The CyberWire Daily Podcast 9.6.16
Ep 178 | 9.6.16

Slap leather, Vlad. If cyberspace is the "Wild West," here's the best showdown since Blazing Saddles, and more.


Dave Bittner: [00:00:03:09] Pokemon-themed Linux rootkits are observed, but they're not related to Pokemon GO. Trojans continue to herd IoT botnets. Social media monitoring leads to convictions of jihadist plotters in Australia and the UK. Pegasus spyware and NSO Group's pricelist. Election hacking on four continents. Are the Shadow Brokers engaged in intelligence or influence operations? In any case, no one's really bidding on the Equation Group code the Brokers say they're auctioning. The FBI releases information on its investigation into former Secretary of State Clinton's email. And for a while it looked like cyber high noon at the G20 talks.

Dave Bittner: [00:00:44:19] Time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet by yourself, no matter how many analysts you might have on staff, and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to Recorded Future dot com slash intel to subscribe for free threat intelligence updates from Recorded Future. That's Recorded Future dot com slash intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:52:17] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, September 6th, 2016.

Dave Bittner: [00:01:58:12] Over the long weekend, Trend Micro researchers reported finding a Pokemon-themed Linux rootkit. Called "Umbreon," after a dark Pokemon that hides in the night, the rootkit has a second Pokemon-themed component, named after the big-eared "Espeon," that backdoors infected systems. Umbreon hides its outbound traffic from the commonly used tcpdump utility.

Dave Bittner: [00:02:21:03] MalwareMustDie describes another strain of Linux malware, this one a Trojan called "Mirai." An evolution of BASHLITE, the IoT botnet herder recently described by Level 3, Mirai targets IoT devices running BusyBox.

Dave Bittner: [00:02:37:01] Reports of social-media-enabled jihadist recruiting and inspiration continue. Malaysian security authorities are monitoring the activity of an operator they characterize as an Indonesian operating from Syria. He's active on social media, encouraging sympathizers in Malaysia to undertake terrorist attacks in that country.

Dave Bittner: [00:02:56:12] In Australia, a teenager has been sentenced to ten years for plotting the murder and beheading of police officers during ANZAC Day commemorations. Nineteen-year-old Sevdet Ramadan Besim, a resident of suburban Melbourne, was convicted of the thwarted plot. He was in regular online contact with a 14-year-old in Manchester, England, who last October was sentenced to five years for inciting terrorism abroad.

Dave Bittner: [00:03:21:15] The discovery of Pegasus spyware on an Emirati activist's iPhone, and Apple's subsequent patching of the Trident zero-days in both iOS and, more recently, OS X, continues to excite comment. According to the New York Times, NSO Group's pricelist for lawful intercept services runs to an initial setup fee of $500,000, with installation fees varying by number and kind of devices to be monitored. $650,000 will put the tools into ten iPhones or Android devices. $500,000 will get them onto five BlackBerrys, and $300,000 will provide access to five Symbian phones. Ten additional targets, the Times reports, can be added for an additional $150,000, 20 for $250,000, 50 for $500,000, and an even hundred additional devices will set the customer back $800,000. The pricing suggests that the spyware would be used, as expected, for targeted interception of communications as opposed to bulk collection and surveillance.

Dave Bittner: [00:04:24:13] Industry sources draw this lesson from the incident: watch the traffic emerging from your devices. Plixer's founder and CEO Michael Patterson shared his assessment with the CyberWire. "There can be a significant gap between vulnerabilities going live in the wild and their discovery and subsequent remediation, as there seems to have been in this case. During this vulnerability time, and on an ongoing basis, organizations can protect themselves by watching for anomalies, like strange outbound connections. Education becomes more important than ever, helping people recognize strange messages and avoid opening links if they seem out of the norm."

Dave Bittner: [00:05:02:04] Other governments are found to be engaged in close monitoring of their citizens' networks. Cuba, for one, according to Reuters, is filtering mobile text messages for the appearance of certain keywords, "democracy" and "human rights" prominent among them, and then blocking the traffic. The Internet in that country continues to be tightly controlled, with home access, licensed by the government, closely restricted to about five percent of the population.

Dave Bittner: [00:05:27:21] Late Friday afternoon the FBI released emails and other details from its investigation of former Secretary of State Clinton's handling of classified information. It appears that parties unknown engaged in spearphishing against users of the former Secretary's homebrew server. The report also indicates that in 2013 an "unknown user" wandered through an account belonging to a staffer working for then-Secretary Clinton's husband, former President Bill Clinton. The investigation also determined that some eight mobile devices used by the former Secretary to access clintonemail dot com during her tenure in office could not be located or inspected.

Dave Bittner: [00:06:05:15] Politically motivated hacking, apparently interested in gathering electoral intelligence, influencing voter sentiment, or directly manipulating results, continued over the weekend. FireEye tracked APT3, a Chinese cyber espionage group, in the networks of at least two unnamed Hong Kong agencies in the week prior to this past Sunday's elections in that city. There are also allegations of election hacking in Mexico; those come from the now-imprisoned Colombian hacker Andrés Sepúlveda, who says he engaged in hacking, spying and social media manipulation on behalf of Enrique Peña Nieto's 2012 presidential campaign. Telesur reports that Mexican authorities declined to investigate what they characterize as a "frivolous" complaint.

