The CyberWire Daily Podcast 3.21.17
Ep 310 | 3.21.17

Extortion claims. Election influence operations seem likely to continue. A Russian bank claims it's being framed by DNS spoofing. "Cyber Pearl Harbor" fears may be a distraction.


Dave Bittner: [00:00:03:20] Is the Turkish crime family for real with its threats to wipe iPhones remotely? WikiLeaks grumbles that it has few takers for its Vault 7 bugs. Germany raises its state of cyber alert, pre-election. The US expects more Russian cyber and influence operations. Fears of a cyber Pearl Harbor may distract from real ICS risks and, no, Martians haven't landed in New Jersey.

Dave Bittner: [00:00:32:08] Time for a few words about our sponsor, Dragos, the ICS security practitioners who offer protection for Industrial Systems along three axes: technology, people, and intelligence. If you operate the infrastructure that keeps communities running, you should know about their services. They create technology that keeps power running, water flowing and oil and gas getting safely where it needs to go. Dragos offers the first industrial, cyber security automation platform. Its threat operation center delivers industrial control systems specific threat intelligence, and if you need incident response or threat hunting services, Dragos has those for you as well. To find out more visit They've brought the world’s leading industrial security professionals into a healthy ICS ecosystem. Check out their new white paper, Insights for building an ICS security operations center. It's a valuable perspective you won't find elsewhere. Again, that is Dragos,, and we thank Dragos for sponsoring our show.

Dave Bittner: [00:01:41:15] Major funding for the CyberWire is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, March 21st, 2017.

Dave Bittner: [00:01:50:11] A group calling itself the Turkish Crime Family claims to have contacted Apple with a ransom demand. If Cupertino doesn't pay them either $75,000 Bitcoin or Ethereum crypto-currency, or $100,000 in iTunes gift cards, they will remotely wipe millions of iPhones and iCloud accounts. The deadline for payment is April 7th. It's unclear whether the threat is real, or even whether the Turkish Crime Family has actually communicated with Apple. This may well be a case of skids crowing large. But it should also serve as a timely reminder of the importance of securing your iOS devices and iCloud accounts.

Dave Bittner: [00:02:31:07] South Korea reports stepped up cyber attacks on its military networks, probably an unsurprising development given that they coincide with the US-South Korean military exercises.

Dave Bittner: [00:02:42:01] WikiLeaks' Julian Assange says, in effect, that companies who decline his disclosure of exploitable bugs – allegedly from CIA files – are stooges for the US intelligence community. That seems unfair. But, on the other hand, Mr Assange knows he's hardly flavor of the month in Langley or Laurel, and the IC certainly discourages anyone from having to do with him.

Dave Bittner: [00:03:06:08] Germany raises pre-election cyber alert levels to prepare for Russian cyber and information campaigns. The US FBI warns that more Russian attempts to influence US elections should be expected. The Bureau continues investigating possible contacts between Trump campaign officials and Russia.

Dave Bittner: [00:03:24:09] FBI Director Comey's testimony to Congress confirmed that the Bureau is convinced Russian intelligence services were involved in hacking the Democratic National Committee. What's surprising is not so much that the Russians would have wanted to do so, but that they were so noisy about it. We heard from Fidelis Cybersecurity Threat Systems Manager John Bambenek, who calls this "classic power projection". In effect, they're sending the message that if they can do this to the US, they can approach smaller countries and say, in effect, nice election you got there; shame if anything happened to it.

Dave Bittner: [00:03:57:17] As Bambenek put it, "The true damage of the hacking hasn't been its impact on the election, as there is little to indicate it had any impact on the final vote count. The real impact is the harm and destabilization we continue to bring upon ourselves. A US that is consumed with bitter infighting and openly questions the legitimacy of its own institutions, is dramatically less able to curtail Russia's geopolitical ambitions. That is exactly what they want."

