The CyberWire Daily Podcast 9.13.16
Ep 183 | 9.13.16

Lessons from recent incidents. Russia says, it's not us, it's you, and more.


Dave Bittner: [00:00:03:14] It's Patch Tuesday and time to apply the latest fixes from Redmond. Symantec's August security report is out. Middlemen make it tough to track exploit sales. GovRAT continues to afflict networks in the wild. Lessons from private key exposure. Russia says the international order isn't the same thing as the American order. The US and the UK conclude a cyber cooperation agreement. More bogus apps for Pokemon-GO. And, could people soon be asked to stand and remove their hats for "City Escape?"

Dave Bittner: [00:00:38:08] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:35:14] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday September 13th, 2016.

Dave Bittner: [00:01:41:05] Today is Patch Tuesday, and the latest updates from Redmond are out. Microsoft has released a total of 14 security bulletins for September, seven of them are rated "critical," Microsoft's highest severity rating, and the other seven are rated "important." All versions of Windows are affected as are Microsoft Office, Microsoft Exchange Server, and both of Microsoft's browsers, Internet Explorer and Edge.

Dave Bittner: [00:02:04:00] Microsoft is revamping its patch distribution policy in October, this is the last Patch Tuesday but one to follow the old policies. Beginning with October, Microsoft will distribute pre-Windows 10 patches in a cumulative rollup. Windows 7, 8.1, Windows Server 2008 and Server 2012 are all affected. The new policy is controversial among some, principally app developers, who will no longer be able to pick and choose which patches to apply. Microsoft says the new patch delivery system will be easier on users and will help admins avoid the fragmentation of different devices patched at different levels. Whether you agree with Microsoft or the dissenters, remember that patch management is one of the most important steps an enterprise can take toward better cyber hygiene.

Dave Bittner: [00:02:47:06] Symantec has released its August security trends report. It finds a rise in the number of malware variants circulating in the wild, it's difficult to count these, but, by Symantec's reckoning there are some 45.5 million variants out there. And there's a drop in attacks. The disruption and decline of various old standby exploit kits appears to account for this trend.

Dave Bittner: [00:03:08:22] Observers are looking at recent incidents and drawing some lessons from them. Those who have been interested in tracking the sale of the Pegasus iOS lawful intercept tools found on the phone of an Emirati dissident have tracked the product itself to Israeli firm, NSO Group. Determining who actually bought and used it is cloudier. It's generally believed that the spyware was installed on the iPhone in question by the government of the United Arab Emirates, but the sale proceeded through middlemen in ways that Motherboard says are difficult to untangle. This is thought by many to be a general problem with the lawful intercept and exploit broker markets.

Dave Bittner: [00:03:44:19] The GovRAT Trojan InfoArmor described last November is now out and afflicting US government personnel in a version 2.0. It's more difficult to detect than earlier versions of the malware. GovRAT can, InfoArmor says, intercept files users download and replace them with malware.

Dave Bittner: [00:04:02:24] STEALTHbits Technologies' Brad Bussie shared some thoughts on the malware with the CyberWire, "GovRAT and GovRAT 2.0 are highly sophisticated malware packages that feature the ability to steal files, remotely execute commands, upload other malware variants and monitor network traffic," he said. The malware is particularly effective because it uses stolen certificates as an aid. The GovRAT database also contains about 33,000 stolen credentials from a wide variety of accounts. Bussie advises AV vendors to replace digital signatures and certificates on the grounds that they can't know which have been compromised. He advises enterprises to have users reset passwords. "Until passwords have been globally replaced with a new identification system, web and application hosts need to become part of the solution to protect against credential abuse. End users will rarely preemptively change passwords unless forced to do so."

Dave Bittner: [00:04:57:15] We also heard from Balabit's Csaba Krasznay. "GovRAT 2.0 once again highlights the password threat again as it exfiltrates such data from network traffic." The lesson he draws from this incident and others is the necessity for monitoring behavior on networks, especially given the frequency with which credentials are compromised.

