The CyberWire Daily Podcast 2.21.17
Ep 290 | 2.21.17

A coming surge in North Korean hacking? Middle Eastern cyber espionage campaigns. Microsoft patch issues. Infowar updates. NIST's draft electrical utility cyber guidance. Problematic toys.


Dave Bittner: [00:00:03:16] Analysts predict a surge in North Korean hacking after China embargoes coal. ViperRAT catphishes the IDF. Magic Hound and Shamoon both use malicious macros to infect victims' systems. TASS says no one really knows who hacked OSCE. Sputnik teases with a WikiLeaks tease. NIST has cyber advice for power utilities. We've got some RSA notes, and my friend Cayla gets the boot from Berlin.

Dave Bittner: [00:00:35:07] Time to take a moment to tell you about our sponsor, CyberSecJobs. If you're an information security professional seeking your next career, or your first career, you need to check out and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resume and search and apply for thousands of jobs. And it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. Here's one of the current hot jobs: WakeMed is looking for an Information System Security Officer to help safeguard sensitive information. You'll find this and other great opportunities at That's And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:38:12] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, February 21st, 2017.

Dave Bittner: [00:01:49:06] Observers are predicting an upsurge in North Korean hacking. That prediction is driven by recently imposed Chinese sanctions. Like most of the rest of the world, China is upset by North Korean missile tests and has imposed an embargo on coal imports from the Democratic People's Republic of Korea. Selling coal to China has long been a main prop of the DPRK's shaky economy, and some analysts think it likely that Pyongyang will seek to recoup its economic fortunes through various forms of cyber crime.

Dave Bittner: [00:02:20:18] There are several stories trending out of the Middle East. A catphishing campaign has been targeting members of the Israeli Defense Forces with Android malware called ViperRAT. Early speculation about attribution, in the Israeli press and elsewhere, pointed in the general direction of Hamas, the Palestinian Sunni group that's the de facto ruler of the Gaza Strip. Lookout Security, however, believes such attribution may have been hasty and that far from initial characterizations of ViperRAT as relatively primitive, the malware is actually more sophisticated than reports made it out to be.

Dave Bittner: [00:02:55:06] Cisco is tracking Magic Hound, a RAT-centric campaign targeting Saudi businesses. The attackers gain their entrée by phishing. Cisco's Talos group says the malware is for the most part commodity stuff: IRC bots, Metasploit Meterpreter payloads, and an open-source Remote Administration Tool.

Dave Bittner: [00:03:15:10] IBM's X-Force has continued its investigation of Shamoon, the destructive campaign against Saudi Aramco and other Gulf targets that reappeared in November 2016 and January 2017. Researchers believe the initial infection was through malicious macros in a compromised document.

Dave Bittner: [00:03:33:11] In the realm of international cyber conflict, the Russian news agency TASS primly notes that TASS is authorized to state that the Organization for Security and Cooperation in Europe - the OSCE - has been unable to determine exactly what actor was responsible for the hack OSCE sustained last year. Pretty much everybody except TASS thinks it was the Russian intelligence services. Another Russian news agency, Sputnik, last week teased the world with reports that WikiLeaks is itself teasing with the prospect of more leaked emails involving Julian Assange's bête noire, former Democratic Presidential candidate Clinton. So far, however, nothing.

Dave Bittner: [00:04:14:15] Bitcoin News Service reports a disquieting trend: an increasing number of US businesses are stockpiling Bitcoin to pay off ransomware attacks. This isn't the best news because first, a stash of Bitcoin maintained against extortion is likely to draw cyber blackmail as meat draws flies; and second, well, if you pay, there's increasingly no guarantee you'll get your files back anyway. Ransomware purveyors are now often in it for the short-term, and devil take the hindmost.

Dave Bittner: [00:04:45:14] Google's Project Zero is seen as having effectively shamed Microsoft when the Redmond giant pulled its expected patches instead of issuing them as expected a week ago. Google has disclosed several vulnerabilities publicly that it had earlier privately passed over to Microsoft. Industry sources are baffled by Microsoft's decision. Initially, the company announced it would delay the February patches, but shortly thereafter amended its public statement to say that it would skip February entirely, deferring fixes until March.

Dave Bittner: [00:05:18:03] The NIST Cybersecurity Practice Guide, SP 1800-7 “Situational Awareness for Electric Utilities,” was issued late last week. Public comments on the draft will be accepted through April 17, 2017. The practice guide is likely to be as influential in the energy sector as other NIST publications have been elsewhere.

Dave Bittner: [00:05:39:09] Turning again to RSA 2017, the event's organizers claimed record attendance - 43,000 is being widely reported - and the show's floor was crowded, as were surrounding streets and hotels. The many companies exhibiting were being asked by those they pitched to explain the problems their technologies solved, to demonstrate the ease of their solutions' implementation, and (this question largely, although not exclusively from investors) to show how they differentiate themselves in a crowded marketplace that seems ready for consolidation. Zulfikar Ramzan is Chief Technology Officer for RSA Security, and he was the keynote speaker at this year's conference. We caught up with him at the show.

Zulfikar Ramzan: [00:06:21:14] To me, this past year the defining issue for us, I think, as we look at our industry was a cyber attack on the Democratic National Committee. Because it was one of the first times where the mass public realized that there are these massive implications that occur when cyber threats are carried out successfully. So if you look at the actual techniques themselves in the DNC hack, there was some sophistication, there were some basic tools being used, but nothing that was earth-shattering by any stretch of the imagination. I think what was earth-shattering is that electoral ripple effect where people started questioning the foundations of democracy. It's the first time that I feel people have truly questioned that, and they're questioning it because of a cyber attack. So I think, for us as an industry, that has to be top of the mind, because that's what our customers are thinking about in so much detail, and we've got to think about what it means for us to move forward as an industry in a world where that is now the new norm. We live in this sort of post-cyber threat world, or this post-ripple chaotic world of what cyber attacks can create.

