The CyberWire Daily Podcast 1.12.17
Ep 264 | 1.12.17

Grid hacks and influence operations. Propaganda sauce spread liberally over geese and ganders. Peace sign hacks? Hamas catphishes the IDF.


Dave Bittner: [00:00:03:22] A brother and sister are arrested for an EyePyramid spyware crime spree that may have been in progress since 2010. Ukraine confirms that Kiev's power grid was hacked last month and the Ukrainian government tries to tide over some influence operations of its own. Policy wonks talk information operations and some realize such ops aren't new. The peace sign hack joins the Gummibear hack as a challenge to biometric authentication and Hamas goes catphishing.

Dave Bittner: [00:00:37:07] Time to take a moment to tell you about our sponsor CyberSecJobs. If you're an information security professional seeking your next career or your first career, you need to check out and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resume and search and apply for thousands of jobs, and it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. To learn more visit That's And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:31:19] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, January 12th, 2017.

Dave Bittner: [00:01:41:05] Two Italian citizens, a brother and a sister, Giulio Occhionero and Francesca Maria Occhionero, both on the downhill side of 45 and therefore old enough to know better, have been arrested for hacking high-profile Italian figures and at least one high-profile Cardinal in the Vatican. An international operation reeled them in. Giulio was born in Italy and Francesca in the United States. Both were "residing" in London but "domiciled" in Rome. Italian police made the collar. The siblings face trial in Italy and the FBI seized the "dropbox" servers to which the pair are alleged to have deposited stolen data. That "alleged" reminds us that this is a good point to offer the routine disclaimer that, of course, persons accused of a crime are entitled to a presumption of innocence, at least on this side of the Atlantic. Their lawyers, at any rate, say the Occhioneros didn't do it. Sure, Giulio owned some of those American servers, but the lawyers point out, that's just because he does business in the US.

Dave Bittner: [00:02:42:06] The incident draws attention to the malware used in the caper. A security researcher tipped off police when he received an email purporting to be from a lawyer that contained malware. Trend Micro has been taking a look at the spyware. It's being called "EyePyramid" and they say it’s a data exfiltration tool delivered as the payload of a malicious email attachment. In the case under investigation, EyePyramid is said to have been used to siphon off more than 87 gigabytes of data, which Trend Micro says includes usernames, passwords, browsing data, and filesystem content.

Dave Bittner: [00:03:16:03] Whether the Occhioneros prove innocent or not, it looks as if the spyware campaign they stand accused of running had been in progress since 2010. Those behind the crime appear to have been interested principally in political and financial information about Italian political figures, and also in similar information about some bankers and Vatican officials. The hackers' motives in all of this are unclear. They could be political, but Italian police think they were financial. How the information might have been monetized isn't discussed in early reports.

Dave Bittner: [00:03:47:22] According to the BBC, Ukrainian officials have confirmed that this past December's power outages in the vicinity of that country's capital were caused by a cyberattack. Investigators see the same actors behind the 2016 blackout in Kiev that they saw behind the 2015 blackout in Ivano-Frankivsk, which means, of course, that they're seeing Russians. Investigators also suggest, as they did in the aftermath of the 2015 hacks, that this incident could be a dress rehearsal for something much bigger.

Dave Bittner: [00:04:18:07] The Ukrainian government, Politico reports, is also quietly trying to mend fences with the incoming US Administration after evidently having conducted some quiet, minor influence operations of its own on behalf of the President-elect's opponent. Those appear to have been conducted relatively casually, and without the high-level attention and direction the US Intelligence Community perceives in Fancy Bear's prance through the Democratic National Committee. Minor and quiet as they may have been, the alleged operations are instructive. Influence operations are nothing new. Foreign policy and security intellectual types are busily reviewing other cases of propaganda, disinformation, forgery, provocation, and the like. Many consumers of old and new media are receiving these unsurprising stories as surprises.

Dave Bittner: [00:05:08:07] By the way, President-elect Trump has also said he now thinks the Russians hacked the DNC. He's still mad about Buzzfeed's stories of compromise.

Dave Bittner: [00:05:18:07] So, be prepared for what incidents might come your way. If you're planning to be around Norfolk, Virginia, the first week in February, and if you think you might be hungry, say noonish, take a look at our event sponsor Rsam's lunch-and-learn session on security incident response. SANS instructor Alissa Torres and Rsam CISO Bryan Timmerman will feed your mind, as lunch feeds your body. See the Event Tracker at for information.

Dave Bittner: [00:05:43:15] Biometric technology has for some time been a leading light in efforts to replace passwords for authentication. But that light may be something of a will o' the wisp. You may recall the Gummibear hack, in which the mark's fingerprints are stolen when the mark handles a toothsome, but sticky piece of candy, then for some reason, puts it back. This always struck us as a bit of a garbage hack. Entertaining, sure, but more parlor trick than serious risk.

