattack it recently sustained, Australia sets up a cyber unit to track terrorist funding, and the US prepares to auction off Bitcoin seized from SilkRoad. That’s some 2,719 Bitcoin, and you don’t have to be Satoshi Nakamoto to know that’s worth a bit of change, around $1.6 million, just to ballpark it for you. The auction will be held on August 22nd. If you’re interested, you’ll have to register by August 18th.

Dave Bittner: [00:08:27:15] Finally, there are still more Pokémon GO issues. More malicious Pokémon apps have been found in the Google Play Store. A number of them are serving up the DroidJack RAT. And trust us, that’s no Blastoise. Be careful out there.

Dave Bittner: [00:08:45:19] Time for a message from our sponsor, ClearedJobs.net. Who doesn't like to take the next step in their career? If you're a cybersecurity professional in the Southwest, think about attending the free Cyber Job Fair at this year's Cyber Texas conference, coming Tuesday, August 23rd at the San Antonio Convention Center. It's organized by ClearedJobs.net, the veteran-owned outfit that matches security professionals with rewarding careers. The Cyber Job Fair is free and open to all cybersecurity professionals, with and without an active clearance. And college students studying cybersecurity are welcome too. Connect face-to-face with industry leaders like Lockheed Martin, Booz Allen Hamilton and the Los Alamos National Laboratory. And tune up your resume and get free career coaching from expert coach and Army veteran Bill Branstetter, author of the "Six Second Resume". To learn more, visit ClearedJobs.net and click Job Fairs in the main menu. That's ClearedJobs.net. See you in San Antonio, and we thank ClearedJobs.net for sponsoring our show.

Dave Bittner: [00:09:47:23] And joining me once again is Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, we all use our mobile devices, and we're dependent on the data that those devices use. The next thing coming down the pike is 5G cellular technology. What are we talking about when we're talking about 5G?

Dr. Charles Clancy: [00:10:07:16] So 5G is a number of different technologies that are being aggregated together, that are building on top of the current 4G LTE standards that we all use currently in our smartphones. Some of the key features of 5G are a new spectrum. So there's a lot of spectrum that is available, that's currently in use, typically by the US military, but not widely used here in the United States. And the White House has asked the US military to look at how it might share those bands with commercial sale or service. And then we also have the millimeter wave spectrum of much higher frequencies, that also has some interesting properties that could enable extremely high data rate communications. So a new spectrum is one key part of 5G. In addition to this notion of cognitive management, and software defined networking, and the ability to almost treat your cellular network as an elastic resource for communication from a wireless device into the Cloud.

Dave Bittner: [00:11:01:00] And so what are some of the specific security challenges with 5G?

Dr. Charles Clancy: [00:11:04:06] Well, there's a number that we're looking at right now in the area of new spectrum bands. So, the first band really that's been looked at is the 3.5 gigahertz band, which here in the United States is used by the US Navy. And in that band is the Navy radar that's used for air traffic control purposes. So for the last year, I've been chairing a standards committee within the Wireless Innovation Forum that's been looking at how we can share that band between the US Navy and the commercial cellular ecosystem, in such a way that the privacy of the Navy's operations is not inadvertently revealed to the public as a part of that interaction. So there are some new standards that have actually just been published by the Wireless Innovation Forum that define the operational security and privacy protections that this ecosystem will have. So that's one particular aspect that I think is really interesting. The second is in the area of millimeter wave, where you have very high data rate and very high frequency signals. And the technology that's being employed there, I think, provides a unique opportunity from a security perspective. Many of these signals are such high frequency that they generally don't penetrate walls. So unless you're in the same room as the access point, you may not be able to receive a signal from it, which is obviously good from a security perspective, in terms of limiting potential exposure.

Dr. Charles Clancy: [00:12:25:02] Also, technology being used, Massive MIMO, where you've got many antennas, and these antennas are all transmitting signals that cohere at your specific physical location, also prevents someone that's in a different physical location from being able to intercept or receive your signal. So, I think that's a unique opportunity that will help improve security with 5G cellular.

Dave Bittner: [00:12:46:18] Is there any sense for what kind of timeline we're on, when we may be seeing 5G in our personal devices?

Dr. Charles Clancy: [00:12:52:21] Well, as with all of the different cellular standards, it's kind of an incremental process. So, I think that we're going to see some of the frequency bands becoming incrementally available over the next two to three years. Technologies like millimeter wave are still in the R&D stages. There have been demonstrations that they will work, and will work at scale, but so far they're nowhere near ready for commercial product development.

Dave Bittner: [00:13:18:09] All right, Dr. Charles Clancy, thanks for joining us.

Dave Bittner: [00:13:22:19] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.