The CyberWire Daily Podcast 12.20.16
Ep 249 | 12.20.16

Another Ukrainian power grid outage may have cyber causes. ShadowBrokers may have got Equation Group code from a rogue insider. WordPress brute-forcing. Evading volumetric detection. Methbot ad fraud. Wassenaar remains controversial.


Dave Bittner: [00:00:03:02] Another possible cyber incident in Ukraine's power grid last Saturday remains under investigation. Flashpoint looks at the ShadowBrokers' alleged Equation Group code and sees a rogue insider behind the leak. WordPress sites are receiving a lot of brute-forcing attempts. New spam and other attack techniques are evading volumetric detection. Mirai is sniffing for new IoT bots. Russian crooks skim ad revenue with the Methbot scam. Wassenaar cyber arms control remains controversial. And informed speculation suggests the ShadowBrokers and Bocephus Cleetus are, da, effectively the same people.

Dave Bittner: [00:00:43:16] It's time to take a moment to tell you about today's sponsor, Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyses the entire web to give cyber security analysts unmatched insights into emerging threats. We read their dailies at the CyberWire and you can too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:46:01] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, December 20th, 2016.

Dave Bittner: [00:01:53:02] Many of you will recall that a year ago this month the power grid in Eastern Ukraine was taken down by a complex cyberattack. It involved phishing that installed BlackEnergy and Killdisk malware to facilitate access to substation controls followed by telephonic denial-of-service designed to impede response and recovery.

Dave Bittner: [00:02:11:18] This Saturday Ukraine again experienced an electrical outage, this one on the north side of Kiev and in adjacent districts. Ukrenergo, the national power company, said the interruption was caused by an external influence. Investigation continues and is focused on failure of automation control. The entire incident was remediated rapidly with power restored within 30 minutes and a complete recovery in just over an hour. Last year's attack was widely attributed to a combination of Russian criminal and state actors but there's so far no word on who was responsible for Saturday's disruption or on how it was achieved.

Dave Bittner: [00:02:51:18] Flashpoint has published its close look at the ShadowBrokers' leak of Equation Group code. The security company concludes with medium confidence, that it was an inside job. They say the data's structure looks like something from an NSA internal code repository, one accessible to contractors and employees. That is, they think it unlikely that the agency was hacked from the outside. They also think that one of the more widely believed early theories about the source of compromise, that some operators carelessly left the code exposed on a staging server, is also unlikely. You can see their report on Flashpoint's blog,

Dave Bittner: [00:03:31:16] WordPress vulnerabilities may have been overestimated as source code analysis shop RIPS noted last week but some bad actors are paying them a lot of attention nonetheless. Over the past three weeks the security shop WordFence has observed 1,600,000 brute-force attempts daily against WordPress sites. About a sixth of these attacks originate from a single Ukrainian ISP.

Dave Bittner: [00:03:55:13] Cisco's Talos unit warns of a hailstorm spam. It evades detection by sending low volumes of spam from a large number of IP addresses. PerimeterX observes a similar technique used in botnet-driven brute-force attacks which avoid tripping volumetric warnings by using a very large number of bots.

Dave Bittner: [00:04:14:20] Neustar's study of DDos growth by 2016 is out. They find, not surprisingly, that growth was explosive and it's likely to be fueled by the commodification of attack tools that's proceeding apace. The most famous of those black market commodities, the Mirai bot-herding malware, is, according to the SANS Institute Internet Storm Center, prowling the wild, seeking the ruin of IoT devices exposed at Port 6789.

Dave Bittner: [00:04:41:19] For more on DDoS attacks and where we can expect things to go in 2017, we checked in with Dave Larson. He's the COO and CTO at Corero Network Security and he tells us where the DDoS arms race stands.

Dave Larson: [00:04:54:19] At the moment it's the attackers have the upper hand because they have this new tool in these growing IoT botnets that they can leverage and that tool is not going to be quickly remediated. It's all well and good for one of the Chinese manufacturers of the DVRs and CCTV cameras associated with initial incursions to issue a recall. That doesn't mean that the products will actually be recalled. It means that, you know, their IoT devices that are in place, in utilization and very rarely touched, patched, updated or monitored by the end users who use them, so for a little while at least I think this weapon remains in place.

Dave Larson: [00:05:40:10] The good news is that now everyone is aware of the danger and at the very first stage I think you're going to see significant more attention paid to setting up devices without default passwords. The good news on the Dyn attack is that it took down Twitter and Okta and Reddit and made it onto the mainstream news for that entire day which means even the average person is aware of it now and that passwords are probably something that you should have, you know, put some thought into.

Dave Larson: [00:06:12:15] So I think in one respect the attack itself has probably diminished the future capacity and scale of these attacks because people are going to take proper practice and procedures to lock things down but I think it's also going to set the tone for Internet service providers to understand that they're going to have to be involved in the remediation of the problem. It's very, very difficult remotely across the world to deal with these engines that exist on someone else's access network but it is quite straightforward for a service provider to be able to monitor their own access network, notice when a device is infected and then blacklist it off of the network so that it can't cause further damage and then get the attention of their subscriber to go and do the remediations. If that involves sending the product back on a recall or just reflashing it to factory defaults and giving it a good password but if we follow all of those procedures then we'll be better off a year from now than we are today.