Dave Bittner: [00:04:26:19] Russia's Alfa Bank has asked US law enforcement for help with what it says are false signs of contact between itself and the Trump Organization. Alfa Bank says it has observed "multiple domain name server requests" that is, DNS requests, "mostly using US server providers, to a Trump Organization server. The bank says the requests were spoofed to make it appear that they originated from Alfa Bank, and were intended to give a false impression that Alfa Bank had some sort of relationship with the Trump Organization. They also say they believe the attacks were launched from a botnet.

Dave Bittner: [00:05:01:13] Mandiant, a division of FireEye, recently released their 2017 M-trends report on breaches and cyber attacks. Ronald Bushar is Mandiant's Vice President of Global Government Services, and he gave us an overview of what they gathered.

Ronald Bushar: [00:05:15:20] We have seen a rapid rise in both the sophistication and the volume of financially motivated criminal actor groups. We're actually stating in our latest analysis that in some cases financial actors are as sophisticated, or in some cases even more sophisticated, than government or intelligence agency capabilities. We've also seen a shift from what we term "smash and grab", which was a very kind of visible direct theft of financial data that could easily be monetized, to a shift in tactics that is focused on either direct ransom of information or theft of information for purposes of extortion. So a kind of a secondary, if you will, attack vector that is extremely successful. In a lot of scenarios organizations are often motivated to pay a relatively small ransom to get either their information back or to avoid the possibility of a public disclosure. And it eases the burden, so to speak on the attackers, so they don't have to necessarily find the crown jewel information in the organization; they just have to find any information that is somehow valuable to the business. And they can monetize that very rapidly.

Ronald Bushar: [00:06:27:20] So that's certainly a trend we've seen globally. We've seen an enormous rise in targeting obviously in Asia, Pacific region, especially more sophisticated actors targeting the back end banking infrastructure as well, so looking for those very large pay days with attacks with, you know the financial transaction back end things like SWIFT etc. So it's kind of a combination of what I would deem the front end attack that is rapidly monetizing data from a ransom perspective, and in the more sophisticated back end attack vectors that are really trying to compromise the infrastructure of banking in global financial services.

Ronald Bushar: [00:07:07:06] Another trend we've seen, which is actually a positive trend – and it might be correlated to the shift in tactics – but we've seen a very significant decline in the amount of time it takes organizations to detect an attack. We've seen this trend over the past four or five years of our reporting. So it used to be more than half a year of time between compromise and detection. We're now down to 79 days on average in the latest report. It's still too long but it's much, much improved, compared to years past. We attribute some of that to the relative investment and sophistication of cyber defense capabilities, especially global companies and organizations that are really focusing on cyber security as a business risk and investing more dollars, resources and time and effort in securing their infrastructure. But we're also attributing some of that decline to the fact that threat actors are really starting to become less concerned with how long they can stay in an environment, and more concerned with how fast can they get information, can access to it and monetize it in some way, again especially on the financial threat actors side of the house.

Dave Bittner: [00:08:19:12] That's Ron Busher from Mandiant. You can find the entire M-Trends report on their website.

Dave Bittner: [00:08:26:24] Looking at our CyberWire event tracker, a quick note on some upcoming events worth your attention. Tomorrow, ThreatConnect is holding a webinar on tailoring threat intelligence to fit an organization's needs. A week from this Thursday, on March 30, the Second Annual Billington International Cybersecurity Summit will meet in Washington. And on April 6 then May 5, senior executives will meet in Atlanta and Dallas, respectively, for the Cybersecurity Summit and you can see the CyberWire website for discount registration.

Dave Bittner: [00:08:56:07] Researchers have been looking at threats to infrastructure, and some of those threats might exploit old code written years ago in Cobol. While they acknowledge that the much-talked-about "Cyber Pearl Harbor" is at least a theoretical future possibility, concern about a Pearl Harbor shouldn't blind security officers and operators to an immediate, very real threat: targeted attacks against industrial control systems. Those have happened, and do happen, and, while they may be more limited in their effects than the continent-wide bolt from the blue people fear, they're serious, they're dangerous, and they're here today. In his Unfettered blog at Control Global, Joe Weis identifies eighteen countries that have sustained targeted attacks on control systems.

