The CyberWire Daily Podcast 2.16.17
Ep 288 | 2.16.17

Ukraine accused Russia of renewed hacking by BlackEnergy actors. ASLR bypass proof-of-concept reported.  Notes from RSA, and an update on Android gunnery malware.


Dave Bittner: [00:00:03:23] Fresh accusations of Russian government hacking from Ukraine. Threat actors adapt. ASLR bypass exploit is demonstrated. Yahoo!'s acquisition by Verizon appears likely to be deeply discounted. From RSA, notes on coming industry consolidation. An update on the Popr-D3 Android malware. And how they name the bears.

Dave Bittner: [00:00:32:06] Time for a word from one of our sponsors, E8 Security. I have to ask you that question: do you fear the unknown? Lots of people do, of course: Damien, The Predator, stuff like that. But we're not talking about those. We're talking about real threats. Unknown unknowns lurking in your networks. The people at E8 have a white paper on hunting the unknowns with machine learning and big data analytics, that go beyond the old school Legacy signature matching and human watch standing. Go to and download their free white paper: Detect, Hunt, Respond. It describes a fresh approach to the old problem of recognizing and containing a threat no one has ever seen before. The known unknowns, like Ghostface and Pinhead, they're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them. Grab that free white paper: And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:37:24] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in San Francisco with your CyberWire Summary for Thursday, February 16th, 2017.

Dave Bittner: [00:01:49:00] Ukraine yesterday accused Russia of conducting new cyber attacks on Ukrainian infrastructure. Oleksandr Tkachuk, chief of staff of Ukraine's security service, said at a press conference that Russian intelligence services were orchestrating a campaign that enlisted the aid of both security firms and criminal hackers to attack Ukraine's energy and financial sector. He claimed the intelligence Ukraine had developed suggested that the threat actors were those responsible for the BlackEnergy malware implicated in earlier attacks on his country's power grid.

Dave Bittner: [00:02:24:15] CrowdStrike CTO Dmitri Alperovitch has been describing how threat actors (again, principally Russian ones) have adapted their tactics since last year's influence operations directed against US elections. Alperovitch sees a trend: hackers are likelier than before to release compromising information taken from their targets, and they're showing a new readiness to alter that information before disseminating it.

Dave Bittner: [00:02:51:10] Researchers at VU have published a method of bypassing the Address Space Layout Randomization protections - that's ASLR - that's in major browsers and operating systems. Should this exploitation method be confirmed, it would have serious general implications for security. We'll be following developments as they become available.

Dave Bittner: [00:03:13:02] In industry news, Yahoo! May be reducing the asking price in its planned acquisition by Verizon. Reports suggest Yahoo! May now be willing to accept more than $300 million less than initially planned. The reduction is seen as having been a result of the very large breaches Yahoo! disclosed last year.

Dave Bittner: [00:03:33:04] Western security intelligences and diplomatic services - especially in the US - are making a renewed, concerted attempt to counter ISIS messaging.

Dave Bittner: [00:03:43:08] RSA, now in its penultimate day, continues its exploration of security industry themes. The prospect of consolidation, with its attendant concerns and perceived opportunities, is much in the air this year.

Dave Bittner: [00:03:56:11] That was indeed the topic of a keynote yesterday by Palo Alto Networks CEO Mark McLaughlin. He called it, "the coming disruption," and he predicted that industry consolidation would emerge from improved security as a natural outcome. Alluding to the common complaint that enterprise security teams struggle with too many unintegrated point solutions, McLaughlin predicted that, quote, "The measure of the industry's success would be instead of people saying, I have 20, 30, 40 vendors, and I have to figure out how to handle that, they'll say, I have 400 vendors, and I'm good with that." End quote. He argued that this happy state would come about as vendors developed, quote, "Better ways of consuming their value proposition." End quote. And that better way would consist of turning the product on. He foresees the security industry being transformed by increased cooperation, especially in threat intelligence, and that this transformation would come about when people realize that everyone doesn't have to be the platform.

Dave Bittner: [00:04:57:12] It's fun to wander the aisles of the RSA conference, and try to get a sense for what the overarching themes might be this year. James Lyne is Global Head of Security Research for Sophos, and we caught up with him on the show floor.

James Lyne: [00:05:11:11] There's a lot of focus here on the tactical but important issues: ransomware. People have realized it's a big issue for companies. So, of course, it's showcased here. There's a lot of focus as well on machine learning, adaptive learning, and the use of data science in driving better security. That's been a really exciting area that we've embraced over, over the past couple of years and it's undoubtedly one of the big hot topics here. And I think that probably will be one of the big hot topics over the next couple of years as well, because it can be applied to so many different areas of security, so many different types of user policy or detection at each of the layers. I think we're really only at the beginning of the journey in application of that to security. I just, I would say to, to anyone listening, don't rest on your laurels as to the approach to security that has to be taken. We're in a fascinating time where there's a lot of disruptive approaches, a lot of interesting new tactics for dealing with old threats and new alike. Challenge your vendors with how they're solving problems more innovatively, and make sure that your implementation is as simple as possible. Complexity is ultimately the greatest enemy of security. Make your life easier: focus on the high value problems.