Zulfikar Ramzan: [00:07:21:00] Today, we see researchers--or a couple of years ago, we saw researchers able to compromise a car and find a way to remotely stop it from working with the brakes on remotely. You know, imagine if they can do that in the future when there are millions of cars in the road or, even worse, if they can do that with millions of cars and they can direct where they go, and push them towards a common target. I mean, it wouldn't be an exaggeration to call that almost like a cyber-911 type of event, except this time the attackers can do it for the comfort of their own home and not have to be in a physical airplane to make that work.

Zulfikar Ramzan: [00:07:52:24] And so those implications to me are truly profound, because I think we have to take a step back and realize that that's not beyond the art of the possible right now. That's actually within the realm of what we can conceive of. And it just takes one or two bad people out there, and there's a lot of people in the world - there's always a few bad eggs - and it doesn't take that many resources for those few bad eggs to cause some real and sophisticated damage to infrastructures that we take for granted as being available to us at any time of day and night. And so there's a very careful balancing act we have to play as professionals in security of, how do we educate the public about the art of the possible without sometimes revealing too much? Because that can turn people off from, you know, really appreciating the risks that are involved.

Zulfikar Ramzan: [00:08:34:12] We live in a world where things can go wrong any time, and we rely on trust in so many ways for everything we do. Look at the human body. There are viruses running in our bodies at any given moment in time. It's not like we all are in this perfectly clean state; I mean, that's the case for the cyber world as well. There's always issues happening, but we focus on the ones that matter most. If you're a human, you focus on, "Okay, is my heart working correctly?" Or, you know, if I have a serious illness, maybe I should go and address that. But if I've got, like, a light cold, I wouldn't treat it with the same remedy as if I had a flu. And so, I think we have to re-think security models around priorities for what we're trying to achieve, and then take a step back and look at things much more holistically than we have been in the past, as opposed to doing that whack-a-mole, one by one job.

Dave Bittner: [00:09:13:05] That's Zulfikar Ramzan from RSA Security.

Dave Bittner: [00:09:18:00] Finally, there's some news from the Island of Misfit Toys. Only, if you believe German security authorities - and who wouldn't - the toys in question aren't nice and underappreciated toys like Yukon Cornelius rescued in the old Puppetoon. In this case, the toy in question is one, My Friend Cayla, a doll that Germany's Federal Network Agency calls "an espionage device." Parents are being advised to "destroy" any Caylas, because Cayla is recording their children's conversations and sending them back to Cayla's American manufacturer, Genesis. Genesis says it's all on the up-and-up, they've got a privacy policy, and the interactions are just there to improve the customer experience, but the Germans are having none of it. It's also been noted that the ever-helpful community of security researchers has done some proof-of-concept hacking that modified Cayla to curse and yell scary stuff at kids. So it's research, everyone. We thought maybe Cayla was just hanging out with Tay. Tay? Are you listening? Tay?

Dave Bittner: [00:10:26:15] Time for a message from our sustaining sponsor, Cylance. Are you looking for something beyond legacy security approaches? If you are - and really who isn't - you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit to learn more about the next generation of anti-malware. Cylance, artificial intelligence real threat prevention. That's And we thank Cylance for sponsoring our show.

Dave Bittner: [00:11:25:16] Joining me once again is Markus Rauschecker. He's the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security. Now Markus, I wanted to touch on Section 230 of the Communications Decency Act, which has sort of come under a closer microscope lately because of some things going on. But before we get into all of that, why don't you start off and give us an overview of why Section 230 of the CDA is so important?

Markus Rauschecker: [00:11:52:02] It's critical to the internet as we know it today. Basically, Section 230 provides that providers of interactive computer services cannot be treated as publishers or speakers of information that's posted by users of those services. So in other words, a service provider cannot be held legally responsible for something that a user posts on that service. As you can imagine, if this protection did not exist, there would be very few companies or service providers that would actually be willing to continue offering their services because, if they could be held legally responsible for something somebody else posted on their service, you know, that's probably a risk that no one would want to be confronted with.

Dave Bittner: [00:12:38:16] And it's commonly referred to as a safe harbor provision, but there's some people who are sort of chipping away at it thanks to some conflicts with AirBnB.

Markus Rauschecker: [00:12:49:02] Yeah. So basically, a lot of cities and municipalities around the country are trying to sue AirBnB for violations of some of the postings that are on the AirBnB site. So users use AirBnB to kind of rent out their apartments or rooms. And sometimes, those listings on AirBnB violate zoning laws or other regulations in those cities and municipalities. So, cities are actually suing AirBnB for those illegal posts, those illegal listings. And, of course, AirBnB is taking objection to those suits, claiming that they have no legal responsibility to prevent those kinds of listings based on Section 230 of the Communications Decency Act. But, cities and municipalities are passing new laws to try and circumvent Section 230, and AirBnB is finding itself more and more on the defensive here and facing legal hurdles.

Dave Bittner: [00:13:53:08] All right. So, it's something to keep an eye on because it really is foundational to the internet as we know it.

Markus Rauschecker: [00:13:58:10] Absolutely. And if we see a development here in the case of AirBnB as regards Section 230, we might see these kinds of encroachments in other areas of the internet as well. So, it's definitely something to keep an eye on.

Dave Bittner: [00:14:14:21] Alright. Markus Rauschecker, thanks for joining us.

Dave Bittner: [00:14:19:20] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more visit Thanks to all of our sponsors who make The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you from cyberattacks, head on over to The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben. Technical Editor is Chris Russell. Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.