The CyberWire Daily Podcast 3.22.17
Ep 311 | 3.22.17

Laptop restrictions are for physical, not cyber reasons. Necurs is back, pumping and dumping. MajikPOS notes.


Dave Bittner: [00:00:03:15] Laptop flight restrictions spread as security services continue to grapple with ISIS inspiration operations. The Necurs Botnet returns but now it's swapped pump and dump scans with penny stocks for its usual ransomware payloads. MajikPOS is active in the North American wild. And the Bangladesh bank hack looks like it may have been a North Korean job.

Dave Bittner: [00:00:31:02] Time for a message from our sponsor Dragos Incorporated. If you operate industrial control systems you owe it to yourself and your stakeholders to get to know Dragos. They've got a new white paper, Insights For Building An ICS Security Operations Center, and it's fair to say you won't find their perspective elsewhere. You can find it on their website,, and while you're there check out the three pronged defense they offer infrastructure operators. Cybersecurity technology, expert services for recovery or threat hunting and timely threat intelligence focused on the bad actors who threaten industrial control systems. Whether you operate in the electrical power, water or oil and gas utility sectors, Dragos has something valuable for you and your security. Again, that's, For your industrial control system cybersecurity peace of mind. And we thank Dragos for sponsoring our show.

Dave Bittner: [00:01:34:23] Major funding for the CyberWire podcast is provided by Cylance, I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, March 22nd, 2017.

Dave Bittner: [00:01:44:19] Yesterday's news of US restrictions on carry on electronics in flights originating from a specified number of Middle Eastern airports is echoed today with similar news from the UK. The prohibitions bar large devices, like laptops, generally things larger than mobile phones, from being brought into the passenger cabin, they must go as checked baggage. The UK's ban affects airports in Tunisia, Turkey, Lebanon, Saudi Arabia and Egypt. The UK referenced only "evolving terrorist threats," the US cited intelligence indicating jihadist plans to conceal explosives in electronic devices. Again, both country's restrictions affect only flights originating in a relatively small number of Middle Eastern airports.

Dave Bittner: [00:02:30:07] French police make arrests in connection with the weekend attack at Orly Airport. Police, researchers, policy makers, grappling with the threat from ISIS, continue to look for ways of countering the effects of online inspiration on lone wolves. An op-ed in the Hill argues that the civilized world is losing the cyber war to ISIS, the editorialists mean ISIS information operations continue to succeed, and that to win the civilized world needs to emulate some of ISIS's more successful tactics. And before they do that, the civilized world's information operators need to buck up on their language skills and learn something about the appeal ISIS makes in the name of Islam.

Dave Bittner: [00:03:10:20] Turning to the conventional criminal threat, researchers have observed that spam surged this week after a global drop off dating to mid-December of 2016, the December to March hiatus occurred when the Necurs botnet ceased activity. Apparently at its master's command. Its sudden return seems due to a pump and dump penny stock campaign. Naked Security says the attempted manipulation involves InCapta Inc., a pink sheet listed media company, but the scam seems to be a third party caper. The typical features of pump and dump spam are all there, the scammers tout penny stock trading over the country, and, in an email sent to thousands, they warn you that this tip is a big secret, don't tell anyone. Fraud experts say, "don't bite."

Dave Bittner: [00:03:57:11] Necurs had formerly been used mainly to distribute ransomware, this reappearance of the criminal botnet with a new purpose doesn't mean that ransomware is yesterday's news, the SANS Internet Storm Center continues to track the new Cerber infestations daily. And researchers note that both Cerber and the fading Locky ransomware variants are growing harder to detect.

Dave Bittner: [00:04:20:07] Norwich University is a private military college located in Vermont, and it's the oldest private military college in the United States, having been established in 1819. They're home to the Norwich University applied research institute, funded in part by DHS and DOD. One of their specialties is cyber war gaming and simulation, using a platform they've developed called Decide FS. Philip Sussman is President of the Norwich University Applied Research Institute.

Philip Sussman: [00:04:50:05] So, the Decide Platform, it's distributed environment for critical infrastructure decision making exercises, so the first D in Decide is distributed, and when we run an exercise we have participants in that particular exercise from four continents that played simultaneously in the event. So, you as an organization, can play as you fight, and it allows you to have one large bank, let's say, or a brokerage firm or exchange, and be able to distribute themselves across multiple organizations, because that's exactly how they're organized. If something takes place in the marketplace today and you have to respond, your IT folks may be in one state, your public relations folks in a different headquarters, or the main office where the leadership is is some place else, and so, the capability of the tool set is to allow you, as an organization, to play in different ways. It's a virtual tool set, it's served from the cloud, and it's not focused as much on the bits and bytes, what am I seeing on the wire, it's focused on what are the impacts for my business. And based upon the impacts on my business and the indicators that you would expect within your particular role, and that's the critical piece of what we're doing here. We're putting in front of the leadership a set of challenges that would be reflective of what you would see within a cyber event. There's going to be some messaging that takes place, there's going to be some indicators and warnings that take place, we attempt to create decision tension within the individual participants of the exercise and get them to exercise their internal communications, their incident response plan, and get to that decision tension that allows both the organization, everyone in the organization to know what they're going to do when they face a cyber event, but also to be introspective of whether or not the way that they're organized, not only from a cyber perspective but from a business model prospective, is in the best interest of their risk posture.

Dave Bittner: [00:07:02:11] That's Philip Sussman from Norwich University.

