The CyberWire Daily Podcast 2.5.16
Ep 30 | 2.5.16

Transcript

John Petrik: [00:00:04:12] Is the ISIS narrative losing some charm, as it comes up against actuality? European governments show double-mindedness over privacy and surveillance. Malware authors make their products warier and more evasive. WordPress-based ransomware campaigns continue unabated. And, just because you wear a white hat doesn't mean the law will necessarily recognize you as a good guy.

Dave Bittner: [00:00:27:13] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance, and privacy. Learn more online at isi.jhu.edu.

John Petrik: [00:00:50:22] This is John Petrik, the CyberWire's editor, here in Baltimore filling in for Dave Bittner, with your CyberWire daily podcast for Friday, February 5th, 2016.

John Petrik: [00:01:00:17] Reports from US intelligence sources suggest a weakening of ISIS in its core territories. The causes of such weakening, if real, are complex. They may include: competition from a resurgent Al Qaeda, particularly in the Sahel and Afghanistan, an ISIS pivot to operations in Libya, encouragement of international recruits to stay home and work terror there, and simple combat attrition. But from the point of view of information operations, perhaps the most encouraging sign, to ISIS opponents, is a rise in desertions. The realities on the ground are increasingly seen, on that ground, as disconnected from the self-proclaimed Caliphate's aspirational messaging.

John Petrik: [00:01:41:15] Concerns about terrorism, largely centering on ISIS but extending to other groups as well, continue to prompt governments to push for more comprehensive surveillance powers. Poland has just enacted a law assuming such power, and it's done so in explicit response to the rising threat of Islamist radicalization and terrorism. The EU's not happy about the laws, but Poland is probably more bellwether than outlier in European surveillance policy.

John Petrik: [00:02:07:03] The United Kingdom and the United States are in talks about extending the UK's ability to serve wiretap warrants in the US. US officials seem surprisingly receptive to the proposal.

John Petrik: [00:02:17:20] Researchers looking to newly evolved strains of malware find that mal-coders are paying increasing, and increasingly effective, attention to evasion and obfuscation. Trustwave, for example, describes how the Neutrino exploit kit is now using OS fingerprinting to screen out devices that may be collecting information on the kit for purposes of defense, reverse engineering and so on. Specifically, Neutrino is parrying Linux machines, which are favorites of security researchers.

John Petrik: [00:02:45:09] And Palo Alto Networks describes a new custom backdoor, they're calling it T9000, that's adopted some fairly snazzy anti-analysis techniques. T9000 identifies, Palo Alto reports, some 24 security products, and then customizes its installation to evade analysis. T9000 is the latest member of the T5000 malware family, also known as Plat1. Its earlier variants have been in use at least since 2013, when Cylance reported on its use by a group called Grand Theft Auto Panda. FireEye researchers also found the malware distributed in 2014, and the bait in that case was the disappearance of Flight MH370.

John Petrik: [00:03:25:13] The ransomware campaign afflicting WordPress sites continues today, and researchers are still trying to get a good handle on its origins and the specific methods of infection. The campaign's motive, however, is quite clear, and that motive is extortion. Victims find themselves enmeshed in TeslaCrypt ransomware.

John Petrik: [00:03:42:16] This is probably a good time to revisit the ways in which enterprises can protect themselves against ransomware. Dark Reading offers a convenient summary: authenticate inbound email, harden your email servers, consider ad-blocking, monitor file activity, and have a good, current, sound, and well-exercised response plan in place. We'd add one more to their list, and this works for individuals as well as enterprises: back up your data.

John Petrik: [00:04:08:23] A great deal of ransomware gets its foothold in a device through social engineering. The CyberWire's Dave Bittner spoke earlier this week with Johns Hopkins University's Joe Carrigan about social engineering.

Dave Bittner: [00:04:19:18] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity, and community, through technology education. Learn more at digitalharbor.org.

Dave Bittner: [00:04:40:21] Joining me is Joe Carrigan, senior security engineer at the Johns Hopkins Information Security Institute. They're one of our academic and research partners.

Dave Bittner: [00:04:48:02] Joe, it strikes me that, no matter the amount of automated security we have for our systems, we still have to deal with the issue of the person sitting in front of the machine.

Joe Carrigan: [00:04:56:19] Right, the people - they're the weakest link.

Dave Bittner: [00:04:58:14] Can you talk about social engineering - one of your favorite subjects?

