The CyberWire Daily Podcast 3.15.17
Ep 306 | 3.15.17

Influence ops, third-party apps with an appetite for permissions, and criminal competition. Google purges malicious apps from the Play Store. Advice for whistleblowers. Farewell to Becky Bace.


Dave Bittner: [00:00:03:15] Influence operations reported in the UK and in Europe. Third-party social media apps increase your attack surface. Petya ransomware is stolen and improved by rivals crooks. Google purges bad apps from the Play Store. A convicted leaker offers some unexpected wisdom for perspective whistle blowers. Lawyers can't figure out the GDPR. The US is said to be ready to indict four for the Yahoo! breaches. And we bid a respectful farewell to Becky Bace, one of our industry's thought leaders.

Dave Bittner: [00:00:38:21] Time for a few words from our sponsor, Dragos, the ICS security practitioners who offer protection for industrial systems along three axis. Technology, people and intelligence. If you operate the infrastructure that keeps communities running, you should know about their services. They create technology that keeps power running, water flowing and oil and gas getting safely where it needs to go. Dragos offers the first industrial cybersecurity automation platform, its threat operation center delivers industrial control system specific threat intelligence and, if you need incident response or threat hunting services, Dragos has those for you as well. To find out more, visit They've brought the world's leading industrial security professionals into a healthy ICS ecosystem. Check out their new white paper, Insights for Building an ICS Security Operation Center. It's a valuable perspective, you won't find elsewhere. Again, that's - D R A G O S - and we thank Dragos for sponsoring our show.

Dave Bittner: [00:01:49:08] Major funding for the CyberWire podcast is provided by Cylance, I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday March 15th, 2017.

Dave Bittner: [00:01:59:16] The UK continues to worry about Russian influence operations targeting up coming elections. In an odd, possibly related development, Russia's embassy to the UK is said to have been converting its Twitter followers into newsbots, ready to disseminate the Moscow line. But the big Twitter story this week has been the use of a common third party app to hijack some high profile Twitter accounts to spread a variety of messages running to Nazi symbolism, and, especially, pro-Turkish messages in support of the Erdogan government and in opposition to several European states, notably the Netherlands and Germany.

Dave Bittner: [00:02:37:05] The enabling vulnerability the hijackers exploited was in the third party Twitter Counter app, as its name suggests, Twitter Counter is used for keeping track of a Twitter account's followers, but it did so at the cost of some pretty extensive permissions. Twitter Counter requested both read and write access to your account in order to tote up your followers. Why it asked for right access is unclear, but one of its victims, security expert Graham Cluley, speculates that the app's intent was to facilitate some self promotion. In any case, Twitter Counter has blocked its own ability to write, which the company believes should take care of the issue.

Dave Bittner: [00:03:13:18] The campaign was crude and implausible but probably had some effect, many of the Tweets featured a Swastika with the words "Nazi Holland," or "Nazi Germany" as appropriate, usually displayed alongside a Turkish flag. It's unlikely, to say the least, that Amnesty International would be tweeting swastikas - did we mention that the effort was crude? The campaign's intent appears to be the discrediting of EU states' preparations to tighten restrictions on guest workers and other immigrants and to support demonstrations by Turks resident in those countries.

Dave Bittner: [00:03:46:05] We heard from several security companies about this third party Twitter hack, it's worth looking to the security of your social media accounts. R. J. Gazarek of privileged account management shop Thycotic thinks we'll see more hijacking like this. Social media accounts provide a high profile way of getting a message out and, as cyber operations increasingly serve influence operations, attackers will devote more attention to account hijacking.

Dave Bittner: [00:04:11:03] Nathan Wenzler of AsTech noted that the incident shows a typical attack sequence, start with a vulnerable app then pivot into your ultimate objective. He advises reviewing the applications you've connected to your Twitter account, and removing anything you don't use, and, especially, anything you don't trust. And, of course, keep an eye on your Twitter timeline to see what's showing up there.

