The CyberWire Daily Podcast 1.17.17
Ep 266 | 1.17.17

Election influence and election security. Threats to power grids. Ransomware and phishing updates. Loyalty program risks.


Dave Bittner: [00:00:03:03] Hacks of Ukraine's power grid are seen as a wake-up call for utilities (the squirrel threat notwithstanding). Various nations work to shore up their defenses against Russian government hacking and influence operations. Russia protests its innocence, but there are some reliable reports of Fancy Bear sightings in Norway. Cyber criminals are back, except for those behind Locky ransomware, who seem to still be on holiday break. New approaches to ransomware and phishing. And a loyalty program at the Golden Arches may be proving problematic.

Dave Bittner: [00:00:38:13] Time for a message from our sponsor, E8 Security. We're talking about putting your data together with E8's analytics for security that can handle the unknown unknowns. Consider what might warn you to malware on your system. Listening to running programs on a rare or never seen before open port is one of them. It's easy to say that, but could you say what counted as rare or never seen before? Or would that information jump out at you as you reviewed logs? If you had time to review your logs and by the time the logs reached you, the news would be old. But E8's analytical tools recognize and flag that threat at once, enabling you to detect, hunt and respond. Get the white paper at and get started. That's E8 Security, your trusted partner. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:36:06] Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:39:15] I'm Dave Bittner, in Baltimore with your CyberWire summary for Tuesday, January 17th, 2017.

Dave Bittner: [00:01:46:16] Last month's takedown of portions of Ukraine's power grid remains spooky, prompting a number of "It could happen here" stories as observers fear that the hack was a dress rehearsal for an attack with widespread consequences. Contrarian observers make the sound point that squirrels have caused thousands of blackouts, while hackers seem responsible for about two. There's surely some breathless fear, uncertainty, and dread around, but it's worth noting that botnet-driven distributed denial-of-service with widespread effect was also seen by some as FUD until Mirai hit last September and October.

Dave Bittner: [00:02:21:08] Russian authorities continue their pious denials of hacking in the service of espionage and influence, but few other governments take such protestations of good global citizenship with the seriousness the Russians would wish. France and Estonia in particular are working to shore up defenses. France is particularly concerned about its May 2017 elections. Guillaume Poupard, Director of the French security agency ANSSI, is quoted by France 24 as saying "We’re clearly not up against people who are throwing punches just to see what happens. There’s a real strategy that includes cyber, interference and leaked information." Commenting on French preparations and concerns, Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told the CyberWire that he thought hardening election systems against attack was clearly a good idea, but he thinks it unlikely that cyber threat actors could change an election's results in a highly developed country like France.

Kolochenko said, "they can cause minor disruptions, however, saying that hackers can fraudulently elect a new president, is like saying that gangs in a Paris suburb can defeat the French army." He added that influence operations, however, are highly probable.

Dave Bittner: [00:03:34:04] Estonia has long been concerned, with good reason, about the neighborhood in which it lives, especially since its victimization in the 2007 cyber riots. The US is still mulling its own responses during this final week of Presidential transition.

Dave Bittner: [00:03:49:14] There have also been reliable sightings of Fancy Bear snuffling and pawing through Norwegian military and foreign ministry targets. Security services throughout NATO are looking to their bear traps.

Dave Bittner: [00:04:01:17] Other threat actors, prominently including criminals, have also stirred to new activity. Palo Alto has identified and is following a second wave of Shamoon attacks. Intel Security notices that some apps available on Google Play are stealing Turkish users' Instagram credentials and collecting them in a remote server.

Dave Bittner: [00:04:21:00] At least three unnamed Indian banks are reported to have sustained attacks on their SWIFT transfer systems. The Reserve Bank of India has been notified and is advising that banks take steps to mitigate the threat. Early reports indicate that no financial losses have been sustained, but the investigation remains in progress.

