The CyberWire Daily Podcast 1.19.17
Ep 268 | 1.19.17

France braces for election hacking. Ukrainian utility says December blackouts were hacker-induced. Finding "Fruitfly." Tracking Mirai's master.


Dave Bittner: [00:00:03:13] France prepares for election hacking. Ukrenergo acknowledges its electrical service was hacked. Malwarebytes reports on Fruitfly, malware swarming about biomedical research facilities. Krebs believes he's found the author of Mirai. Anonymous says it's going to dox US President-elect Trump. And the RSA Conference announces the finalists in the Innovation Sandbox.

Dave Bittner: [00:00:31:20] Time for a message from our sponsor E8 Security. You know, the old perimeter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network once they're in your networks. E8 Security's behavioral intelligence platform enables you to do just that. Its self learning security analytics give you early warning when your critical resources are being targeted, whether it's credential misuse, unknown processes or malicious command and control traffic, the E8 Security platform automatically prioritizes alerts based on risk and lets your security team visualize the relationship among targets, explore diverging hypotheses and uncover hidden attack patterns. To detect, hunt and respond you need a clear view of the real risks in your business environment. That's what E8 gives you. Visit and download the white paper to learn more. That's E8, transforming security operations. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:43:24] Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:48:04] I'm Dave Bittner, in Baltimore with your CyberWire summary for Thursday, January 19th, 2017.

Dave Bittner: [00:01:54:23] France continues to prepare for election hacking. ANSSI, the country's National Information System Security Agency, has warned political parties and others to expect attempts on their networks. So far one political movement, "En Marche", led by former socialist Emmanuel Macron, now running as an independent, has acknowledged being hacked; the major parties so far have nothing to report.

Dave Bittner: [00:02:19:05] ANSSI's responsibilities include securing the vote at the polling places and as the electorate's choices are transmitted through regional prefectures to the Ministry of the Interior for their final, official tally. The leading suspect against which ANSSI and the Ministry of Defense are warning would be, of course, Russia.

Dave Bittner: [00:02:37:21] Farther east, Ukrenergo, the electrical utility that supplies Kiev, confirmed to Reuters that last month's power outages were indeed the result of a cyberattack. The utility found that workstations and SCADA systems connected to the major "North" substation came under external influence. Ukrenergo declined to attribute the attack to any particular actor, speculation, again of course, has pointed to Russia, but it did say, "The analysis of the impact of symptoms on the initial data of these systems indicates a premeditated and multi-level invasion."

Dave Bittner: [00:03:14:05] Security of industrial control systems remains a matter of much concern. We spoke with Nir Giller of CyberX, who believes that a false sense of security still surrounds industrial control systems.

Nir Giller: [00:03:20:24] People might have the perception of security by obscurity. And this comes into play when people think about serial interfaces or technology which is proprietary. And people tend to think that because no one has the inner workings or the documentation of the actual software, hardware, it might mean that the attacker cannot attack these devices. And that's security by obscurity. It has never been proven to be successful. Obscurity is something that, with enough resources, you can always bypass and figure out what you need to figure out as an attacker and get your way. So I think that this is something that needs to be very well understood within industrial environments because it seems that there are a lot of proprietary technologies although, as time passes by more and more people relate to the concept that attackers can attack proprietary protocols and systems. We see examples more and more frequently and so I believe that in order to actually protect industrial environment, the ultimate answer is that you need detection. You need a solution which is capable, very efficiently and very wisely, to the detection within the industrial environment and you need to do so continuously.

Nir Giller: [00:05:05:05] Because if you have a firewall that's separating between the IT and the OT environment, it doesn't mean that you won't get attacked. There is a very good probability that the firewall will be bypassed. You as an asset owner of the industrial environment, the OT environment, you need to remember that cybersecurity is all about risks. And you need to have the right system put in and the right methodology to make sure that you are continuously protected because you will get attacked whether it's highly targeted or a simple attack but the network will be attacked. And you need the tools in place to make sure that you have detection and once an attack will be detected, you will be able to take the right actions in order to mitigate the incident.

Dave Bittner: [00:06:08:21] That's Nir Giller from CyberX.

Dave Bittner: [00:06:13:03] Security researchers at the firm Malwarebytes report finding malicious code used in targeted attacks against biomedical research centers. The malware affects primarily MacOS, but Linux systems are also thought vulnerable. Apple is calling the code "Fruitfly." It's multifunctional: it takes screen captures, accesses webcams, and enables attackers to take remote control of an endpoint. Sophisticated yet with an oddly retro approach to persistence, Fruitfly is thought to have circulated undetected for several years. Malwarebytes speculates that its highly targeted character helped it evade notice.

Dave Bittner: [00:06:50:10] KrebsOnSecurity investigates Anna-Senpai, as Mirai's creator has come to be known, tracking her or him or them through Minecraft and Rutgers. Krebs names names, and if we follow him we can safely call Anna-Snepai "him." Krebs notes that Mirai, the botnet-herding malware that took down his site and other services (most famously OVH in France and Dyn in the United States) last autumn, had ancestors. Its forebears went by "Bashlite," "Gafgyt", "Qbot", "Remaiten", and "Torlus." In 2014 hoods calling themselves "lelddos" amused themselves by taking down Minecraft servers using variants of this ancestor code.

