The CyberWire Daily Podcast 12.2.16
Ep 237 | 12.2.16

Europol and its partners say they've got the head of the Avalanche snake. DDoS and IoT botnet updates. Android vulnerability. New rules for warrants and insider threats.


Dave Bittner: [00:00:03:21] Police take down the Avalanche cyber crime ring. A vulnerability in Android is reported. You can find the app in the Google Play store. Russia says there's a plot afoot to hack its banks and spread financial panic. US Senators tell the White House, they want to know more about Russian attempts to influence US elections.

Dave Bittner: [00:00:20:11] This week has seen more Mirai DDoS; a resurgence of Shamoon and another round of WikiLeaks doxing. There are also changes to NISPOM and Rule 41 in the US. And in the UK, the Snooper's Charter receives Royal assent. And what do pacemakers and e-cigarettes have in common? Malware.

Dave Bittner: [00:00:44:01] Time for a message from our sponsor Netsparker. Do you know how to tell a false positive from a real threat? Netsparker does. If it's exploitable, it's real. Netsparker's distinctive automated scans drive our false positives; save you money and improve security. Their approach is proof based scanning. Netsparker's innovative scanning engine automatically exploits the vulnerabilities it defines in websites and presents you with a proof of exploit. You don't need to verify the scanner findings, to see if they include false positives. If Netsparker tells you it's bad, trust them, it's bad. Remember, if it's exploitable, then it's definitely not a false positive. Learn more at

Dave Bittner: [00:01:22:17] But wait, there's more and we really do mean more. Go to for a free 30 day trial of Netsparker Desktop. It's fully functional. Scan your websites with Netsparker and let them show you how they do it. That's We thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:50:22] I'm Dave Bittner in Baltimore, with your CyberWire summary and weekend review for Friday December 2nd, 2016.

Dave Bittner: [00:01:58:04] We're able to begin today with some good news. An international police operation involving the FBI, the UK's National Crime Agency, Germany's BND, Europol and others has taken down the Avalanche cyber fraud ring. Avalanche has been described as one of the largest crime-as-a-service networks in cyberspace.

Dave Bittner: [00:02:17:03] Active since 2009, it hosted not only money laundering operations, but some of the world's best known and most dangerous malware. The names of the malicious code families will be familiar to many of you; Citadel, Dridex, Vawtrak, TeslaCrypt, Pandabanker, Cridex and GameOverZeuS; to mention just a few of the strains available on Avalanche. Avalanche had long been resistant to take down because of the fast flux approach it employed; changing the IP address records associated with domain names roughly every five minutes.

Dave Bittner: [00:02:49:24] 39 servers are said to have been seized in coordinated raids, with another 221 taken offline. Hundreds of thousands of domains were also seized in an international sweep carried out in five countries Wednesday. Wired puts the tally north of 800,000.

Dave Bittner: [00:03:06:10] The US Department of Justice, reporting on the operation and the role the FBI played in it, especially the Pittsburgh office, said that some 40 countries were involved. At least five arrests have been reported so far, with other warrants still outstanding.

Dave Bittner: [00:03:20:12] The take down is interesting and, perhaps, novel in that it concentrated on hitting leadership and key infrastructure, as opposed to netting little fish and tinkering around the margins. In a statement to the Associated Press, Fernando Ruiz, Head of Operations at Europol's Cybercrime Center, put it this way. Quote, "We have arrested the top, the head of the snake. We are sure that this will have a very huge impact," unquote.

Dave Bittner: [00:03:43:18] The rest of the snake hasn't escaped attention either. German authorities identified 16 leadership level players at Avalanche and a German court in Verden is said to have issued seven arrest warrants.

Dave Bittner: [00:03:55:11] Avalanche had victims in a reported 180 countries. Observers see this success as a good sign that Avalanche has gone for good; although, one must temper such optimism with recognition that we've seen criminal reverence before and almost surely will again. As usual, the investigation and take down preceded with security industry support. Yesterday's raids were the culmination of four years of collaborative international police work.

