The CyberWire Daily Podcast 2.6.17
Ep 280 | 2.6.17

Crime, not education. Slot machine scams. Ransomware updates. Fancy Bear in Norway? Russian treason charges. GCHQ say no to "witchcraft."


Dave Bittner: [00:00:03:15] Criminal markets offer ransomware-as-a-service under the guise of education. The UK's NHS and Licking County Ohio deal with separate ransomware accounts. The Slammer worm attempted a comeback after 14 years so patch those known vulnerabilities. Crooks scam slot machines, possibly by defeating their pseudo-random number generator. Norway tracks Fancy Bear. Russia says the FSB officers charged with treason gave info to the Americans, but not necessarily the CIA. And GCHQ says security companies are peddling "witchcraft."

Dave Bittner: [00:00:42:23] Time to take a moment to tell you about our sponsor, CyberSecJobs. If you're an information security professional seeking your next career or your first career, check out and find your future. CyberSecJobs is a veteran-owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resumé and search and apply for thousands of jobs, and it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages, designed to meet your needs. Here's one of the current hot jobs. WakeMed is looking for an information system security officer to help safeguard sensitive information. You'll find this and other great opportunities at That's And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:46:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, February 6th, 2017.

Dave Bittner: [00:01:56:24] We've been following the evolution of criminal markets for some time now. The black market has seen customer service portals, even reviews on the criminal equivalent of Yelp, In these cases, the bad actors make little pretense about being, well, bad. But that's not always the case. Some of the bad actors pose as legitimate or at least gray market services. Radware has discovered a new ransomware-as-a-service portal on the dark web. This one is called "Ranion" and it cloaks its crooked shame behind a fig leaf inscribed, "For educational purposes only." You'd be unwise to take it at face value. The portal looks much more like a standard straight-up black market money-making operation. You can subscribe for 0.95 Bitcoin annually. That's about $960, or if you're not quite as all-in as that you can get six months for just 0.6 Bitcoin, about $600. Presumably, if you act now. A word to the wise, there are a lot of legitimate security businesses that will teach you everything you need to know about ransomware without requiring you to dump hundreds of dollars into a dodgy dark web portal.

Dave Bittner: [00:03:07:11] Ransomware of course remains a threat with medical services and local governments particularly hard hit. Several national health trusts in the UK are still digging out from under their own infestations, and in the US a county in Ohio, Licking County, is also dealing with ransomware that's locked them out of a number of services, including police and emergency responder systems. So it's a threat not to be taken lightly. If you're interested in a model of how to plan for recovery, take a look at the St. Louis, Missouri library system. They were hit but they recovered swiftly and without paying the ransom, because they had a well-thought-out and well-executed backup system.

Dave Bittner: [00:03:46:05] Speaking of Missouri, the Show-Me state's Gaming Commission has concluded that a Russian national, a fugitive from the law of averages and unnaturally lucky at slots, finagled some of the one-armed bandits. The caper happened in June 2014 but remains puzzling. Whatever they did gave them an implausibly high win rate on the slots. The Lumiere Place Casino noticed payouts on its machines running far higher than could be reasonably expected. Indeed, Wired reports the casino hadn't seen the likes of it before.

Dave Bittner: [00:04:17:06] So security investigated and reviewed surveillance footage of the casino floor. The cameras showed a 30-something dark-haired guy playing exclusively older slot machines manufactured by Aristocrat Leisure of Australia. Most slot cheats physically compromise the victim machines. Not so this guy, since identified as one Murat Bliev, a Russian national employed allegedly by a St. Petersburg cyber criminal certificate. And note that this is St. Petersburg, Russia, not St. Petersburg, Florida. Shuffleboard players in the Sunshine State seem airgapped against hacking. At least for now.

Dave Bittner: [00:04:53:10] How the scam worked isn't yet fully understood but it may have gone something like this. Bliev would play, pushing buttons on games like 'Pelican Pete' or 'Star Drifter' while holding his smart phone unusually close to the screen. The first attempts were normal, but he'd return in half an hour or so, play the machine and win big, parlaying $20 or $60 into a reliable payout of $1,300. It appears that he was in touch with mathematicians in the home office who cracked the devices pseudo-random number generators.

Dave Bittner: [00:05:25:01] Bliev returned to Russia but incautiously returned stateside, where he linked up with three fellow scammers. The quartet were arrested last month, the first three copping a plea, the last one using his status as a religious refugee to provide US authorities with evidence.

Dave Bittner: [00:05:42:22] Those who've been in the industry for a while will recall the Slammer worm which enjoyed its heyday 14 years ago. According to Check Point, someone made a concerted attempt to revive Slammer at the end of 2016. We heard from Tripwire's senior director of security, Lamar Bailey, who takes the opportunity to remind everyone that zero-days may get all the press but your biggest threat probably comes through unpatched and known vulnerabilities. "Organizations spend millions on the latest, greatest security products, but fail to fundamentally secure their network by just upgrading and patching old vulnerabilities". Patching, he says, is like locking your door. Criminals may still get in but you haven't made it too easy for them.

Dave Bittner: [00:06:25:07] Norway's intelligence service continues to follow the tracks of Fancy Bear through Foreign and Defense Ministry email servers. Fancy Bear, of course, is widely believed to be Russia's GRU.

