The CyberWire Daily Podcast 8.17.16
Ep 165 | 8.17.16

Shadow Brokers warn 'Wealthy Elite'--new cyber cold war? And cybercrooks are still out there.


Dave Bittner: [00:00:03:16] More on the Shadow Brokers, Equation Group, and what the encryption algorithms are suggesting to people. Crimeware, hacktivism, or cyber cold war? We're thinking door number three. More banking Trojans in Brazil and Colombia. DNSSEC and its exploitation in DDoS. Cerber holds its criminal marketshare as ransomware-as-a-service. And crooks don't trust Shark ransomware. Airbus says "no" to Pokémon, at least on the factory floor. And don't follow Charizard into a minefield.

Dave Bittner: [00:00:39:04] Time to take a moment to tell you about our sponsor, Cylance. Are you looking for something beyond legacy security approaches? If you are, and who isn't, you're probably interested in something that protects you at machine speed and that recognizes malware for what it is no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence but it's real protection. Visit to learn more about the next generation of anti-malware. Cylance: artificial intelligence, real threat protection and we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:35:14] I'm Dave Bittner, in Baltimore with your CyberWire summary for Wednesday, August 17th, 2016.

Dave Bittner: [00:01:41:19] The news today continues to be dominated by the Shadow Brokers, the group that dumped a bunch of code on GitHub, claimed it was a sampler of NSA attack code, and offered the rest for sale to anyone who'd care to pony up 1,000,000 Bitcoin. The released code is represented as a teaser, a loss leader.

Dave Bittner: [00:01:59:02] But there may be more going on here other than simple criminal or even hacktivist money-making. Several observers have noticed, like us, how stagey and clumsy the Shadow Brokers' language is. In a quick test of a hypothesis that the prose came from lazy use of Google Translate, our linguistic staff ran some Russian text through the free tool, which gives us a very rough-and-ready and often comical rendering into the target language, but our staff couldn't come close to replicating the style. It's difficult, others have also pointed out, to see how one could write like that without craft and intention. Here's a fair sample, worth quoting at some length. It's addressed to "Wealthy Elite".

Dave Bittner: [00:02:39:07] "We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data. You see what 'Equation Group' can do. You see what cryptolockers and stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems? If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites? Maybe with dumb cattle? 'Do you feel in charge?' Wealthy Elites, you send bitcoins, you bid in auction, maybe big advantage for you?"

Dave Bittner: [00:03:25:12] So there. Stuxnet is speculated to have some connection with the Equation Group, an outfit described last year by Kaspersky Labs and widely believed, although Kaspersky is as usual coy about the attribution, to be an NSA operation. Cryptolocker, of course, is criminal ransomware no one has connected with Equation Group or anyone outside of cyber gangland. The same can be said of SWIFT bank transfer fraud. The suggestion that NSA is preparing an attack on global wealth is, to be sure, as much provocation as it is, on the face of it, implausible. So is the notion that alleged US Government attack code would easily find its way into criminal hands. Still, the insinuation is more plausible than, say, the stuff that's widely believed about chemtrails or Sasquatch.

Dave Bittner: [00:04:12:19] Kaspersky Labs thinks the samples are genuine pieces of Equation Group code. The biggest tip-off they see, as expressed in their Securelist blog, is an unusual implementation of RC5 and RC6 encryption algorithms. This evidence is, of course, circumstantial, and attribution remains as notoriously difficult as ever.

Dave Bittner: [00:04:32:18] Speculation about the leakers inevitably turns to Russia. Tensions between that country and the US have been rising, and the timing seems appropriate, given the current uproar over the hacking the US Democratic and Republican Parties have sustained. But, as Edward Snowden has tweeted, it's more noteworthy that the intrusion has been made public than that it was made at all. Any intelligence service like NSA is an obvious collection target, but you wouldn't talk about collecting unless you were interested in making a point, or communicating a threat. The incident moves experts to raffish and demonic commentary. Thomas Rid calls the Shadow Brokers' dump a big "middle finger" hoisted in a generally American direction. Dave Aitel writes, explaining why he thinks it was the Russians, quote, "No team of 'hackers' would want to piss off Equation Group this much. That's the kind of cojones that only come from having a nation-state protecting you," end quote.

Dave Bittner: [00:05:25:14] So, Wealthy Elite, take your head out of your Pokémon and see, observers are telling us, the dawn of a new cyber cold war. Did we mention Pokémon? Why, yes, we did. Airbus has told its employees to knock off playing the game at work. And the US State Department has advised travelers not to play Pokémon-GO while visiting countries prone to having marked fields of uncleared landmines, especially Laos, Cambodia, and Vietnam. Even if you think you see a Halucha.

Dave Bittner: [00:05:54:02] An important part of cybersecurity is of course physical security, making sure your devices don't get lost or stolen. Kensington does a good bit of business helping with the physical security of devices and their locking mechanism has become something of an industry standard. They recently took a survey of IT professionals on how they secure their devices in the real world and we spoke with Kensington's Rob Humphrey about what they learned.

Rob Humphrey: [00:06:17:06] What we've found through the survey was the office continues to be one of the highest places that laptop theft occurs which is a big surprise to most people, in particular IT managers, that people think that the office is a very secure location for office equipment, IT equipment and it turns out that the only other place that theft occurs more often is actually in cars or other transportation like on a train or something like that.

Dave Bittner: [00:06:45:16] Rob Humphrey said one of the surprising results from the survey was how many organizations had no policy when it came to physical security of devices.