Dave Bittner: [00:05:17:22] Turning to the threat of the recently disclosed MySQL flaws, patched by some but not all affected vendors, CSO thinks the incident affords an object lesson in the importance of permission management.

Dave Bittner: [00:05:30:08] And the large number of private keys exposed on publicly accessible web servers indicates, says Naked Security, that those who develop firmware for embedded devices shouldn't share or reuse private keys, enable remote administration by default or let users activate new devices until they've set the necessary passwords.

Dave Bittner: [00:05:49:14] Our reporters are on-site in Washington today, covering the Seventh Annual Billington CyberSecurity Summit. They'll have a full report for us tomorrow, but, for now, they're sharing what they heard in the morning keynote by US Federal CIO, Tony Scott. It's clear that he thinks the biggest IT and security challenges Federal agencies face across the board is their dependence on legacy IT systems. He said that adherence to three outdated "paradigms" (as he called them) are imposing significant economic and security costs on the government. These, he identified as technology, organization and funding. He argues that a large scale upgrade and modernization of Federal systems would constitute the most important steps the government could take to improve not only its IT, but its cybersecurity posture as a whole. We'll have more tomorrow on the Billington CyberSecurity Summit.

Dave Bittner: [00:06:39:04] The Johns Hopkins University Information Security Institute along with COMPASS Cyber Security is hosting the third annual Senior Executive Cybersecurity Conference here in Baltimore, September 21st 2016. The CyberWire is a media sponsor for the event and we checked in with Tony Dahbura, the Executive Director of the Johns Hopkins Information Security Institute to learn more.

Tony Dahbura: [00:06:59:11] The event is really targeted to executives and senior leadership from pretty much every industry. Everyone is so concerned about cybersecurity, namely protecting their data and defending against intrusions of their systems. And those are the topics that we cover in this event. We go over different types of cyber threats and statistics, we talk about different types of attacks, especially this year we're going to go in depth into social engineering and phishing attacks, we're going to talk about emerging technologies including cloud storage, data encryption, and we're also going to talk about a really important topic, which is the human element of cybersecurity in the enterprise. So it's going to be an information filled day. We're trying to make it a one stop shop for people to really get a great idea of what's going on out there in cybersecurity.

Dave Bittner: [00:07:56:21] And you've lined up quite an impressive array of speakers. Give us some of the highlights, some of the names of people who are going to be speaking.

Tony Dahbura: [00:08:04:14] We've invited some of the heavy hitters, for instance, Lorrie Cranor who is with the Federal Trade Commission and also with Carnegie Mellon, and the Federal Trade Commission is playing an increasingly important role in cybersecurity policy and regulations. We have Donald Good from Navigant. We have Bob Olsen from our partner on this, from COMPASS, talking about the security landscape. We have a couple of people from the Applied Physics Lab at Johns Hopkins, talking about, this is fascinating, the anatomy of a breach, which I'm really looking forward to. This is what they do day and night down there, studying these types of attacks. We also have several panels in the afternoon covering different events, we'll have participants from different industries, such as insurance, banking, financial and high tech industries.

Dave Bittner: [00:09:04:14] So, who's your target audience? Who are the people for whom this should be a can't miss event?

Tony Dahbura: [00:09:12:00] The key people that should attend this event are the leaders in companies who really need to get a lot of information, be able to survey the landscape in one day. That's what this is designed for.

Dave Bittner: [00:09:24:16] Tony Dahbura, from Johns Hopkins University Information Security Institute. The event is the Third Annual Senior Executive Cyber Security Conference taking place in Baltimore on the Johns Hopkins University Homewood Campus, September 21st, 2016. And we, at the CyberWire, are pleased to be media sponsors of the event and we hope you'll check it out.

