The CyberWire Daily Podcast 11.17.16
Ep 228 | 11.17.16

Social media aren't automatically on the right side of history, it seems. More on the Adups backdoor. Holiday shopping cyber-safety and security.


Dave Bittner: [00:00:03:16] German concerns about Russian election influence mount. In the US, the NSA Director says a nation-state made a conscious attempt to influence American elections. Dictators can use social media, too, it seems. Holiday shopping security warnings are out, and they're not just about online purchases, either. The UK's Snooper's Charter passes the House of Lords. And a Russian court tells that country's ISPs to shut down LinkedIn; it's a concern about privacy, don't you know.

Dave Bittner: [00:00:36:09] Time for a message from our sponsor, E8 Security. You know, to handle the unknown unknown threats, you need the right analytics to see them coming. Consider the insider threat and remember that an insider threat isn't necessarily a malicious actor. Sometimes it's a well-intentioned person who's careless, compromised or just poorly trained. Did you know you can learn user behavior and score a user's risk? E8 can show you how. Did you know, for example, that multiple Kerberos' tickets granted to a single user is a tip-off to a compromise. E8 can show you why. Get their White Paper at and get started. That's Download that free White Paper, "Detect, hunt, respond." E8 Security. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:33:05] I'm Dave Bittner in Baltimore, with your CyberWire summary for Thursday, November 17th 2016.

Dave Bittner: [00:01:39:08] Hans-Georg Maassen, head of Germany's Federal Office for the Protection of the Constitution, adds his voice to warnings of potential Russian interference in German elections. Maassen told Reuters he thinks the Russian objective would be to erode confidence in German institutions and to sow mistrust among members of the European Union. The information operations he describes would count as "black propaganda," that is, as false stories, the counter to which he says should be unmasking and rumor control.

Dave Bittner: [00:02:10:06] Foreign Policy makes a depressing observation about cyberspace, both in terms of security and in terms of information operations. Repressive regimes have found many ways of turning social media to unfortunate advantage, Twitter's rise as the daystar in the false dawn of Iran's Green Revolution now seems like ancient history. Information may want to be free, sure, but a kind of Gresham's Law might also be operating here, with bad money driving good money out of the marketplace.

Dave Bittner: [00:02:39:08] So German concerns track US concerns on this matter fairly closely. NSA Director, Admiral Michael Rogers, said this week that an unnamed state, but there's no mystery about which one, the US Intelligence Community named Russia a week ago, made "a conscious effort" to affect the recent US elections via WikiLeaks. The WikiLeaks connection is significant, since it would make the operation Julian Assange leads to be, in US official eyes, at the very least an agent of influence acting on behalf of Russian interests. It's worth noting that whatever motives WikiLeaks has are likely to be overdetermined. Assange probably had political rooting interests and a taste for online muckraking long before any alleged contact by Russian organs.

Dave Bittner: [00:03:24:18] Reactions in the US press are interesting. Mother Jones wants Congress to investigate and Mother Jones is sounding, perhaps surprisingly, a lot more like Mr. Deeds than their labor-activist and Wobbly founder namesake. An op-ed in the Christian Science Monitor's Passcode, remembering that the documents leaked were apparently genuine enough, argues that the big lesson to take away from the US elections is that everyone, especially politicians and their staffs and their enablers, needs to do a better job of securing themselves online.

Dave Bittner: [00:03:54:24] An ongoing threat to organizations and individuals alike are phishing attacks, typically emails that use social engineering to get users to click through to nefarious websites or otherwise unwittingly do the bidding of the baddies. We've checked in with John LaCour, CEO of PhishLabs, for some advice on fighting the phishers.

John LaCour: [00:04:13:14] Security hardware and software companies try to make technology that catches the attacks before they get put in front of humans and by and large, they work pretty well. Most of the bad stuff is, is filtered out but yet some of it still gets through and, you know, the bad guys are able to tailor their emails and tweak them over time to figure out how to make them get through. So some of these malicious messages end up in user mailboxes, you know, where users have to take action to either infect their computer, open them, the backdoor for the bad guys. You know, automated technology is not going to be a panacea but it, but it does help.