Dave Bittner: [00:04:20:09] A new Android vulnerability surfaces inside Google Play's walled garden. Zimperium reports that, for the past six month, the remote management app AirDroid has used a static, readily detected encryption key. Ars Technica compares it to leaving your house key under a doormat. Zimperium informed AirDroid of the vulnerability in May and AirDroid has sought to address it, but with imperfect success. They're working on a comprehensive solution.

Dave Bittner: [00:04:47:13] Russian authorities say they've uncovered a plot by unnamed foreign intelligence services - but they're looking at you Vice-President Joe Biden, you spymaster you - to disrupt Russia's banking system with a mix of cyber attacks and information operations designed to foment financial panic. These statements have a certain symmetry with concerns expressed in the US over Russian election hacking.

Dave Bittner: [00:05:10:22] On that election hacking, FireEye describes Russian intelligence services as having quote, "Weaponized social media," unquote. And says, those services no longer appear to care much about their activities going undetected. Several US Senators have asked the White House to reveal more of what they think the White House knows about Russian attempts to influence the election.

Dave Bittner: [00:05:32:03] Looking back at the week, observers continue to expect more Mirai botnet distributed denial of service. The biggest incident affected nearly a million customers of Deutsche Telekom last Sunday. It's since come to light that there were smaller, but still significant disruptions in the UK. Both TalkTalk and the British Post Office were hit with DDoS also on Sunday.

Dave Bittner: [00:05:52:13] About 100,000 UK customers were knocked offline and Mirai IoT botnet has been implicated in both the German and British incidents and, in both cases, the botmasters told affected customers, they were sorry and meant no harm. The customers didn't get your apologies dude, they were offline. Go figure.

Dave Bittner: [00:06:12:03] Shamoon has returned to bedevil Saudi networks, destroying data in several sectors. Civil aviation is thought to be particularly affected by the Iranian malware.

Dave Bittner: [00:06:22:10] WikiLeaks doxed the German BND over its relationship with the US NSA. WikiLeaks also sustained a four hour outage yesterday and speculators speculate on a priori grounds that the incident was a retaliatory DDoS; because, of course, that's what speculators do.

Dave Bittner: [00:06:39:14] On Wednesday, NISPOM Change Two went into effect. NISPOM is the National Industrial Security Program. It required all federal contractors with a facility clearance; that is roughly a clearance to store and work with classified information, to self-certify that they have an insider threat management program in place. Such a program would address responsibility, training and reporting. Insider threats, of course, can be malicious, careless, or even well intentioned.

Dave Bittner: [00:07:06:05] Another example of an insider threat came to light this week in the Netherlands; where people noticed that documents relevant to Europol terror investigations were compromised by a careless police investigator. He took them home and exposed them to the Internet; where Shodan searches stumbled across them. The unnamed investigator is described variously as a rogue and not a rogue. It would seem likely that he belonged to that tribe of hard-working pack rats that's long been the despair of security officers.

Dave Bittner: [00:07:36:10] The week also saw the Snooper's Charter become law in the UK and, in the US, implementation of changes to Rule 41; which governs the scope of warrants to collect information online pursuant to criminal investigations. We'll hear more about this from Ben Yelin after the break.

Dave Bittner: [00:07:53:05] Finally, some notes about cybersecurity and your health. Researchers have shown that various pacemakers and implantable defibrillators, ICDs, are vulnerable to reverse engineering and hacking. Their proof of concept exploits show that they could collect information about the patient in whom such a device was installed; as well as information about their treatment. It's also possible to go beyond such threats to privacy and drain the device's battery, or send the device arbitrary commands.

Dave Bittner: [00:08:21:10] Perhaps you're thinking you can avoid these problems by adopting a more heart healthy lifestyle. You've heard that smoking cigarettes could give you heart disease and so you chuck your last pack of coffin nails and say to yourself, I'm going to get me some of those e-cigarettes I see at the convenience store. No luck, friend. The malware's going to get you even in the low tar alternative. Wapack Lab says that, people suspect some Chinese e-cigarette manufacturers are hard-coating the USB charging units, that come with the high tech butts, with malware. So think twice before you plug that cigarette into your laptop's USB port. That nicotine buzz isn't worth a malware infestation.