Dave Bittner: [00:09:40:03] Finally, you do all know that the Cyber 9/12 event held this past Friday and Saturday was a competition for student teams, not something that actually happened? And that the exercise scenario that posited a 2018 cyber conflict between the US and China was fictitious? That there's no imminent cyber war prompted by hacking back? That there are no cyber letters of marque and reprisal? We feel a need to say these things again, since some reaction to our accounts of the Atlantic Council's well-conducted event made us feel like Orson Welles and the Mercury Theater of the Air dramatizing "The War of the Worlds". And no, should you YouTube over to the Mercury Theater, Martian cylinders have not landed in New Jersey, either. We're reliably informed that New Jersey remains Martian-free.

Dave Bittner: [00:10:27:17] Now that we're clear that all this was an exercise, we note again how rich and well-structured the scenario was, and how effective it exhibited the risk of escalation through misunderstandings, incomplete information, and unintended consequences. But please do remember: it was, as Gilbert and Sullivan wrote, "merely corroborative detail, intended to give artistic verisimilitude to an otherwise bald and unconvincing narrative."

Dave Bittner: [00:10:56:05] Time for a message from our sponsor Palo Alto Networks, available at Organizations and their data are in the cloud, sometimes whether they know it or not, and the cloud is no longer just a convenient place that's somewhere out there to store things. Today it's an integral part of the way almost every enterprise level organization does business. Palo Alto Networks understands this. They also get the fact that your data and applications are distributed across the private cloud, the public cloud, software as a service environment, and any number of configurations in between. Make sure your data and apps are secure and protected wherever they may be. Palo Alto Networks offers the broadest most comprehensive cyber security for private cloud, public cloud and SaaS environments, because secure clouds are happy clouds. Find out how to keep yours happy at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:12:00:10] Joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland, and also Director of the Maryland Cyber Security Center. Jonathan, welcome back. I wanted to talk to you about this recent story that came by about a SHA-1 collision being found.

Jonathan Katz: [00:12:15:21] Yes this was certainly very big news. In some sense it wasn't very much of a surprise because the cryptographic community had known for a while that SHA-1 was in principle weak, and that there were better ways to find collisions than a pure brute force attack. Nevertheless, it was still considered to be quite difficult to actually go ahead and find that collision. And what these researchers had done is actually use both algorithmic improvements as well as the computational power available to them at Google, to go ahead and carry out the attack and find a collision.

Dave Bittner: [00:12:49:08] So what were some of the technical details behind this as a cryptographer that caught your eye?

Jonathan Katz: [00:12:55:05] Well a couple of things. First of all there was prior work showing Phoebe's theoretical vulnerabilities in SHA-1. And what these researchers had done was improve on those and reduce the costs of the attack further. And then it was really just impressive to see the amount of computational power that was available, that they were able to harness at Google. Those of the listeners who are more technically minded, they basically carried out about 2^63 SHA-1 invocations. That's an amount of work that for a while was considered at the edge of practicality, and I guess maybe still might be considered at the edge of practicality. But you can see that an organization with the resources of Google is able to carry out that amount of work to do an attack.

Dave Bittner: [00:13:38:21] 2^63, 2^64, whatever it takes, right?

Jonathan Katz: [00:13:41:18] Right, exactly.

Dave Bittner: [00:13:43:21] No SHA-1 has been deprecated and certainly the word has been out for a while that people who are using it need to move on SHA-2. But it seems like there are still plenty of instances where it's hanging around and lurking out there on the web.

Jonathan Katz: [00:14:00:08] Yeah that's right and I think this is going to be again a wake up call for people. It's not something which is going to have impact immediately, so the fact that these researchers have found a collision doesn't mean that these protocols using SHA-1 all of a sudden overnight become insecure, but it's again another warning that they really do need to start actively migrating away from SHA-1 to the alternatives like SHA-2, or even SHA-3, the recently standardized hash function.

Dave Bittner: [00:14:23:13] Jonathan Katz, thanks for joining us.

Dave Bittner: [00:14:28:03] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can protect you from cyber attacks, head on over to

Dave Bittner: [00:14:40:08] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.