Dave Bittner: [00:04:32:04] The messaging was generally aligned with Turkish government policy, but whether it was a state-directed attack, a state-inspired attack or patriotic hacktivism isn't immediately clear.

Dave Bittner: [00:04:44:01] There's also news from the criminal world, courtesy of researchers at Kaspersky Lab, the code for Petya ransomware, a strain of malicious code that's long been familiar, has been stolen and improved by a rival gang. The new variant is circulating as a Trojan called PetrWrap, which installs Petya on machines and enterprise networks and then modifies the malware on the fly to suit its purposes.

Dave Bittner: [00:05:08:23] The emergence of PetrWrap is being taken as a sign of increasing competition among criminal gags, signatures for the new ransomware are being developed, but, as Matt Kingswood of the managed service provider IT Specialists told us, there is no failsafe way of recognizing and preventing ransomware. Your best bet is regular, secure backup.

Dave Bittner: [00:05:30:01] ESET found some 13 malicious android apps designed to steal user credentials and pay card information, they notified Google, which has purged the bad apps from the walled garden of the Play Store.

Dave Bittner: [00:05:42:03] Yesterday was Patch Tuesday, Microsoft issued 18 bulletins, nine critical. It also has continued to issue its patches in their old, familiar form. Redmond evidently will delay the promised new style of patching for at least another month. Adobe has also fixed seven issues in its Flash Player.

Dave Bittner: [00:06:00:15] When a private company discovers they've been hit by a cyber attack, there's often an understandable desire to publicly name the attacker. That's known as private sector attribution. Justin Harvey, as Managing Director of Incident Response and Threat Hunting at Accenture Security, wonders if it's time to stop bothering with private sector attribution.

Justin Harvey: [00:06:20:22] It's really difficult when you are working these investigations to have empirical evidence or have forensically sound evidence that someone has done something to you, there's the internet saying, "on the internet no-one knows your dog," and in this case, for attribution, there's no way to empirically or forensically prove you're a dog or not, meaning a company thinks that a nation state or a criminal entity has attacked them based upon the malware, based upon their tactics, based upon what they were looking for or the searches, but, you have to remember, all of those can be imitated, most digital information can be reproduced in such a way that it could appear that it is that adversary but it's actually another adversary masquerading as that entity or party.

Dave Bittner: [00:07:10:00] What about the notion that there's something to be gained by naming and shaming?

Justin Harvey: [00:07:13:20] That hasn't worked to date. I mean we've seen that with President Obama - naming and shaming and indicting Chinese PLA officers. We've seen President Obama publicly accuse certain nation states of cyber espionage, but nothing really moved the needle on that until he confronted President Xi Jinping in person about it in September two years ago. Because there's been so much talk about attribution, I'd like to point to some of the cases last year around the election where you have a case where there are the yes sayers, or you have the accusers and then you have naysayers, and the naysayers, whether they were right or wrong, brought up very interesting scenarios around false flag operations, essentially masquerading your operations to lay the blame on someone else. Because there's been so much awareness around this, I think that nation states and adversaries out there are going to take advantage of this, and you're going to find false flag operations to be the norm because, as an adversary, why would you create malware and compile it in your own time zone and have your own natural language? It's very easy to compile it in a different time zone and insert some Cyrillic or Chinese characters and then, voila, now you're this other adversary and with the proliferation of malware as a service and malware tool kits you can buy off the web, you can take that one step further. So I would look to that to be one of the signs of, essentially the cyber landscape or the cyber field of battle changing, a sign of the times.

Dave Bittner: [00:08:55:00] That's Justin Harvey from Accenture Security.

Dave Bittner: [00:08:59:19] In the UK, attorneys aren't sure whether the GDPR is legally binding already in advance of its formal implementation next year.