Dave Bittner: [00:04:40:04] The attackers who hit MongoDB last week have apparently turned their attention to ElasticSearch servers, more than 2500 of which have been infected with ransomware. This round of attacks suggests that ransomware operators are honing their techniques and adapting to newly perceived opportunities. The CyberWire heard from Terry Ray, Imperva's chief product strategist about this latest round of attacks. He shakes his head (metaphorically speaking) at the way enterprises continue to fail at privilege management. “There is no reason why a company with even a basic data security strategy should allow an administrator to access, much less delete all information from a database without some level of over-site or workflow controls," Ray said. He also finds it noteworthy that the criminals behind these attacks seem to think there's more money to be made through extortion, than there would be for sale of the data on the dark web's black markets.

Dave Bittner: [00:05:34:09] There is some quiet, however, on the ransomware front, Locky seems to have gone on an extended holiday. It would be premature, however, to say good-bye to this particular ransomware strain. Perhaps Locky's masters simply wanted to spend more time with their family, and will return soon enough.

Dave Bittner: [00:05:51:14] A sophisticated Gmail phishing campaign is in progress. The attackers work to compromise a Gmail account, thresh through emails until they find one with an attachment they can use in a screenshot to bait their hook, and then reel in even some security savvy marks.

Dave Bittner: [00:06:07:00] We've heard from a number of experts on this issue. In general, they see automation as security's friend. Jeff Hill, Director of Product Management at Prevalent thinks that our reliance on email, the sheer volume of that email, and what he calls "the frenetic pace of life" have combined to produce an attacker-friendly environment. He thinks relying on intrusion prevention is equivalent to sticking your head in the sand, and that the right approach is to recognize intrusion quickly and contain it, before it can access sensitive information.

Dave Bittner: [00:06:36:17] Lastline's Bert Rankin reminds us that phishing hooks the well-meaning and responsible as easily as it does the malicious and negligent. Education and awareness campaigns alone won't do it, he says. "It is an imperative that IT put filtering mechanisms in place that use technology, not people, to sort, test and eliminate such malicious emails before they even have a chance to test the eyes of the employees."

Dave Bittner: [00:07:01:15] And Balázs Scheidler, Co-founder and CTO of Balabit, sees this latest campaign as another instance of the way phishing techniques are improving, to the point where even the knowledgeable and security-aware find themselves ensnared. He sees behavioral analytics as the solution. "The actual user's behavior is the one thing that helps security professionals discover misused accounts, by automatically spotting behavioral differences an intruder and a legitimate user's baseline."

Dave Bittner: [00:07:30:23] And finally, do you want fries with that? You might, but you probably aren't willing to trade your McDonald's website credentials for a Happy Meal (unless, you know, the toy was a really good one). It seems there are some vulnerabilities over at McDonalds. VASCO Data Security thinks, again, that this is a case in which multifactor authentication and end-to-end client/server encryption should become standard practice. VASCO's John Gunn sees a larger lesson. "This distasteful Big Mac Attack underscores the risks of loyalty programs," he says (and, by the way, he's saying that the attack is distasteful, not the Big Mac, which remains as toothsome as ever). "Because large dollar transactions aren’t involved in loyalty programs, both consumers and companies take a far too casual approach to security. For the 50% of victims that use the same username and password for every account, hackers just gained login credentials for their bank accounts and that will spoil anyone’s happy meal." Food for thought, Mr. Gunn. But no one's asking the important questions, Is the Hamburglar back, and hacking? And what did Mayor McCheese know, and when did he know it? Rubble, rubble.

Dave Bittner: [00:08:47:14] Time for a message from our sponsor Netsparker. You know web applications can have a lot of vulnerabilities, of course you do, you're a regular listener to this podcast. And of course, every enterprise wants to protect its website, but if you have a security team, you know how easy it is for them to waste time calling out false positives. You need to check out Netsparker. Their technology not only finds vulnerabilities in web applications, but it automatically exploits them too and even presents a proof of exploit. Netsparker cloud scales easily. You can use it to automatically scan thousands of websites in just a few hours. Learn more at but don't take their word for it. Go to for a 30 day fully functional trial of Netsparker desktop or cloud. Scan your websites for a month, no strings attached. That's Netsparker/com/CyberWire and we thank Netsparker for sponsoring our show.