Dave Bittner: [00:06:36:16] Elsewhere in the Russian intelligence and security services, Russian sources say the former and current FSB officers charged with treason were leaking to America and not necessarily the CIA. That will strike many as a distinction without a difference since it's difficult, although not impossible, to imagine to whom else they might have been leaking. After all, it's unlikely to be the Small Business Administration, even under the leadership of World Wrestling Entertainment impresario, Linda McMahon.

Dave Bittner: [00:07:04:23] Finally the famously outspoken Ian Levy, technical director of the UK's National Cyber Security Center, has told the security industry to knock off the FUD. He says they're peddling "witchcraft" and not the good Hogwarts kind. There's no hint, however, that the NCSC is anticipating prosecution of threat researchers under the authority of the Witchcraft Act of 1735. So no worries, security industry. Our barristers have so far offered no legal opinion as to whether prosecution under the Fraudulent Medium Act of 1951 is similarly unlikely. Brexit makes action under the EU's Consumer Protection Regulations a stretch too. But we certainly wouldn't want to mess with Dr. Levy.

Dave Bittner: [00:07:54:19] Time for a message from our sponsor, E8 Security. You know, the old perimeter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network once they're in your networks. E8 Security's behavioral intelligence platform enables you to do just that. Its self-learning security analytics give you early warning when your critical resources are being targeted, whether it's credential misuse, unknown processes or malicious command and control traffic, the E8 Security platform automatically prioritizes alerts based on risk and lets your security team visualize the relationships among targets, explore divergent hypotheses and uncover hidden attack patterns. To detect, hunt and respond, you need a clear view of the real risks in your business environment and that's what E8 gives you. Visit and download the free White Paper to learn more. That's E8, transforming security operations. And we thank E8 for sponsoring our show.

Dave Bittner: [00:09:02:15] And I'm pleased to be joined once again by Markus Rauschecker. He's the cyber security program manager at the University of Maryland Center for Health and Homeland Security. Markus, I saw that a bipartisan group of lawmakers have reintroduced the Email Privacy Act which has to do with email and having to get warrants before searching emails. Take us through this. What going on here?

Markus Rauschecker: [00:09:27:12] This new Bill seeks to really close a gap in an existing law of the Electronic Communications Privacy Act, which was passed all the way back in the 1980s. It basically says that government does not need a warrant to search emails that are stored on an Internet service provider's or a provider's servers if that email is older than 180 days. Of course, nowadays, most of us store all of our emails in the cloud if we use a service like Google or Yahoo! We tend to just leave our emails up in the cloud, up with the email service provider and never download them onto our computer. This means that government can read all of those private emails, if they're older than 180 days, without actually needing a warrant.

Markus Rauschecker: [00:10:18:19] This is very concerning and the Bill that was introduced recently by lawmakers seeks to address that and basically asks that government does need to get a warrant before it can search through those emails even if they're stored with the email service provider.

Dave Bittner: [00:10:35:03] It seems remarkable to me. I mean, you're not allowed to come in my house and look through any of my papers that are older than six months old automatically. This notion that at six months my private emails just become available, that's news to me.

Markus Rauschecker: [00:10:53:04] It is concerning but it kind of makes sense when you think about how the existing law came about. The Electronic Communications Privacy Act was passed in the '80s and back then emails were handled very differently than it is today. Back in the '80s people would download emails that they would get sent to them, they would download those emails onto their computers and government certainly needed a warrant, and still needs a warrant, to search emails that are actually exclusively stored on one's computer. Of course, nowadays, people don't do that download anymore so this Electronic Communications Privacy Act is a perfect example of how laws can become greatly outdated based on our advances in technology. This is an issue that is finding bipartisan support because it just doesn't make any sense for government to have that authority to search private emails. No-one really wants that on either side of the aisle.

Dave Bittner: [00:11:54:13] Can you just touch on that notion that back in the '80s they considered that something left on the server that long was abandoned?

Markus Rauschecker: [00:12:00:19] Basically back in the '80s we expected users to download emails onto their computers when they received them. If users did not download emails onto their computers they were considered abandoned. It was considered that a user didn't have any interest in those emails if they weren't downloaded, therefore, the thought was that government really shouldn't be required to get a warrant to look at those abandoned emails.

Dave Bittner: [00:12:30:02] Kind of like they don't need a warrant to look through my trash because it's considered something that I've thrown away.

Markus Rauschecker: [00:12:35:03] Exactly.

Dave Bittner: [00:12:36:04] Interesting stuff. All right, Markus Rauschecker, thanks for joining us.

Dave Bittner: [00:12:42:21] And that's the CyberWire. We passed a significant milestone over the weekend and we want to thank all of you for being part of it. Sometime this past Saturday, in the wee early hours of the morning, we passed 1,000,000 downloads of our show. When we started our show just over a year ago, that seemed like a crazy far-off distant goal. So thanks to all of you for getting us there. We couldn't have done it without you, listening, sharing and helping to spread the word. So from all of us here at the CyberWire a heartfelt thanks.

Dave Bittner: [00:13:13:07] For links to all of today's stories along with interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. For more information about how they can protect you, visit

Dave Bittner: [00:13:29:15] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.