Dave Bittner: [00:09:44:18] US discontent with Russian behavior in cyberspace, especially with what are generally taken to be Russian influence operations intended to call the legitimacy of US elections into question, recently led Defense Secretary Carter to warn Russia against attempts to undermine democratic institutions and the international order as a whole. His Russian counterpart, Defense Minister Sergei Shoigu, hit back yesterday, "you too," he said in effect, and said that "the international order mustn't be mistaken with the American order." Part of that international order, of course, is the longstanding tradition of close cooperation between the United States and the United Kingdom. That relationship grew stronger this week with the conclusion of an agreement of increased cyber cooperation the two nations concluded.

Dave Bittner: [00:10:30:23] We feel, somehow, we've been neglecting Pokemon-GO, not having mentioned it for a few days, did you miss your Pikachu gossip? Well, there are fresh warnings from Trend Micro that bogus apps are redirecting Pokemon trainers away from the Google Store and into what Wired called "spammy" rogue app stores. Catch them all but don't catch anything else.

Dave Bittner: [00:10:51:24] And finally, since everyone's worried about elections, let us give you something else to worry about: online petitions. Did you know that a petition has reached The White House with sufficient signatures to require action on a request to change the United States National Anthem from the Star Spangled Banner to Sonic The Hedgehog's "City Escape" music? We don't know, but one of our stringers is disturbingly interested in this, he says he wants to make America fast again.

Dave Bittner: [00:11:25:10] Time for a timely message from our sponsors at E8 Security. Putting your data together with E8's analytics for security that can handle the unknown unknowns. Consider what might warn you off to malware on your system, listening to running programs on a rare or never seen before open port is one of them, it's easy to say that, but, could you say what counted as rare or never seen before? Or would that information jump out at you as you reviewed logs? If you had time to review your logs, and by the time the logs reached you the news would be old. But E8's analytical tools recognize and flag the threat at once, enabling you to detect, hunt and respond. Get The White Paper at and get started. E8 Security, your trusted partner. And we thank E8 for sponsoring our show.

Dave Bittner: [00:12:14:00] And I'm pleased to welcome Emily Wilson, she's the director of analysis at Terbium Labs, one of our research partners. Emily, welcome to the show, this is your first time with us, so, by way of introduction, tell us a little bit about yourself.

Emily Wilson: [00:12:25:14] Sure, thank you for the introduction and happy to be here. I am Emily Wilson, as you mentioned, I'm Director of Analysis at Terbium Labs. I didn't come to dark web data intelligence by whatever you might think of as the normal routes, I have a degree in international relations from the College of William and Mary, spent a lot of time looking at Russian foreign policy, and now, thankfully, Russia has come back into focus.

Dave Bittner: [00:12:46:16] It certainly has.

Emily Wilson: [00:12:48:01] That's worked well for me. So yes, I direct a team of analysts over at Terbium and the work that we do is based on the idea, we like to say, that defense, while necessary, is no longer sufficient. The idea that dark web data intelligence isn't kind of a single problem you need to manage, it's an ongoing issue, and that more likely than not your information probably will end up online somewhere where it shouldn't.

Dave Bittner: [00:13:11:16] So, give me an idea of the types of research that you are all doing there at Terbium.

Emily Wilson: [00:13:16:02] Sure, a great question. We are actually in the process right now of putting together a formal research paper, kind of demystifying the dark web and looking at the realities of the information that appears there. One of our technologies that we use at Terbium is this kind of massive scale dark web crawler, and so using that same technology we're able to go through and ask interesting questions, you know, what is the dark web? What kind of content appears there? Is it legal? Is it illegal? Is it mostly drugs or weapons or fraud? Or questions we get often: are the terrorists there? Can I do human trafficking through the dark web? And so we're putting out this research paper to answer some of those questions.

Dave Bittner: [00:13:55:15] Alright, well, Emily, welcome to the show, we'll look forward to talking to you again soon.

Dave Bittner: [00:14:01:17] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media, the Editor is John Petrik, our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.