Rob Humphrey: [00:06:54:07] More than a third do not have policies in place to physically secure laptops. What we see is a lot of organizations just assume that all of the security needs to be placed on firewalls or virus protection or malware protection and the like and they, they forget about physical aspects. The other stat that came out that was pretty interesting was more than half, 54% of the survey participants failed to use a physical lock for IT equipment. The survey pointed out 80% of the respondents to the survey do not utilize locks to, to lock down the other types of equipment that are sitting on desktops in conference rooms and other locations. And it's pretty easy to do. And when deploying the locks the key management is always a concern and our study confirmed that over two thirds of the respondents said, "Yes, key management is very important to us when we're considering launching or rolling out locks corporate wide." So what we mean by key management is it gives the facilities managers or the IT manager a key that can open up any lock in their system. So if a user forgets their key at home or leaves the organization and takes the key with them or just loses the key, the IT manager can unlock that device for them.

Dave Bittner: [00:08:20:20] And when something like a laptop gets stolen there's more than just the cost of the device to consider.

Rob Humphrey: [00:08:25:19] You've got to get back to a productive state. So what kind of hassle is that when that happens? You know, our, our other studies have shown that that takes, you know, people days, up to a week or more to get fully back up to speed when they lose something as critical as their, as their personal computer.

Dave Bittner: [00:08:44:13] Employees may resist having their devices locked down at work but Humphrey says many companies have successfully implemented physical security policies.

Rob Humphrey: [00:08:52:11] Having a policy in place and putting some enforcement behind it such as, we know organizations, what they do is they have facilities folks go around the office in the morning and any, any computer that's not locked down they pick up and take to their office and this creates a very inconvenienced scenario for the employee to pick up their computer. So it's all about, you know, having the policy in place and enforcing that policy to drive home the importance of locking down their equipment.

Dave Bittner: [00:09:24:07] That's Rob Humphrey from Kensington. You can learn more about their security survey on their website.

Dave Bittner: [00:09:31:19] Turning to news of other threats, BlackBerry is the first major manufacturer to release a patch for the QuadRooter vulnerability.

Dave Bittner: [00:09:39:18] Brazil is experiencing a fresh wave of banking malware infestations as Zeus Sphinx joins Zeus Panda. Some Colombian banks have also been affected by Sphinx.

Dave Bittner: [00:09:51:01] Neustar has released a study on how Domain Name System Security Extensions, DNSSEC, can be exploited in DDoS attacks. The security company says, quote, "DNSSEC reflection can transform an 80-byte query into a 2,313-byte response, an amplification factor of nearly thirty," end quote. This is troubling because of the role DNSSEC plays in defensive measures.

Dave Bittner: [00:10:17:16] Cerber remains the dominant ransomware as a service, but a competitor is up, "Shark," whose masters say they work on commission. Their attack screen says, "Data on this device were locked," thus getting on our editor's good side because the crooks recognize that the word "data" is plural. He says things like, "You should honor the Latin plural, blah blah blah," and, yes, alas, he really does talk like that. But Symantec, Bleeping Computer, and others who've looked into Shark note that its purveyors have been booted out of the best criminal fora, "fora," that Latin plural again, and that they're probably just scamming other crooks. Don't let the Latin plural fool you, kids. There's no honor among thieves.

Dave Bittner: [00:11:02:19] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyses the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily and if it helps us we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:56:19] Joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Joe, earlier in the show we heard from Rob Humphrey from Kensington about the physical security and securing our devices. We hear stories regularly about laptops being stolen from cars and so forth. In your opinion, what are some of the things we can do to pay better attention to physical security?

Joe Carrigan: [00:12:16:11] Obviously, don't leave them in your car. There was-- the one case that comes to my mind was a case of somebody who worked for a VA hospital who left a laptop in their car. I can't remember all the details of it, it was probably about seven years ago that this happened, but that, that constituted a breach of personal healthcare information. You know, basic, basic common sense things. If you, if you-- don't leave your laptops in your car. Do the physical things, protect your computer like it is a valuable item. But let's say that, that you've done something or that you manage many computers and you just don't have the faith in humanity that's required to believe that everybody's gonna take care of their devices. So there are things you can do to protect the data that's on that. Generally the buzzword or jargon term is called data at rest. So this is any kind of, any kind of data that's on physical media like a hard drive, tape backup, and you can encrypt that device so that even if somebody does steal the hardware, the device is encrypted and they can't get the data off of it.

Dave Bittner: [00:13:16:05] Right, so that's an option. You know, I, I remember the last computer I bought, it's-- when I set up the computer it asked me, "Do you want to encrypt the hard drive on this computer?" I said yes. Didn't seem to be much of a downside to that.

Joe Carrigan: [00:13:29:24] Yeah, there's really not much of a downside, it's very transparent to the end user. There is one issue and that is, you know, at the enterprise level if you have-- if you, if you forget a password then you have to go and, and have somebody reset it.

Dave Bittner: [00:13:42:22] So even that way, if someone actually got physical access to, let's say a laptop and they removed the hard drive from the innards of the laptop and tried to hose it up to some other machine, that data is protected because it's encrypted?

Joe Carrigan: [00:13:55:17] Right, it's encrypted and it's encrypted with a key instead-- and not necessarily a password-derived key.

Dave Bittner: [00:14:00:24] Alright good stuff, Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:14:03:10] My pleasure.

Dave Bittner: [00:14:06:15] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors, who make the CyberWire possible. Our ad space is filling up fast through this fall and into next year so if you want to reserve a spot on our show or daily news brief, don't delay, we've got a limited number of spots, and according to our advertisers, they get results. Visit to learn more.

Dave Bittner: [00:14:32:01] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.