Dave Bittner: [00:09:04:05] Time for a moment to tell you about our sponsor Recorded Future. You've probably heard of Recorded Future; the real time threat intelligence company. Their patented technology continuously analyzes the entire web, to give InfoSech analysts unmatched insights into emerging threats. We subscribe to and read their cyber daily.

Dave Bittner: [00:09:16:07] They do some of the heavy lifting and collection and analysis, that frees you to make the best informed decisions possible for your organization. Sign up for the cyber daily email and every day you'll receive the top results for trending technical indicators that are crossing the web; cyber news targeted industries; threat actors exploited vulnerabilities malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks.

Dave Bittner: [00:09:44:06] Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. That's We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:10:05:05] Joining me once again is Ben Yelin. He's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, once again, this case with the FBI versus the people who ran the Playpen child pornography site is back in the news. There have been some new revelations about the extent of the FBI's hacking. Bring us up-to-date.

Ben Yelin: [00:10:23:18] We found out in January, at least a small part of the extent of this operation, in which the FBI was trying to hack into computers, to shut down this child pornography ring. We recently learned that the deployed malware was much more extensive than we originally thought; it's now known that the FBI obtained over 8,000 IP addresses and they were actually able to hack computers in 120 different countries.

Ben Yelin: [00:10:50:21] The reason that this concerns some civil liberties advocates is that, all of these searches were based on a warrant issued by one magistrate; one magistrate who generally would only control a relatively small geographical area. But in this case, this warrant has covered, obviously, IP addresses both in the United States and around the world. That actually invokes another problem that's been in the news recently and that's so called Rule 41 of the Federal Rules of Criminal Procedure. The way Rule 41 operates is that, it dictates the ground rules for electronic surveillance and one of those ground rules is that, magistrate judges cannot allow surveillance anywhere beyond their jurisdiction.

Ben Yelin: [00:11:36:01] Earlier this year, those rules were amended and those amendments were ratified by the US Supreme Court and, now, under Rule 41, a single magistrate judge can authorize electronic surveillance, even if the surveillance itself is going to implicate IP addresses beyond the geographical reach of that magistrate judge.

Ben Yelin: [00:11:57:14] This caused a bit of a political battle earlier this week, in the United States Senate. A couple of Senators tried to introduce a bill to delay implementation of this amended Rule 41. I know Senator Ron Wyden, who is one of the biggest civil liberties advocates in the Senate, was behind this effort; also Christopher Coombs of Delaware. They tried to get a bill passed by unanimous consent in the Senate. The Senate leadership had no interest in passing the bill; they objected to the request and the rule took effect as of December 1st.

Ben Yelin: [00:12:29:13] Obviously, this is something we're going to have to watch for going forward. Since the Supreme Court has ratified Rule 41, really the only remedy is going to be legislative. It remains to be seen whether there's the political will to undo the work that's been done to amend Rule 41.

Dave Bittner: [00:12:46:12] Well, we'll have to keep an eye on it. Ben Yelin, thanks for joining us.

Dave Bittner: [00:12:58:08] My guest today is John Dixon. He's a Principal at Denim Group; a secure software development company and consultancy on matters of software risk and security. John Dixon is a former US Air Force Officer, serving in the Air Force Information Warfares Center and was a member of the Air Force Computer Emergency Response team.

Dave Bittner: [00:13:17:01] In his role at Denim Group, he's close to policymakers at the State and Federal level and we wanted his take on what we might expect in terms of cybersecurity policy, as we head towards a Trump presidency. He joined us from his office in San Antonio, Texas.

Dave Bittner: [00:13:31:08] What about, you know, his relationship with the Russians? There was much talk, during the campaign, that President Elect Trump resisted naming the Russians as being responsible for hacking; although he encouraged them to do so. As we move forward and he has to engage with agencies like NSA and the FBI, how are those relationships, or even his tone and attitude towards the Russians going to frame things for him?

