The CyberWire Daily Podcast 3.1.17
Ep 296 | 3.1.17

Internet outages were errors, not attacks. Evolving Trojans and botnets. M&A news. Cyber casus belli. Terminators and teddy bears.


Dave Bittner: [00:00:03:09] Yesterday's Internet outages were due to errors in Amazon's S3 servers. Dridex has evolved to become more evasive. The Necurs botnet acquires a DDoS capability. Web cache deception attack techniques are described. Austrian authorities think they have a suspect in the attempted cyberattack on Vienna's airport. Palo Alto buys LightCyber. Companies continue to grapple with GDPR compliance. Uncertainty about US policy direction expected to drive an increase in foreign cyber espionage. And in the IoT, worries run from Terminators to Teddy bears.

Dave Bittner: [00:00:44:00] Time from a message from our sponsor, Netsparker. You know, when you want automated security, you want it to be automatic. Netsparker delivers a truly automated web application security scanner. It can be surprisingly labor intensive to scan websites and other solutions need a lot of human intervention. To take one example, with other scanners you have to configure URL rewrite rules to properly scan a website. Not with Netsparker. They say it's the only scanner that can identify the set up and configure its own URL rewrite rules. Visit to see how Netsparker's no false positive scanner frees your security team to do what only humans can. And don't take their word for it, if you'd like a free trial, go to and you'll get a 30 day fully functional version of Netsparker desktop. Scan your websites with no strings attached. That's And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:47:22] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, March 1st, 2017.

Dave Bittner: [00:01:57:20] Is the Internet working for you, again? Well, it is for us. Contrary to some initial alarmist screamers, yesterday's Internet outages weren't caused by an attack, but rather by problems in Amazon's S3 cloud storage service. Ars Technica calls the incident "sputtering." The disruption is more properly understood as outages experienced by a large number of sites and apps dependent upon S3.

Dave Bittner: [00:02:23:00] The problem originated with errors in Amazon servers in the US state of Virginia. Outages were widespread, but particularly severe on the North American East Coast. The incident is a reminder of how much infrastructure is in the hands of the private sector, especially in the US. Wired magazine sees the outages as evidence that industry consolidation can compromise resilience, and compares it to last October's Dyn outages. The Dyn case was, as it happens, an attack - distributed denial-of-service accomplished by the Mirai botnet - and yesterday's Amazon outages were of course a different matter, but in both cases the effects were widespread.

Dave Bittner: [00:03:03:01] IBM's X-Force looks at the venerable Dridex banking Trojan and notices that it's been updated to incorporate a more evasive injection technique, "AtomBombing." The new edition of Dridex - version 4 - is active in the wild against banks in the UK and is expected to spread rapidly.

Dave Bittner: [00:03:21:18] BitSight's Anubis Labs warns that the Necurs spam botnet has been upgraded with a distributed denial-of-service capability that could outstrip the capacity Mirai demonstrated. This hasn't, of course, happened yet, but the threat bears watching.

Dave Bittner: [00:03:37:09] Researchers at the EY Hacktics Advanced Security Center in Tel Aviv have found an issue with caching servers used by major sites. Should a user access a non-existent resource, the servers sometimes cache incorrect page content. Such content can include personal information including credentials, account balances, and so on. To exploit this flaw in what's being called a "web cache deception attack," an attacker would induce a user to access a URL leading to a non-existent resource, whereupon the server would cache the page holding personal information. The attacker would then access the bad URL to get the cached page, and with it the user's personal data.

Dave Bittner: [00:04:19:04] PayPal quickly closed this vulnerability in its own services when the researchers notified it, but EY Hacktics thinks the problem is likely to be widespread and generally unrecognized.

Dave Bittner: [00:04:31:16] Austrian authorities believe they have a suspect in the abortive cyber attack on Vienna's airport. They describe the suspect as "Turkish," and maybe the person is, but fairness demands that we point out that he or she is living in Kentucky. And, of course, that he or she is also entitled to the presumption of innocence.

Dave Bittner: [00:04:50:18] In industry news, Palo Alto Networks has announced its acquisition of security firm LightCyber. LightCyber's automated behavioral analytics will be added to Palo Alto's Next Generation Security Platform.

Dave Bittner: [00:05:03:20] Companies that collect data internationally - and that's essentially any business working online - have yet to come to grips with GDPR compliance. The European Union's General Data Protection Regulation will take full effect on May 25th, 2018, a date that will surely arrive with haste.

Dave Bittner: [00:05:22:12] The problem of compliance is inherently complex, and in this case even more so because of the jurisdictional lines crossed when one considers how, say, a US firm must negotiate European requirements. And such standards and regulations can be widely influential even when they're established by sub-national governments. New York State's new cybersecurity regulations affecting banks take effect today, and those effects will by no means be confined to the Empire State.

Dave Bittner: [00:05:50:19] Uncertainty about the direction of US policy is expected to prompt other countries to try to resolve those uncertainties through increased espionage, particularly those like Russia and Iran, not particularly well disposed to the Americans.

Dave Bittner: [00:06:05:12] Influence operations are also expected to continue. Japan seems ready to sustain a significant information operations campaign if suspicions about Snake Wine are borne out.

Dave Bittner: [00:06:16:07] Jon Gross is Director of Threat Intelligence at Cylance.

Jon Gross: [00:06:20:04] When we started to do some of our initial investigations and stuff, it looked like it was an old CN-APT group called menuPass. But as we delved, I guess, further into the malware, it really didn't share the code similarities that you would expect. It seemed like a lot of work was done to attempt to obscure attribution, which really I personally haven't seen any other, I guess, Chinese APT operators attempt to do that ever. So, if it is the Chinese, it would be out of form for them. And I can just say, the things that we saw them doing, in addition to using hosting providers that accept bitcoins, or are anonymous payment services, they signed a large majority of the malware samples that we saw, at least early on, with the stolen hacking team co-signing certificates. Which, to us, really didn't make any sense, right? Because that's going to be an instant red flag, and you would really derive no benefits from that, other than sending somebody on a potential goose chase, or making someone question why in fact you did that.