Dave Bittner: [00:06:35:15] That's James Lyne from Sophos. We'll have more reports on the conference tomorrow and early next week, but we did want to close by adding some clarification to a story that attracted much attention earlier this year: CrowdStrike's report that the Russian Army was using Android malware to target Ukrainian artillery units operating in the Donbas. We were able to catch up with CrowdStrike and discuss their research. We confirmed that the compromised app in question, Popr-D30, is in fact a technical fire direction application: a gunnery program that computed the technical solution to be applied to the guns themselves, enabling them to deliver indirect fire against the targets they've been ordered to engage. It was developed to replace the older, slower, more cumbersome manual computations done with charts and slide rules. The malware did not, as had been widely reported (although not by CrowdStrike), extract GPS data from the devices of Popr-D30 users. It did collect information that would be useful in deriving some order-of-battle intelligence. More interestingly, it collected coarse location information about the compromised device. Such information isn't precise enough to generate a target, but it does provide a very useful target indicator that could then be confirmed and refined by more precise methods of observation: drones, radar, forward observers, and so on. Pulling coarse location only also offered the attackers a measure of stealth: extracting more precise geolocations would have drawn down device batteries more quickly, possibly arousing user suspicions.

Dave Bittner: [00:08:11:13] The advantages of an app that can compute gunnery data are obvious. Only the most paranoid operator would counsel a return to charts, pins, protractors, and slide rules. That said, there's no doubt someone in the basement of Fort Sill's Knox Hall is mulling exactly that. Oh, and one more thing. How does CrowdStrike name the Bears it finds? The honor goes to the researcher who discovers the threat actor.

Dave Bittner: [00:08:40:23] Time for a message from our sustaining sponsor, Cylance. Are you looking for something beyond Legacy Security Approaches? If you are, and really who isn't, you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with Artificial Intelligence and machine learning. It may be Artificial Intelligence, but it's real protection. Visit to learn more about the next generation of anti-malware. Cylance: Artificial Intelligence, real threat prevention. That's And we thank Cylance for sponsoring our show.

Dave Bittner: [00:09:40:00] Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, you wanted to share some specific advice when it comes to choosing and hiring your cybersecurity providers.

Dale Drew: [00:09:52:07] Yeah. So, so we recently wrote a, a blog on this, you know, to sort of put this, this concept out there. But, but in essence our theory is, with, with security being as competitive as it is, with the resources being as thin as they are, and with the bad guys being as capable as they are - and that, that capability evolving at a more rapid pace than we've ever seen before - the sort of theorem that we, that we're posing out there for a dialog is: why would you hire your own security capability and organically try to, not only grow and evolve that capability, but try to respond to, to the, to the sophisticated landscape rather than give that capability to a third party? So, if you take a managed security provider, most managed security providers not only have to have a fairly significant compliance regiment, they also serve a significant number of industries. So they have a pretty cross domain set of expertise associated with fighting security threats. And so you have the sort of concentrated set of security expertise who's vetted the, the, the security product capability landscape already, who has crossed a main expertise and can see threats in industries before they hit your industry, and who has solved the hiring problem associated with that, that finite set of resources in solving cybersecurity problems.

Dale Drew: [00:11:29:05] And it's pretty much the same mentality that people have today with regards to how they hire security guards. They don't hire their own security guards as employees, they contract that out through a third party service because that's a capability they don't want to be good at. They want to be good at their core business. And we think it should be the same for security. Especially as those threats evolve, and especially as those threats are not specific to individual companies anymore, but they're specific to industries. We really think companies have a responsibility to spread that capability across your, your, your managed security providers.

Dave Bittner: [00:12:03:22] You know, the argument I, I often hear on the other side of that, is that people say, "Well that's great, but I really want to, I want to be in control I need to have control."

Dale Drew: [00:12:12:22] Yeah. And I, and I would say, you know, if, if you're--Well I mean, I would argue the other way. I would argue, if you want to take a, a bus to work, you don't have to be the driver. You know, you, you want to be a passenger on that bus and you want to give the expertise to that driver. And I would say, security has evolved to the point now where you almost have a, a, a fiduciary responsibility not to be an expert in that field, because you can only be an expert up to your individual total capability, whereas a managed service provider who's got capability across multiple industries and multiple domains, has no choice other than to be experts across that entire field, and you get the overall benefit from that. If I have a dollar of investment, I'm having to spend more of that dollar in the sort of niche security capability to protect my company, than I am my core responsibility. And so I'd say from a budgetary perspective, you have a responsibility from an investment perspective to spend that dollar the wisest way you can. And the wisest way you can is to give it to someone who already is an expert in that, in that field and, and who can provide that capability better than you can today.

Dave Bittner: [00:13:32:04] All right. Dale Drew, thanks for joining us.

Dave Bittner: [00:13:36:20] And that's the CyberWire. Our team has had a busy few days at the RSA conference this week, and we'll be sharing more interviews and insights in the coming days. Thanks to everyone who took the time to say hello. It's a lot of fun to meet our readers and listeners in person, and to find out how they're using the CyberWire. For links to all of today's stories, interviews, our glossary and more, visit Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how they can help protect you from cyber attacks, visit The CyberWire podcast is produced by Pratt Street Media, our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, our executive editor is Peter Kilpe, and I'm Dave Bittner. We're headed back to Baltimore. Thanks for listening.