Dave Bittner: [00:07:06:13] In the US, online tax fraud is in full swing. The IRS and the Department of Education have suspended the online Federal Student Aid Tool, that's the FSA, because the IRS system on which it depends, the Data Retrieval Tool, may be exploitable to gain information useful in identity theft. The Data Retrieval Tool has itself been suspended as well.

Dave Bittner: [00:07:29:13] MajikPOS, a new strain of point of sale malware, has been observed circulating in North America, we've heard from several experts who commented on the threat. Brian Laing, of Lastline, offers some encouragement. While more advanced than some of its precursors, MajikPOS is detectable by monitoring network traffic for anomalous behavior. He also cautions, "each time there's a breach like this where public samples are available, companies need to verify that their advanced malware protection is capable of detecting the new threat."

Dave Bittner: [00:08:02:04] Robert Capps, from NuData Security, reminds us that stolen credentials are the black market's preferred currency. MajikPOS is after valid consumer data that can be used in future crimes.

Dave Bittner: [00:08:14:10] US armed services are looking for ways of punishing bad online behavior. Whatever they come up with will no doubt fall under Article 134 of the Uniform Code of Military Justice.

Dave Bittner: [00:08:26:01] And the NSA has offered its conclusions about the Bangladesh Bank heist of February, 2016. As many others have speculated, NSA thinks that signs point to North Korea.

Dave Bittner: [00:08:41:09] Time for a quick thanks to our sponsor, Palo Alto Networks, you can visit them at Businesses and their data are heading to the cloud in record numbers, making the cloud an integral part of almost every enterprise level organization. Palo Alto Networks understands this. Along with the fact that your data and applications are distributed across the private cloud, the public cloud, software as a service environments and any number of configurations in between, make sure that your data and apps are secure and protected wherever they may be. Palo Alto Networks delivers the broadest, most comprehensive cybersecurity for private cloud, public cloud and SaaS environments. Secure clouds are happy clouds. So, find out how to secure yours, get started today at And we thank Palo Alto networks for sponsoring our show.

Philip Sussman: [00:09:40:06] Joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, welcome back, not too long ago Cloudflare had what we in the biz call a very bad day, I wanted to swing back around and discuss that with you. There's some interesting lessons here to be learned from what happened to Cloudflare.

Joe Carrigan: [00:09:58:13] They're a web hosting company.

Dave Bittner: [00:09:59:09] Yeah.

Joe Carrigan: [00:09:59:14] And they're a big one. They handle about ten percent of the Internet's web traffic, and recently they had a bug in their code that allowed information to be leaked. It was found by a researcher at Google. Yeah, they're calling it Cloudbleed, because it is reminiscent of the Heartbleed vulnerability from a couple of years ago. The problem is, a Boolean operator in the code, somebody used a greater than or equals to as opposed to an equals to, and that allowed more information to come out. I'm not sure of all the technical details but it certainly seems like something very similar to the Heartbleed where you could ask for more characters than you said you wanted and it would just dump memory back to you in the response.

Dave Bittner: [00:10:39:23] Yeah, so it's a memory leak.

Joe Carrigan: [00:10:41:10] Right, exactly. And, you know, these Boolean operators in code, you could be reviewing the code and look at it and say, this should work just fine, because you're not considering the edge case where somebody is asking for more information than they should be asking for, and the program will give it to them. In fact, these Boolean operator errors, there was, back in I think 2005, there was a back door found in the Linux Kernel that was from a very similar operator, but, the problem is that in C the Boolean operator for equals is two equal signs, but the assignment operator is just one equals sign. So if you're just reading it casually you might not notice that that's an assignment operator and not a Boolean operator. And I'm quite sure the same thing happened here, if you're looking at greater than or equals to versus equals to, which is again two equal signs, you could just gloss over that and not even see that it's an error.

Dave Bittner: [00:11:36:06] And so it'll make it through testing and certainly this system has been deployed for a while before anyone noticed there was a problem.

Joe Carrigan: [00:11:43:13] Yep, exactly, it'll make it through testing and code reviews just fine.

Dave Bittner: [00:11:46:13] So, they're saying that one out of every 3.3 million requests through Cloudflare potentially resulted in a memory leakage?

Joe Carrigan: [00:11:53:05] Correct.

Dave Bittner: [00:11:53:14] That sounds like an uncommon thing, but, when you're talking about a provider as large as Cloudflare it adds up.

Joe Carrigan: [00:12:00:10] Right. But that's 3.3 million requests, and how many HTTP requests are on the internet every day and what's ten percent of that number? I'll bet that's a big number.

Dave Bittner: [00:12:10:03] Yeah. It does add up. So, it's interesting, I mean, you know, the other thing you and I talk about a lot are passwords, and they're saying change your passwords.

Joe Carrigan: [00:12:20:15] This is the host for companies like Uber and Okay Cupid and some other big names, you know, I'm not sure that I would be-- I wouldn't be in a panic telling people to go out and change their passwords, but you certainly cannot hurt yourself right now by changing your password. You can never hurt yourself by changing your password. If you follow my frequent advice of using a password manager, it's very easy to do.

Dave Bittner: [00:12:44:14] Right. Get yourself on whatever schedule to change those passwords.

Joe Carrigan: [00:12:49:12] And then when you have an event like this just go out and make sure you can change your passwords again.

Dave Bittner: [00:12:54:06] All right. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:12:55:23] My pleasure, David.

Dave Bittner: [00:12:59:10] And that's the CyberWire, thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance uses artificial intelligence to protect you from cyber attacks visit The CyberWire podcast is produced by Pratt Street Media, our editor is John Petrik, our social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.