The CyberWire Daily Podcast 1.10.17
Ep 262 | 1.10.17

Witch hunts and yard sales. See relationships, not dox. Rebrandings, mergers, acquisitions, and executive moves. Building anti-witch capabilities.


Dave Bittner: [00:00:03:03] California says a nation state was behind the Anthem attack The Shadow Brokers hold a yard sale. We'll pass on the malware. But if they had a nice blender out, we'd consider it. WikiLeaks says it's interested in relationships, not doxing. The US FDA confirms vulnerabilities in cardiac devices. Hello Kitty gets breached. Germany and the UK study ways of increasing cyber capability and Russia complains it's the subject of a witch hunt.

Dave Bittner: [00:00:35:12] It's time to take a moment to tell you about our sponsor CyberSec Jobs. If you're an information security professional seeking your next career, or your first career, check out and find your future. CyberSec Jobs is a veteran owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resume and search and apply for thousands of jobs, and it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSec Jobs about their flexible recruitment packages designed to meet your needs. To learn more visit That's And we thank CyberSec Jobs for sponsoring our show.

Dave Bittner: [00:01:30:23] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, January 10th 2017.

Dave Bittner: [00:01:41:14] California, aided by Mandiant, has concluded that it knows "with high confidence" exactly who breached the Anthem health care insurance company in 2014. They've also concluded "with medium confidence" that the responsible actor was working on behalf of a nation-state. The responsible nation isn't named, but most observers have long thought the Anthem breach was a Chinese government operation. Noteworthy among the circumstantial evidence pointing to state espionage is the dog that didn't bark. The compromised data doesn't appear to have been sold or transferred to any "non-state actors," like identity thieves, carders, fraudsters, or other varieties of conventional criminals.

Dave Bittner: [00:02:21:17] The Shadow Brokers have resurfaced. The hacking crew with broken English straight out of Hollywood who say they want to strike a blow against "wealthy elite" and make a little coin on the side. The Brokers have tried since last summer with indifferent success to auction off attack tools they said they obtained by guile or hacking from NSA. They're now holding what Heimdal Security calls a "yard sale." Much of what they've got spread across their virtual front yard consists of Windows malware, especially the unappealingly named "DanderSpritz" remote administration tool.

Dave Bittner: [00:02:55:24] On Friday the WikiLeaks Task Force, a verified Twitter account that represents itself with some plausibility as the "Official @WikiLeaks support account," deleted a Tweet that appeared to indicate plans to build a database of verified Twitter users. There was understandable objection from many Twitter users who saw the effort as an incipient doxing campaign. The WikiLeaks Task Force says it was merely interested in building a database that would display relationships,which many find about as disturbing as doxing, albeit in a different way. WikiLeaks says the ill-feelings are caused by a misperception, and it blames the "dishonest press" for scaring people. So the Tweet is deleted, but it's unclear if the database project it described has also been abandoned.

Dave Bittner: [00:03:42:18] The US FDA confirms that St. Jude Medical cardiac devices are vulnerable to cyberattack. St. Jude said yesterday that it had a patch and was pushing it out. Vulnerabilities in St. Jude devices were initially disclosed in August 2016 by Muddy Waters, a hedge fund interested in shorting St. Jude stock. The vulnerabilities alleged in the public disclosure were reported to Muddy Waters by its partners in the cybersecurity company MedSec. Litigation between St. Jude on the one hand and the team of Muddy Waters and MedSec on the other continues. The FDA finding is expected to prove relevant to the outcome.

Dave Bittner: [00:04:21:12] In a rather different kind of threat to the heart, a database of 3.3 million Hello Kitty fans has leaked online. A poorly configured Sanrio database was copied before it was secured.

Dave Bittner: [00:04:33:15] Ransomware continues to be a threat, showing up at or near the top of just about everyone's list of things we can expect to get worse in 2017. But one company is doing their part to help stem the tide. Cybereason is an Israeli cybersecurity firm and they recently released a free ransomware prevention tool called RansomFree. Uri Sternfeld is Lead Researcher at Cybereason

Uri Sternfeld: [00:04:57:01] If you look at the damages caused by ransomware from 2014 until the end of 2016, you can see an exponential growth from about $25 million worldwide in 2014 to more than $1 billion worldwide. So, what we did was to take a few hundred samples of real world ransomware from about 30/40 different families and sort of looked for the common heuristic. Something that will allow us to catch most types of ransomware without prior knowledge, without concentrating on specific characteristics of each family or even yet unknown families of ransomware. And what we came up with was to concentrate on the low level file activity of ransomware and detect the file encryption patterns that indicated this is a malicious tool trying to encrypt files. This is sort of a very unique activity for ransomware, as opposed to other types of malware and we also managed to distinguish between malicious encryption and the types of legitimate encryption.

Dave Bittner: [00:06:19:06] So, if I'm a user of RansomFree, how will it affect the use of my computer?

Uri Sternfeld: [00:06:24:20] Well, it simply runs in the background. Usually you won't feel anything. One of the techniques we use is to create multiple tiny cannery files throughout the drive. Most of them are hidden from the user, so there's no problem. It simply sits in the background and monitors file activity and doesn't do anything unless it detects a malicious encryption process.

Dave Bittner: [00:06:51:17] And so if it does detect a malicious encryption, what happens next?

Uri Sternfeld: [00:06:55:01] So, it does several things. Uh, the first is to immediately suspend and quarantine the suspected offender. Then it pops up an alert for all the users which are currently logged onto the machine, alerting them to the activity and allowing them to see any affected files, including files they've created or deleted or renamed and then the user is able to either allow the suspect process, if they suspect this was a false positive, which is usually unlikely. Or they can choose to block the threat, which will not only terminate the threat, but also automatically prevent the same threat from ever running again.