Dave Bittner: [00:06:09:14] Researchers at Japan's National Institute for Informatics, however, may be on to something more disturbing. The peace sign hack. A digital image from a mark's incautious selfie perhaps, is used to copy the mark's fingerprints. It's a lot quicker and a lot less sticky. It's been shown in the past that the eye's iris can be matched from a photo, so the peace sign hack may bear watching.

Dave Bittner: [00:06:33:21] In industry news, Arxan Technologies has bought security shop Apperian, and cyber startup Infocyte gets a $3.4 million Series A funding round.

Dave Bittner: [00:06:44:17] Finally, Hamas is reported to be using catphish as honeytraps to install spyware on Israeli soldiers' smartphones. The winsome catphish promised video chats with predictably lovelorn troops. Alas, soldiers, you're gonna get malware with that chat, and maybe not much chat, either. The IDF thinks the damage was minimal, but with the troops, one never knows. We once heard a general of US Marines lament the misguided initiative of a lance corporal who thought it a good idea to recharge his Samsung Galaxy by plugging it into SIPRNet. So to all you sergeants and company grade officers out there, in the IDF and indeed in every army in the world, if you want to keep them out of trouble, keep them busy. You may remember the movie 'Stripes' where Ox, one of our favorite characters, found himself having to explain just what happened when the men found themselves out for a little extracurricular activity.

Ox: [00:07:40:23] Well, sir we were, we were going to a bingo parlor at the YMCA. Well, one thing led to another and the instructions got all fouled up there and we ended up... just shut up. Okay, sir.

Dave Bittner: [00:08:02:16] Time for a message from our sponsor Netsparker. Are you still scanning with labor intensive tools that generate more false positives than real alerts? Let Netsparker show you how you can save time, save money and improve security with their automated solution. How many sites do you visit and therefore scan that are password protected? With most other security products you've got to record a log in macro, but not with Netsparker. Just specify the user name, the password and the URL of the log in page and the scanner will figure out everything else. Visit to learn more. And if you'd like to try it for yourself, you can do that too. Go to for a free thirty day fully functional trial of Netsparker Desktop. Scan your websites and let Netsparker show you how easy it can be. That's And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:09:00:19] And I'm joined once again by Israel Mirsky. He's a Research Project Manager at the Ben-Gurion University Cybersecurity Labs. You've got some interesting research that involves the use of some exploit and vulnerability databases?

Israel Mirsky: [00:09:15:02] That's right. So a vulnerability database is a platform used to collect, maintain and disseminate information about discovered vulnerabilities and there are many different kinds of vulnerability databases available to the public, such as the NVD National Vulnerability Database maintained by NIST, the National Institute of Standards and Technology. So, different from all these other common vulnerability databases is a database called the Exploit DB, which is maintained by Offensive Security and they collect actual malware code within the high level languages such as in C or in Java. This is different from other databases or dumps of malware which are obtainable, which are the actual raw machine code with a compiled code. So here you have little excerpts of the malware code written in the original language. Typically, you can use this code to kind of run it and see if you can find holes in your system and pen testing what's referred to as white hat hacking. But we thought, why don't we use this high level code and exploit database to assist us in detecting or discovering new malware trends?

Israel Mirsky: [00:10:23:23] So, as opposed to again, the pre-compiled code you find in other databases, the high level code contains all sorts of different semantics that help you better capture the intent or the objective of the malware author. So I'll give you an example. So, if you look at some sort of code that performs a buffer overflow. In the machine code, you can track where the pointers are heading and what the malware's trying to accomplish. But, looking at the high level code, you can see what the names of the variables are and what libraries are perhaps being used. And just the fact that the malware author called his variable buffer, may indicate some sort of usage of this code. And again, of course, you know, once it's compiled this information is lost, because the compiler doesn't need that for any reason.

Israel Mirsky: [00:11:10:24] So, what we did is we extracted a dataset from Exploit DB's C code samples and we built a whole dataset based on these kinds of semantic features and we used the self-organizing map, which is kind of like a neural network for clustering, to try and discover different kinds of patterns and trends of malware over the last few years, because in the exploited database we know when the malware was published, we know what kind of malware it is because it's all been labeled and then we try and get an understanding of sort of kind of different trends. When different malwares were more popular, what perhaps is their next up and coming malware and so on and so forth. So, that's the kind of ongoing research that we're very interested in. Trying to see how we can exploit database to try and not just see trends, but also help us build better predictors to detect different malwares that may come out in the future.

Dave Bittner: [00:12:04:22] Israel Mirsky, thanks for joining us.

Dave Bittner: [00:12:09:00] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. Find out more about how Cylance can protect you at Don't forget to follow us on Twitter and on Facebook. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.