Dave Bittner: [00:04:53:00] Do people's perceptions of, of phishing align with the reality of it? Do people consider it to be the serious threat that it is? Do they take it more seriously than they should or less seriously than they should or somewhere in the middle?

John LaCour: [00:05:05:17] I think people don't take it seriously enough. I think it's, it's one of those things where, you know, they hear about the media stories of data breaches but most people think, well, that, that happens to other people or I'm going to recognize the attacks. But the reality is, is that, you know, and it's a good thing in a way, most people's human nature is to be helpful. And so the attackers know this and use that as part of their attack, so they'll send email messages that are, are friendly. In some cases the attackers will send emails that are very demanding and ominous and they want to encourage people to take action right away. And so I think people don't understand how sophisticated some of these attacks can be and, generally, are not very good at spotting the phishing messages. You know, we're-- we've known about phishing for a long time and companies are still losing in some cases millions of dollars every year to phishing attacks so, you know, the results speak for themselves. Phishing is still a big problem.

Dave Bittner: [00:06:06:19] So what, what's your advice to, to companies who want to try and get a better handle on this?

John LaCour: [00:06:12:05] Yeah, so my advice to companies is to really do three things. It's a three-pronged approach. The first is to educate your users and that's your first line of, of defense after the security technologies that you've already invested in. The second step is, once you've educated users, leverage them as part of your threat detection system if you will. Have a process whereby users can report suspicious emails and have them acted upon. And then thirdly, take those learnings from those reports and use that as a feedback loop to better your security posture, whether that's by improving technology and tools that you've purchased, whether that's by improving your education program or just better information about what sort of information or data your attackers are going after.

Dave Bittner: [00:07:00:00] That's John LaCour from PhishLabs.

Dave Bittner: [00:07:03:21] Huawei and ZTE scramble to reassure customers about the Adups backdoor Kryptowire researchers found in too many phones. Huawei asserts, firmly, that it's never been a customer of the Shanghai Adups Technology Company. ZTE doesn't go quite that far, but it does say that none of the phones it's sold in the US feature the backdoor.

Dave Bittner: [00:07:25:03] Enigma Software predicts a holiday cybercrime spike, and others, including Core Security and Skycure, offer advice on staying safe while shopping. Skycure's even got a run-down on the riskiest mall Wi-Fi systems. You can read the whole thing from the link in today's CyberWire daily news brief, but we'll just say that there's one shopping center in Vegas where you should probably keep your phone turned off.

Dave Bittner: [00:07:49:04] Recorded Future is offering a peek into the mind of the cybercriminal. Readers of Freakonomics who've seen how low-level street criminals are recruited even though the money goes to the kingpins, and those of you who saw Donnie Brasco and remember the Pacino character trying to saw open parking meters for chump change won't be surprised to learn that low-level cyberhoods lack skills and really just don't make very much. But, alas, they're still out there, so be on guard when you shop during the holidays.

Dave Bittner: [00:08:17:03] Others are predicting a holiday surge of denial-of-service, too, in part because the barriers of entry in this part of the criminal market have dropped as much as they have. The CyberWire heard from Plixer's CEO, Michael Patterson, on this issue. He said, quote, "It's no surprise that the volume of DDoS attacks are on the rise. It provides value to cyber criminals in multiple ways," end quote. It can, as we've seen, serve as a misdirection for a simultaneous targeted attack. And the threat of DDoS can be a way of extorting companies, like retailers depending on holiday online sales, to pay up or face seasonal ruin. Patterson went on to say that the widespread availability of Mirai source code has contributed to the problem, as has the proliferation of connected things in the Internet-of-things. Quote, "If you consider that Gartner estimates that by 2020, 50 billion connected 'things' will be on the Internet, you can appreciate that the trend here isn't really our friend," end quote.

Dave Bittner: [00:09:14:09] In the UK, the Snooper's Charter passes the Lords. This means that, once it receives the expected, essentially routine, royal assent, it will become law, probably before the new year.