Dave Bittner: [00:07:34:01] The takedowns weren't pure vandalism. Rather, they appear to have been gambits in the highly competitive Minecraft DDoS protection industry. A California security firm, ProxyPipe, which specializes in protecting Minecraft servers, came under effective, 300 gigabyte per second distributed denial-of-service attack in June of 2014. ProxyPipe believed that it was being harassed by competitors, very small, one or a-few-person outfits run by teenagers. The report is worth reading in full at .

Dave Bittner: [00:08:05:18] As the US prepares to inaugurate President-elect Trump tomorrow, the anarcho-hacktivist collective resurfaces to tell Mr. Trump that he "will regret" the next four years. The threat appears to amount to a promise that they'll dox the new President vigorously, something Anonymous began saying at roughly the time Trump announced his candidacy.

Dave Bittner: [00:08:26:15] As you would expect, the CyberWire will be providing special coverage of this year's RSA Conference in San Francisco. The meetings run from 13th to 17th of February, and that's less than a month away, so it's time to start anticipating. The conference has announced the finalists in its Innovation Sandbox. There's a complete listing of all of the finalists on our website and today's daily briefing. Congratulations and good luck to them all. We look forward to seeing them in the sandbox.

Dave Bittner: [00:08:58:11] Time for a message from our sponsor Netsparker. Are you still scanning with labor intensive tools that generate more false positives than real alerts? Let Netsparker show you how you can save time, save money and improve security with their automated solution. How many sites do you visit and therefore scan that are password protected? With most other security products you've got to record a log in macro, but not with Netsparker. Just specify the username, the password, and the url of the login page and the scanner will figure out everything else. Visit to learn more. And if you'd like to try it for yourself, you can do that too. Go to for a free 30 day fully functional trial of Netsparker desktop. Scan your websites and let Netsparker show you how easy it can be. That's And we thank Netsparker for sponsoring or show.

Dave Bittner: [00:09:56:13] Joining me once again in Ben Yelin, he's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, saw an interesting article come by in the Columbia Journalism Review. There's a Journalist named Ed Ou and he had some trouble at the United States border. He is a Canadian citizen and on his way over the border into the United States, a place he's been many times, he had a pretty significant search. Give us some of the details of this.

Ben Yelin: [00:10:23:18] Sure, so Ed Ou was trying to cover the North Dakota protest, the protest over that pipeline that's going through native American territory. So he was trying to board a flight in Vancouver and when he was going through customs, without any sort of individualized suspicion, the customs agents interrogated him for six hours, looked through his materials. Required him to open his electronic devices even though they had been encrypted. Even though this sort of rings alarm bells for all of us, this seems very unjust, it is constitutional, the border sort of has a special quality to it from a constitutional perspective. The Supreme Court has held that there is an exception to the warrant requirement under the Fourth Amendment search and seizure requirement for special needs searches.

Dave Bittner: [00:11:12:20] Help me understand that, Ben, because it seems to me that Mr Ou is a Canadian citizen but it seems to me that as a citizen of the United States, if I come to the border of our country and I have a valid passport, it would strike me that the moment that that passport is accepted and that border agent verifies that I am a United States citizen, that my constitutional rights should kick into place. But that's not the case?

Ben Yelin: [00:11:34:18] Yeah, so the Supreme Court has held otherwise. They basically determine that even though in some cases where normally a warrant would be required, normally the Fourth Amendment rights would be invoked, for some sort of public policy reason, the government should be able to conduct warrantless searches. It's really an exception to the general rule but it's something that's very established in Supreme Court jurisprudence. So the best example of this are sobriety checkpoints. When you're driving and you get pulled over at a sobriety checkpoint, there's no individualized suspicion that you yourself have been drinking and driving, they're checking everyone. But the Supreme Court has allowed that because there's a compelling public policy interest in freeing the roads from drunk drivers. That's a public policy interest that we've carved out from Fourth Amendment jurisprudence. So again, this is something that's constitutionally troubling, at least to me, but it is very well established in constitutional jurisprudence.

Dave Bittner: [00:12:33:17] So where does it stand in terms of being a US citizen? If I'm at the border and I'm coming back into the United States from a vacation in Canada or Mexico or Europe or wherever and I have my laptop and my phone and the border agent says to me, "We wanna take a look at your electronic devices" what should my response be?

Ben Yelin: [00:12:50:04] Well, your response should be citing a case called United States V. Cotterman and this was the case that was decided in the Ninth Circuit, Court of Appeals. Generally a court that's very favorable to civil liberties challenges. And they held that the United States border police or law enforcement at the border cannot examine your electronic storage devices without a reason for suspicion. And this is a holding that has weakened the general border search exception to the Fourth Amendment that we've discussed. The reasonable suspicion is a standard that's used in order areas of law enforcement. I think it's somewhat short of probably cause that somebody's committing a crime. But you still have to have a reason to suspect that there's something untoward on this electronic device. So this decision has been appealed to the United States Supreme Court, so far the Supreme Court has not taken up the case. This opinion is controlling law, so if you're at the border and you don't wanna reveal your electronic information to a forensic examination, cite United States V. Cotterman. You might get some confused looks from your border agents but you would have good legal recourse.

Dave Bittner: [00:14:02:13] Alright, Ben Yelin, good information as always. Thanks for joining us.

Dave Bittner: [00:14:07:24] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially our sustaining sponsor, Cylance. For more information about how Cylance can protect you, visit

Dave Bittner: [00:14:19:15] Today we mark the first anniversary of our podcast's formal launch, this day in 2016. Since then we've produced 294 podcasts. Thanks for listening, and helping us become one of the world's leading security dailies.

Dave Bittner: [00:14:34:07] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.