Dave Bittner: [00:06:51:15] Elsewhere, ThreatConnect found that the same IP address implicated in intrusions into US state voter databases was also used in incursions into German, Turkish and Ukrainian political networks. Suspicion in all these cases continues to be directed toward Russian intelligence services.

Dave Bittner: [00:07:08:13] The biggest of these hacks, of course, remain the incursions into US political party and campaign networks, as well as the compromise of Equation Group code claimed by the Shadow Brokers. The Shadow Brokers, who've offered what they call Equation Group attack code in an online auction, are believed by most observers to be sockpuppets for either the FSB or the GRU. There are some observers who think this unlikely: why, they ask, would an intelligence service so readily reveal its successful collection of an adversary's code? Wouldn't they be more likely to exploit it quietly and keep their sources and methods to themselves?

Dave Bittner: [00:07:43:02] Thus, NSA-watcher James Bamford and some others conclude that the Shadow Brokers are hacktivists abetted by insiders. Such an evaluation would be consistent with an ordinary case of collection, but not if the breach is an influence operation. Sometimes attacks are deliberately noisy, particularly if they aim at deterrence or shaping public opinion, as opposed to intelligence.

Dave Bittner: [00:08:06:10] In any case, the Shadow Brokers don't seem particularly successful, or even active, as straight-up criminals. Our partners at Terbium Labs tell us there's not much action in the dark web or elsewhere in the Shadow Brokers' auction for Equation Group. As far as we can see, the bidding is apparently stalled at just 1.8 Bitcoin, a little more than $1,000, far short of the half-billion dollars the hackers asked for. Some bidders are including rickrolling with their lowball bids.

Dave Bittner: [00:08:34:07] Presidents Obama and Putin exchanged starchy words over cyberwar at the G20 summit. Mr. Obama advised Mr. Putin against turning cyberspace into "the Wild Wild West," and suggested that if the two countries had to slap virtual leather, Mr. Putin would find himself outgunned. Mr. Putin said, via Sputnik News, that he's got better things to do than fool around with American electoral theater. He went on to deny any involvement in US political hacking, but the Russian President did mention late last week, sounding a little like the Man Who Shot Liberty Valance, that whoever hacked the Democratic National Committee had performed a public service.

Dave Bittner: [00:09:13:05] In any case, Agents James T. West and Artemus Gordon, we hope your private Pullman car has good connectivity. President Grant, and we mean President Obama, might want to be in touch.

Dave Bittner: [00:09:30:03] We've got another message from our sponsor Recorded Future. What are you doing the first week in October? If you're a threat intelligence enthusiast, consider joining Recorded Future for RFUN 2016 in Washington DC on October 5th and 6th. This year's annual conference promises to be at least as good as the last four; after all, it's organized by Recorded Future, the people who know a thing or two about collection and analysis of the information out there on the web. Recorded Future customers, partners and threat intelligence enthusiasts are all invited to RFUN 2016. Meet others like you, people who understand that cyber security depends on actionable intelligence. Network with your information security peers to learn how others apply threat intelligence. RFUN is the place to be if you're a threat intelligence enthusiast.

Dave Bittner: [00:10:13:22] Register now, it's free at That's and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:10:31:02] Joining me is Malek Ben Salem. She's the R&D Manager at Accenture Technology Labs. Malek, I know there at Accenture you recently published a framework regarding security for the industrial Internet of Things. What can you tell us about that?

Malek Ben Salem: [00:10:44:14] Yeah, the industrial Internet of Things, as you know, introduces various operational technology architectures. Whether it's healthcare, manufacturing, transportation or energy production, all of these industries have different architectures. So, at Accenture Labs, as we deal with clients from various industries, we developed a framework for security for these industrial Internet of Things domains. And what we focused on is: what are the common themes around these architectures, and what are the differences between these domains?

Malek Ben Salem: [00:11:27:24] One thing we looked at is the edge gear, which we think has to be self-organizing and self-reliant. Today we see some solutions, security solutions at the edge, that provide some capabilities, some security functionalities, but there is still a gap in protecting all the devices at the edge. For example, you know, many of these solutions are not vendor-agnostic, so when you deploy them you have to do a lot of customization for that particular industry domain. What we are looking at in our framework is to find mechanisms to detect and prevent physical or remote tampering with edge devices, regardless of what the device is. That's one key security capability that we think is important.

Malek Ben Salem: [00:12:25:07] Another security capability that we looked at is a distributed intrusion detection mechanism that can ultimately assign security functions to the resource-constrained devices at the edge. So, some mechanism that augments that edge layer with additional security capabilities, whether it's an additional device that is not constrained in terms of its storage and compute capabilities, or whether it's a gateway at the edge that is responsible for augmenting the security capabilities of the edge devices underneath.

Dave Bittner: [00:13:04:14] Are we starting to see the development of these sorts of standards with IoT devices or is it still pretty much the Wild West out there?

Malek Ben Salem: [00:13:11:13] I think we're starting to see that, and this has a working group that's working on a cyber security framework, and they've published several drafts of their framework.

Dave Bittner: [00:13:24:03] All right, Malek Ben Salem, thanks for joining us.

Dave Bittner: [00:13:30:22] And that's the CyberWire. For links to all today's stories along with interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible.

Dave Bittner: [00:13:40:18] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.