Dave Bittner: [00:09:25:10] And finally, because the Russian government cares as much about personal privacy as it does about combinations in restraint of trade, a Russian court has ruled that the country's ISPs must block LinkedIn. You did see that Kaspersky and Microsoft are now in an antitrust dust-up in a Moscow court? Hm.

Dave Bittner: [00:09:49:14] Time to take a moment to tell you about our sponsor, AlienVault. Do you know that a typical attack goes undetected for more than eight months? This is especially frightening considering 90% of all businesses have suffered an attack, so it's no longer a question of whether an organization will be breached, it's when. Better threat detection starts with AlienVault Unified Security Management. The AlienVault platform provides all of the essential security controls needed for a complete threat detection in one easy to use and affordable solution. With its integrated security controls and expert threat intelligence from the AlienVault Lab Security Research Team, you don't need to deploy and manage numerous security point products. Spend your time responding to threats rather than researching them with AlienVault. Visit today to download your free 30 day trial of AlienVault Unified Security Management. That's And we thank AlienVault for sponsoring our show.

Dave Bittner: [00:10:52:04] Joining me once again is Ran Yahalom. He's the Project Leader at the Malware Lab of the Cyber Security Research Center at Ben-Gurion University. Ran, USB devices are one of your specialties and today you wanted to take us through some potential hardware vulnerabilities when it comes to USB devices.

Ran Yahalom: [00:11:07:20] I want to talk about two categories, primary categories of USB hardware attacks. The first one is what I call Trojan attacks. Now there are many inexpensive microcontrollers out there that can be used to emulate different USB devices, practically any USB device, while being concealed in an innocuous casing. For example, you can consider the Teensy which is a complete USB microcontroller development system and comes with many free software development tools and can be purchased for only $20.

Ran Yahalom: [00:11:37:08] And another example is the universal RF USB keyboard emulation device, which was developed by Monta Elkins which is basically a Teensy with an additional radio frequency component attached to it and it allows, it allows the adaptive and remote delivery of keystrokes to a computer. So it's actually overcoming the blind timing and selection of attacks and these are challenges that you-- it's impossible to overcome if you can't operate from a remote location.

Ran Yahalom: [00:12:08:00] And a different example is the USB Rubber Ducky, which is a commercial keystroke injection attack platform. It's based on an anthill microcontroller that poses as a keyboard and it was-- it's developed by the nice folks at Hack5 and can be purchased for about $45. It is a little bit more expensive, but it's, it does almost everything with a very simple language that you can code the scripts with and it will automatically-- once you inject it, it will automatically execute a script of commands that is capable of changing system settings, opening backdoors, retrieving data, initiating reverse shells or basically anything that you can achieve with physical access and it does that all in a matter of seconds.

Ran Yahalom: [00:12:55:01] So the second category, I guess you can call them electrical attacks. This thing was originally referred to as a USB killer and it was developed by a Russian security researcher in 2015 nicknamed "Dark Purple". And what he did, he just built a USB stick that, that's capable of destroying sensitive components of your computer once it's plugged in. Okay, basically what he does is, he connect-- when you-- once you connect the stick to a host's USB port, it starts the operation of a voltage converter on the USB stick which charges the capacitator to about minus 220 volts and then, when that voltage is achieved, the converter is switched off, the capacitator is charged and it's accumulated energy, just apply it to the signal lines of the USB interface. This cycle is repeated and, about in a couple of seconds, you can incapacitate the host computer. So it basically fries part of the computer.

Ran Yahalom: [00:13:54:14] So what we really should hope for are new USB devices that the manufacturers do add some kind of hardware signature of validation of the firmware and another approach maybe would be to develop all sorts of detection methods, kind of like what my research is aiming at, so that we can continue using the very many currently available USB devices but be safe.

Dave Bittner: [00:14:23:05] Alright. Ran Yahalom, thanks for joining us.

Dave Bittner: [00:14:27:24] And that's the CyberWire. A quick reminder that there's more to the CyberWire than just this podcast. We also publish a daily cybersecurity news brief, which you can subscribe to on our website, And thanks to all of our sponsors, who make this CyberWire possible.

Dave Bittner: [00:14:42:17] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.