Dave Bittner: [00:09:48:18] Joining me once again is Dale Drew, he's the Chief Security Officer at Level 3 Communications. Dale, you sent me a subject that you wanted to talk about today, it's BGP Flowspec. Now this to me sounds like something that I would hear a plumber's convention. But evidently it has something to do with DDoS attacks. So help us out here, what does it mean?

Dale Drew: [00:10:07:00] I mean, yeah, welcome to the world of the internet, where we make everything as compact--

Dave Bittner: [00:10:10:11] [LAUGHS] A three letter acronym, right?

Dale Drew: [00:10:11:12] Exactly, as complex as we possibly can. We're actually very, very sort of proud of this implementation. So Flowspec... so BGP is sort of the heart of the internet. It's the thing that tells the network how to route packets across its fabric and tells other network providers what networks is allowed to come to it and it's allowed to send to it. So it really is sort of the flow, you know, the blood flow of the internet itself. And we like to think of it as the heartbeat.

Dave Bittner: [00:10:43:23] Uh, huh.

Dale Drew: [00:10:44:07] From a Flowspec perspective, what this allows us to do is, this allows us to push essentially firewall rules to the internet via BGP. It allows us to be able to say, if there's a bad guy coming in from a particular network, we can now have automation that identifies that bad guy, sees where that bad guy is coming from and automatically pushes out the ability to prevent that bad guy from putting bad packets on the internet. At least our internet. And so what we're talking about with other internet providers is this concept or this idea that we could be sharing this data across the entire backbone ecosystem. So imagine a situation where backbone providers now have access to enriched IP reputational data that tells it who the bad guys are, what sort of attacks they're originating in. Which ones are super serious backbone impacting events versus sort of the normal every day, you know, scanning and turning.

Dale Drew: [00:11:49:12] And now backbone providers can take proactive steps as a collective entity to be able to stop bad guys in their tracks across the entire backbone ecosystem. So it's something that we used to protect our backbone, something that we use to protect our customers. It's very, very adaptable and it uses a lot of the existing ecosystem to do it. So this works on 20 year old routers as well as one day year old routers. But it's something that we can also communicate out to the rest of the ecosystem. And so we think it's gonna be a major step function in identifying and stopping bad guys globally.

Dave Bittner: [00:12:26:20] Is there any resistance to it? Is there any overhead that goes along with it, that might be an issue for anyone?

Dale Drew: [00:12:33:10] Yeah, I think the devil's in the details, right? I mean it's this idea of what's the temperature setting or the barometer setting for a particular ISP that they're willing to block versus another one. You know, one provider might be a little bit more aggressive in stopping threats more proactively. And other providers may wanna be a little bit more cautious and only do those events that could be potentially backbone, directly backbone impairing or currently backbone impairing. And so we're having a lot of discussion about how we directly associate the weight of the reputation to the data feeds that we're sending so that this enriched data could be used across all those sort of spectrums of temperament. And you know, the whole goal is that once you feel comfortable with it and once it starts to work, we can then, as an ecosystem, have a really good communication channel to be able to focus that for more specific threats.

Dave Bittner: [00:13:27:19] Alright, Dale Drew. That's for joining us.

Dave Bittner: [00:13:32:22] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors, who make the CyberWire possible, especially our sustaining sponsor, Cylance. Learn more about how Cylance prevents cyberattacks at If you enjoy our show and find it a valuable part of your day, we hope you'll take a few minutes and write us a review on iTunes. It's one of the best ways you can help spread the word about our show. It may even save you from buying yourself a midlife-crisis BMW!

Dave Bittner: [00:14:04:07] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.