Joe Carrigan: [00:05:03:02] Social engineering is fascinating to me - just the psychology of getting people to tell you information that they're not supposed to tell you. I have a friend who used to work for a company, probably about two decades ago, and their security audit had a very interesting component to it. They would call in to the company that they were auditing, they would be very honest with the people, they'd say, I'm from company X. I'm contracted with your company and we're doing a security audit. I need to know your username and password. 25% of the people would tell them the username and password as part of a security audit. Yeah, you just failed the audit.

Dave Bittner: [00:05:40:10] Let's break that down a little. It seems to be so straightforward as to be almost absurd, but on the other hand, if someone calls and says, I'm from security, it would be easy not to think twice about that.

Joe Carrigan: [00:05:52:22] Correct - people are trusting, generally. That's what I mean about being fascinated about the psychological aspect of it. There's another article that I read recently where somebody was saying, "Why would I spend time and effort reverse engineering someone's password, when I can just call into the organization and ask ten people, and one of them will give me the username and password?"

Dave Bittner: [00:06:12:05] So how big a threat is this? Compared to the automated attacks coming in, how big a component is social engineering?

Joe Carrigan: [00:06:23:03] It's a big component because if I can get someone's username and password I can actually get into the network immediately, without any more delay. So it is a large portion of where people are focusing now. There's some people, some of whom I've known who when I've worked with companies that did security audits, who are very, very good at just talking their way into things, or talking people out of things. They're masters at it - it's almost like a Jedi mind trick.

Dave Bittner: [00:06:52:03] So there's an art, as well as a science?

Joe Carrigan: [00:06:54:14] Absolutely, this is very much an art.

Dave Bittner: [00:06:57:09] So if I'm a company, and I'm trying to protect myself against these kinds of attacks, is it a matter of training my people? What can I do?

Joe Carrigan: [00:07:03:09] It is a matter of training your people, and that's pretty much all you can do, because if you have people who are giving out username and passwords, that's a real problem. You have to educate everybody that nobody ever needs your password to get your information. It's something that someone ever needs to use, and if I'm an administrative system I don't need your password to access your files. I can either get the access, or I can change your password.

Dave Bittner: [00:07:26:01] Joe Carrigan, from Johns Hopkins University Information Security Institute, thanks again for joining us.

Joe Carrigan: [00:07:30:19] My pleasure.

John Petrik: [00:07:32:23] We finish with two stories that may be about white hats or black hats - you be the judge.

John Petrik: [00:07:38:24] A Dridex botnet is showing some odd behavior. Instead of sticking to its customary last of passing out a banking Trojan, the botnet is instead replacing the usual malicious links with an installer for Avira Antivirus - Avira's a legitimate security product. Now, whoever's doing this isn't Avira, and Avira also notes that people who've gone to the installer received a valid signed copy of the antivirus software, instead of the malicious Trojan. Why this is being done is equally mysterious. It could be a malicious actor seeking to "mess with the heads of security firms," as The Register puts it, but Avira thinks that unlikely. It seems more probable that a white hat vigilante is at work. So nice motive, but as Avira points out, this kind of activity is illegal in an awful lot of jurisdictions.

John Petrik: [00:08:25:15] This isn't the first time an Avira installer has replaced a malicious payload. The phenomenon has been observed before with both CryptoLocker and Tesla.

John Petrik: [00:08:33:19] And on the subject of well-intentioned but probably illegal behavior, CSO interviews a guy prudently identified only as Seth, who's set out to pwn tech support scammers. Seth has set up an old plausible-looking box as his honeytrap adjunct. When the scammers call he pretends to swallow their phishbait, then lets them take over his machine and have their way with it. After some minutes of this, Seth says, "I called B.S. on the guy," and this angers the scammer, who then proceeds to take as much of the baitbox's contents as he can scoop up. Some of those contents consisted of about two dozen malware samples stored in the documents folder. Seth, of course, doesn't know if his whack-back hit the bad guy target, but he seems to have found it a satisfying experience. Again, quite likely illegal in many, even most jurisdictions, so kids, really don't try this at home - you'll break your mother's heart.

John Petrik: [00:09:27:20] That's the CyberWire for Friday, February 5th, 2016. Come back for a Week in Review Podcast up a bit later this afternoon. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. The CyberWire Podcast is produced by CyberPoint International and this is the editor, John Petrik. Our regular host, Dave Bittner, will be back from his sojourn at the second happiest place on earth sometime on the 16th. Until then I'll be filling in. Thanks for listening.