John Dixon: [00:14:03:24] Well, I would pay a lot of money to be at that first meeting, or some meetings in Fort Meade. You know, interesting enough, these guys work for him now; these agencies, these thousands and thousands of professionals in the intelligence community now work for him and the executive branch and report to him. Now they're his asset.

John Dixon: [00:14:25:04] My sense is, there's probably some level of mending of fences that should and probably has to occur; so he's going to have to trust at least Admiral Rogers, somebody in the DoD or DHS and that's why I think the employments are so important.

John Dixon: [00:14:44:21] But yes, he definitely pretty strongly came out questioning the intelligence community; that's probably one of the first candidates that I can recall that's done that. Overtly encouraging the Russians to hack us, that was probably more hyperbole than it was serious policy, in the context of the moment; so we'll give him a little bit of benefit of doubt on that one. But we'll see.

Dave Bittner: [00:15:11:13] Is it fair for us to expect expertise in the realm of cybersecurity? I mean, certainly, not everyone who has held the office of the President has been an expert in all of the areas that were under their command. I think there's this notion that, as long as people put good people around them, who do know these sorts of things and then trust and follow their advice and good counsel, then we may just be okay.

Dave Bittner: [00:15:39:04] But that's not the sense that I think people are feeling, or describing as we come into a Trump Presidency. Certainly his behavior during the campaign doesn't give a lot of people hope. Do you think that's a fair assessment?

John Dixon: [00:15:57:15] I think we're going to see; we'll find out. What's happened, since the election with the transition team, doesn't put those fears to rest. Here's what I would say. He is going to have bigger policy issues to tackle; we've already talked about that and he's going to have policy issues that come to him.

John Dixon: [00:16:16:15] I think, if you read about what happens to any Presidents in the first 100 days, they're typically tested by some type of foreign policy crisis that wasn't on their radar screen. It happened to Obama, it's happened to every President; where they come in and say, here's my script for my first 100 days and then something happens in the Middle East, or the North Koreans do something and it sucks the cycles out of you.

John Dixon: [00:16:42:12] I think that'll be interesting to see and that's why they have to rely on experts; because you want the public policy engines of State to continue onwards, in spite of those crises.

John Dixon: [00:16:54:08] I will be very interested to see, given his interaction with Anonymous, or the Anonymous guys coming after him; whether or not the hacktivists are going to do something; whether or not he's going to be tested by the Russians and the North Koreans. But one thing I would say, I bet he's probably one of the smartest candidates on cybersecurity stuff; given what he went through during the campaign.

John Dixon: [00:17:23:09] I mean, his properties were attacked; the hotels were attacked; his campaign headquarters was attacked; obviously the DNC and RNC were attacked. He may be, along with his former competitor, probably the smartest candidate on cybersecurity ever, I would suggest.

John Dixon: [00:17:40:12] There is a lot of policy underway, at the executive branch level, the DHS and in the DoD and certainly a lot of proposal legislation in Congress. You've got smart guys on both sides of the aisle and both houses. Guys like Will Hurd, Mike McCaul, from our backyard, who know this stuff particularly well.

John Dixon: [00:18:02:11] One interesting positive that's come out of all of this is that, maybe with the deadlock in the house and Senate, between the two parties, maybe they can actually get some cybersecurity legislation through that helps move things forward; versus the last year or two, where neither party wanted to give each other a win.

John Dixon: [00:18:22:21] I'm hopeful, I've got my fingers crossed, that maybe we can move the legislative needle above and beyond information sharing. The question on the legislative front is, you know, will Senator or Congressman submit a bill that creates a separate agency, a Cabinet level role for this type of function. That was something that got banded about last year. We'll see, but yes, on the executive side, government will continue on doing what it does.

Dave Bittner: [00:18:52:20] That's John Dixon from Denim Group.

Dave Bittner: [00:18:59:16] That's the CyberWire. For links to all of today's stories, along with the interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible. If you're considering sponsoring our show and putting your message in front of our global audience of cybersecurity professionals, visit to find out how. But don't delay, 2017 is selling out fast.

Dave Bittner: [00:19:23:09] The CyberWire podcast is produced by Pratt Street Media, our Editor is John Petrik, our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend everybody and thanks for listening.