Dave Bittner: [00:09:08:17] In a breaking story, the US Justice Department is said to be preparing indictments of four individuals in connection with the Yahoo! breaches, especially the loss of data for 500 million accounts in 2014. One of the hackers is said to be resident in Canada, the other three are thought to be in Russia. And, in even more recently breaking news, Russian authorities are said to have charged at least one of the three who are in that country with treason. They say he was spying for the Americans.

Dave Bittner: [00:09:37:05] The Vault 7 story is still developing but there's little new today. Wired does have an interview on Leaks however with former CIA whistleblower, and convicted leaker, John Kiriakou, about whistle blowing. His surprising advice to prospective leakers? Don't go directly to the media. Take the matter up with your chain of command first, then lawyer up.

Dave Bittner: [00:09:59:10] And finally we close on a sad note, our friend, Becky Bace, passed away yesterday. We offer our condolences to her family. Becky was not only a researcher of distinction but a friend and mentor to many information security professionals. She'll be missed. We've lost a founding figure.

Dave Bittner: [00:10:25:17] We'd like to take a moment to thank our sponsor, Palo Alto Networks. You can find them at The use of software as a service applications takes data security beyond traditional network perimeters. SaaS environments can create gaps in security visibility and pose new risks for threat propagation, data leakage and regulatory non-compliance. With Palo Alto Networks' integrated platform, you get detailed software as a service visibility and granular control, data governance, automated risk remediation and malware prevention. So your organization can achieve complete SaaS protection. With Palo Alto Networks you get the broadest, most comprehensive cyber security for all cloud and SaaS environments. Make sure your apps and data stay secure and protected. Remember, secure clouds are happy clouds. Find out how to secure yours at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:11:33:09] And I'm pleased to be joined once again by Emily Wilson, she's the Director of Analysis for Terbium Labs. Emily, we had the recent Cloudbleed breach, which certainly gathered a lot of attention in the press and elsewhere, this sort of thing causes a bunch of activity on the dark web when they happen.

Emily Wilson: [00:11:51:12] Yes. I think plenty of people are quick to piggyback on whatever the latest thing in the headlines is, whether it was something like the LinkedIn breach or as we're seeing with Cloudbleed. I know of vendors claiming to have something like 150 million credentials for these sites that are impacted by Cloudbleed but, conveniently somehow, there were credentials or sites that weren't impacted at all like Netflix.

Dave Bittner: [00:12:15:08] So they're using the notoriety of the breach to sell unrelated goods?

Emily Wilson: [00:12:22:09] I think one of the things to keep in mind is that people who are looking for the latest set of whatever credentials are going to be looking for the same key terms that we would think of in terms of what's new, what's out there? And people are curious what other vendors have for sale.

Dave Bittner: [00:12:37:00] Some of the credentials that have shown up in this particular breach have already been available, have already been for sale.

Emily Wilson: [00:12:43:05] Yes. I think we're all waiting to see just how big of an impact this breach is going to have in terms of credentials and what gets leaked. But, yes, definitely some of the names that are in this breach - not these credentials if these credentials are available - but definitely these companies have had issues in the past and there are plenty of credentials for sale and now we're hearing a new interest because this breach is new and people suddenly care about it. However, it didn't seem to be all that interesting to people before with these listings that have been up for months or years in some cases.

Dave Bittner: [00:13:15:15] So even on the dark web, buyer beware.

Emily Wilson: [00:13:18:17] Yes. No, if it sounds too good to be true it probably is.

Dave Bittner: [00:13:22:12] All right, Emily Wilson. Thank you for joining us.

Dave Bittner: [00:13:26:21] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance uses artificial intelligence to keep you safe and secure online, check out

Dave Bittner: [00:13:40:06] A quick reminder for you to check out the Grumpy Old Geeks podcast, where I join Jason and Brian for what is quite often a colorful and sometimes salty review of the week's cyber security news. We do have ourselves a good time. You can find Grumpy Old Geeks wherever fine podcasts are available, so do check it out.

Dave Bittner: [00:13:57:04] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.