Jon Gross: [00:07:47:07] This targeting was very clearly focused solely on Japanese interest, right? So Japanese commercial government and research interests. The culmination of lots of little things led us to start questioning whether or not this was actually Chinese APT. I mean, it just didn't really add up, especially what from a research perspective, should have been a clearly cut and dried case. And what we found was that a lot of the infrastructure, to us, it at least seemed like it wasn't active, right? So it's going to potentially be spun up in the future, and it's just currently being used now and we're only seeing what we're seeing. As with anything related to cyber, you only know what you know. In this case, and judging from the information that we had, it was very clear that someone was attempting to obfuscate attribution.

Dave Bittner: [00:08:56:15] That's Jon Gross. He's Director of Threat Intelligence at Cylance.

Dave Bittner: [00:09:01:24] The US Congress is currently trying to think through when a cyberattack would constitute an act of war, and what might be done in retaliation. Congress and the Administration are required by legislation passed last year to arrive at some clarity on the issues. It's very much a work in progress.

Dave Bittner: [00:09:20:00] And, finally, there's much worry in the press at midweek over the Internet-of-things and its security, particularly in the world of robots, where the US Army and others think they discern a revolution in warfare comparable to the Blitzkrieg of the late 1930s. "Five Terminator movies have taught us nothing," moans CSO Online, as they report their inquiry into how robot manufacturers seem to be falling short of Asimov's Laws of Robotics.

Dave Bittner: [00:09:45:18] But scary stories about the connected home, also with Robots, are also being retailed. As Spiral Toys works with its customers and gets ready to file the breach reports required under California law, see the local regulation angle again? Their connected CloudPets are still creeping out security journalists. Until things are sorted out, remember: the teddy bears may have a big surprise for you, Moms and Dads. If a stuffed animal says, in its best Austrian-accented English:

Excerpt From Film: [00:10:16:13] I'll be back.

Dave Bittner: [00:10:17:20] Grab your bug-out bags, head for the hills.

Dave Bittner: [00:10:24:22] We'd like to thank our sponsor Palo Alto Networks. You can visit them at When you move to a public cloud, like Amazon web services or Microsoft Azure, you share responsibility for security with your service provider. To do your share, you've got to protect your apps and data wherever they are. Fortunately, with Palo Alto Networks, you can do just that. Their next gen cloud security gives you complete visibility, so can you control your apps and reduce your attack service. Palo Alto Networks has the broadest, most comprehensive cybersecurity for all clouds and software-as-a-service environments. They know that secure clouds are happy clouds. Find out how to secure yours. Get started today at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:11:22:22] Joining me is Jonathan Katz. He's a Professor of Computer Science at the University of Maryland and Director of the Maryland Cyber Security Center. Jonathan, I want to take our audience through some of the key concepts surrounding encryption, things like plain text, ciphertext and key encryption. What can you tell us about that?

Jonathan Katz: [00:11:37:18] Well, there are two sorts of encryption schemes. There is private-key encryption and public-key encryption. In a private-key encryption scheme, there's a mechanism that allows two users who have shared some secret information, called a key, in advance, to then use that key to communicate securely. And the way that works is that these two users have shared their key in advance. One user who wants to send the information, will take their message, called a plain text, and encrypt it using the key to get some ciphertext. Transmit that ciphertext over a public channel to the other party at the other end, and then they can decrypt that ciphertext using the key that they've shared with the other party and recover the original message.

Dave Bittner: [00:12:16:15] And how does that differ from public-key encryption?

Jonathan Katz: [00:12:19:05] Public key encryption is really amazing. Public key encryption is something that was not even possible until the late 1970s, or early 1980s. And what that allows is for two parties to have a secure communication channel without sharing any information in advance, without sharing the secret key. And the way it works is that you have one party generating a matched pair of keys, one being a public key, and one being a so-called private key. The private key is kept secret by that individual, and the public key can be broadcast to the world, and sent over a public communication channel to anybody else who wants to communicate with that first individual.

Jonathan Katz: [00:12:53:10] Anybody with the public key can then encrypt, take the plain text as before, encrypt it to get a ciphertext that they transmit to the first party, and they can then decrypt that using their private key to recover the original message. This is really amazing, it kind of blows my mind that it's even possible, because it means that you can have two people standing at opposite ends of a room communicating back and forth with everybody else in the room listening to everything they're saying and still not being able to figure out what message is being transmitted.

Dave Bittner: [00:13:19:10] It's my understanding that there's been developments related to this with quantum computing, what can you tell us about that?

Jonathan Katz: [00:13:24:20] People are very concerned about the advent of quantum computers and the reason for that is that all the current public-key encryption algorithms that are currently used are vulnerable in case a quantum computer is ever developed. So what that means is that if we have quantum computers becoming a reality within the next 20 years or so, all of the encrypted communications currently on the Internet will be vulnerable. Thankfully, however, quantum computers are not believed to impact private-key encryption as severely. They may allow an attacker to speed up the time required to brute force a key, but they don't fundamentally weakening algorithms the way they do in the public key case.

Dave Bittner: [00:14:00:07] Jonathan Katz, thanks for joining us.

Dave Bittner: [00:14:04:11] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you from cyber threats, point your browser to

Dave Bittner: [00:14:23:06] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jen Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.

Song: [00:14:30:13] "Teddy Bears Picnic".