Dave Bittner: [00:07:44:17] That's Uri Sternfeld from Cybereason.

Dave Bittner: [00:07:49:23] In the aftermath of last year's two big disclosures of massive data breaches, Verizon may still walk away from its acquisition of Yahoo's core assets, but Yahoo is acting as if it's a done deal. The company has announced that it will be renaming itself "Altaba," and so Yahoo, one of the famous names from the dot com era, will disappear from the tech marketplace. A number of senior Yahoo leaders, including CEO Marissa Meyer, will be resigning. As many note, it's still not clear that Verizon will continue with its acquisition plans.

Dave Bittner: [00:08:23:01] Another big aerospace and defense integrator divests itself of a commercial cybersecurity unit. Northrop Grumman is selling its BlueVector subsidiary to LLR Partners. Financial terms of the sale weren't disclosed, but LLR Partners said that it has committed $50 million to BlueVector "to support the acquisition and future growth plans."

Dave Bittner: [00:08:46:07] Germany and the UK are looking at ways of building their cyber capabilities. Germany is especially concerned about fending off Russian influence operations in the elections the Federal Republic will hold later this year. The UK is conducting a more comprehensive review of its capabilities. Those would likewise include defensive measures against information operations, but Her Majesty's Government is also interested in developing enhanced cyber offensive capabilities. Those who find themselves generally opposed to such capabilities see the beginning of an attempt at control of the media, and opponents of the recently enacted Snooper's Charter are challenging enhanced surveillance powers in court.

Dave Bittner: [00:09:26:18] As the US President-elect comes around to the view that Russia took an interest in US elections, members of Congress and others do some woofing about the possibility that the US is falling behind the opposition in its ability to wage cyber warfare. Historians of the Cold War will be put in mind of the "missile gap" Presidential candidate Kennedy charged the Eisenhower Administration with allowing. For his part, Russia's President Putin decries all of this furor over hacking, mostly in the US but elsewhere, too, as a "witch hunt." It's not our place to advise the Russian government, and if we wanted to do so we'd write a letter to the editor of RT, but it does seem that losing the broomstick and the black conical hat would be a good idea, Vladimir Vladimirovich.

Dave Bittner: [00:10:17:19] Time for a message from our sponsor Netsparker. Are your security teams dealing with hundreds of vulnerability scan results? Netsparker not only automates scanning, but it verifies the exploits it finds too. Reduce alert fatigue and improve security with Netsparker. Not only will your protection improve, but your costs will drop, and that's a good deal in anyone's book. Netsparker's automated approach to web application scanning lets your security team concentrate on the things best left to the human beings. Find out more about Netsparker Desktop and Netsparker Cloud. Whether you're pen testing or securing your enterprise online, you need to check out Try it out free with no strings attached. Go to for a 30 day fully functional version of Netsparker Desktop. And by fully functional, Netsparker means yes, really, actually, truly fully functional. Scan the website with no obligation. Check it out at And we thank Newsparker for sponsoring our show.

Dave Bittner: [00:11:21:08] Joining me once again is Jonathan Katz. He's a Professor of Computer Science at the University of Maryland and also a Director of the Maryland Cybersecurity Center. Jonathan, I was hoping today you could take us through and help us understand some different types of encryption and I wanted to start with attribute based encryption.

Jonathan Katz: [00:11:37:13] So, this is something that's been developed over the past ten years or so in the cryptography community and let's step back actually and just talk about regular publicly encryption. In a regular publicly encryption scheme, anybody has the ability to encrypt and only a designated receiver who has the matching private key can decrypt. Attribute based encryption allows you to do publicly encryption with a more complicated access control essentially. And what this allows you to do is to derive private keys that are policy specific. So they have a particular policy embedded in them that dictates whether or not somebody can decrypt. So, for example, that allows now anybody to again encrypt, like in a regular publicly encryption scheme, but only people whose keys match a particular policy specified by the sender can decrypt.

Dave Bittner: [00:12:23:23] And so, there's another type of encryption called functional encryption. Can you take us through that?

Jonathan Katz: [00:12:29:02] Yes, a functional encryption actually is even a generalization of attribute-based encryption. You still have the same idea of private keys being tied to policies, but now, rather than, you know, either the policy allowing to decrypt everything or to get nothing, the policy can now specify an arbitrary function and with that private key you can learn that function of the plain text. So, just as an example of that, you might imagine you have different people having different levels of clearance and somebody, a sender can encrypt a document, marking each paragraph with a particular classification level and then, depending on a particular key that a recipient has, they would only be able to see the particular paragraphs of the plain text that they have the rights to be able to see.

Dave Bittner: [00:13:13:15] And are both of these in regular use, or are they still in the developmental stages?

Jonathan Katz: [00:13:17:23] So, they're still in the developmental stages, but, actually the schemes we have now for simple access policies are relatively efficient and I think there are some companies now trying to commercialize them. And I think these kind of schemes can be very useful in large organizations for exactly managing this kind of control to data. You can imagine having an encrypted operating system, for example, where every file is encrypted using activity-based encryption and then you give keys to particular users that allow them to decrypt only the files that they should have the rights to access. So I think we'll see, perhaps, some developed railroad use of these systems in the next five years or so.

Dave Bittner: [00:13:52:22] Interesting stuff. Jonathan Katz, thanks for joining us. And just a reminder that we'd like to hear from you if you have any questions for any of our academic or research partners. You can send those questions in to and we will pass them on and try to get them answered on the air.

Dave Bittner: [00:14:10:09] And that's the CyberWire. For links to all of today's stories, along with the interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible and especially to our sustaining sponsor Cylance. Find out more about how Cylance can protect you at Don't forget to follow us on Twitter and on Facebook. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.