Dave Bittner: [00:07:16:08] That's Dave Larson from Corero Network Security.

Dave Bittner: [00:07:21:20] According to security researchers at White Ops, Russian criminals are exploiting ad networks in the Methbot scam, diverting between three and $6,000,000 a day from US advertisers.

Dave Bittner: [00:07:34:16] The latest version of the Wassenaar cyber arms export controls has still not found consensus approval from policy mavens and the security industry. Vulnerability researchers continue to believe that it will unreasonably restrict and possibly criminalize legitimate and essential security work.

Dave Bittner: [00:07:51:13] The US continues to mull its response to the ways in which it's convinced Russian intelligence services inserted themselves into the now concluded presidential election. The electors have met and Donald Trump is now formally and officially the President-elect. That Fancy Bear and Cozy Bear were in US political party networks seems established with a clear preponderance of evidence. Who actually gave WikiLeaks the damaging DNC emails is far less clear.

Dave Bittner: [00:08:17:21] And finally to return to the ShadowBrokers, the well-known information security researcher who goes by the name of "the Grugq" offers an interesting and wide-ranging cultural and linguistic close-reading of the communications surrounding their Equation Group leak. He describes analyzing those communications, especially those from the newest cut-out, "Bocephus Cleetus," as being, quote, "like semiotics and lit crit on steroids," end quote. And we're not saying he's wrong.

Dave Bittner: [00:08:48:04] If the ShadowBrokers wrote like a lazy screenwriter's approximation of Boris Badanov, Mr. Cleetus comes across as that same lazy screenwriter's impersonation of a hillbilly, less credible than Jed Clampett or Ernest T. Bass at their hee-haw worst. References to sun people and the deep state touch the rhetoric of the fringier alt-right and alt-left. Other allusions pay homage to people ranging from Hank Williams Junior to Rage Against The Machine, to the Dukes of Hazzard and their nemesis, Boss Hogg. The Grugq suggests the public-facing activities of the ShadowBrokers, Fancy Bear and Bocephus Cleetus represent a coordinated Russian campaign providing at least some misdirection for influence operations directed against the US elections.

Dave Bittner: [00:09:33:18] Take a look at the Grugq's stuff. He can be found at, that's G-R-U-G-Q, and enjoy. Maybe even earn a credit hour in cultural studies. We'll leave the Grugq the last word, quote, "These guys are hilarious but they also operate like an intelligence agency."

Dave Bittner: [00:09:58:18] Time to tell you a little bit more about today's sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insights into emerging threats. Here at the CyberWire we subscribe to and benefit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want, actionable intelligence. Sign up for the Cyber Daily email and every day you'll receive the top cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:02:09] Joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, I saw a recently released paper talking about homomorphic encryption which is something you and I have talked about on the show before but this paper's talking about how perhaps there have been some breakthroughs that could make homomorphic encryption more practical. Why don't you start off by just giving us a quick review on homomorphic encryption?

Jonathan Katz: [00:11:28:07] Sure, I'd be happy to. So normally when we encrypt stuff using public key encryption, you transform a message into a completely unintelligible blob that only the holder of the secret key can decrypt, and what fully homomorphic encryption allows you to do is actually allow somebody who doesn't have the private key and can't decrypt to still perform computations on the encrypted data. So basically that means you can have a user encrypting some data and then some third party doing a computation, an encrypted computation on that data, and then forwarding that data along, either back to the client or to somebody else who can decrypt and get the result. And this is something that's been a long-standing goal for cryptography since the late 1970s and really a breakthrough was made about a decade ago now, showing that this could even be done at all.

Dave Bittner: [00:12:16:14] And, and so tell us about this recent research that might make it more practical.

Jonathan Katz: [00:12:21:12] So there was some recent work out that showed out to improve the efficiency of fully homomorphic encryption by about a factor of ten, and this is really quite amazing because, like I said, for decades people were not even sure that fully homomorphic encryption was possible. And then since the time that it was discovered, there's been a sequence of improvements in the efficiency of fully homomorphic encryption and people are hoping that it'll get to the point where one day it will in fact be practical.

Dave Bittner: [00:12:48:03] So when we'd spoken previously about homomorphic encryption, you'd told us about how it wasn't really practical for general use. It was really in the experimental phases and so if this research shows that it could be ten times faster than it was, does that put it in the realm of being something that's usable?

Jonathan Katz: [00:13:04:22] Well, the work is really great. I mean, the work is giving a factor of ten improvement over the previous best results, and like I said earlier, there's been a lot of work in improving the efficiency of fully homomorphic encryption since it was invented. Unfortunately, we're still a little bit far from the point of where it's going to be practical. Basically, we started out when it was invented with being about ten to the eight times slower than a native computation, and it's been improved by several orders of magnitude since then but it's still about 10,000 or so times slower than a regular unencrypted computation. So researchers are definitely making progress, and this is certainly work in the right direction, but we still have a ways to go before we're going to see it deployed in the real world, I think.

Dave Bittner: [00:13:45:01] Jonathan Katz, thanks for joining us. And by the way the title of the paper that we were discussing is, "Faster Fully Homomorphic Encryption: Bootstrapping In Less Than 0.1 Seconds." The authors are Ilaria Chillotti, Nicolas Gama, Mariya Georgieva and Malika Izabachène.

Dave Bittner: [00:14:04:14] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.