The CyberWire Daily Podcast 3.28.17
Ep 315 | 3.28.17

Updates on Cozy Bear and Shamoon tradecraft. Crypto wars flare in the UK. FBI warns of attacks against FTP servers. Typosquatting, scareware, and other problems.


Dave Bittner: [00:00:03:10] Cozy Bear slips through with domain fronting. Shamoon's infection methods are revealed. Crypto wars flare over not-so-lone wolves, but there are some genuine lone wolves out there as well. A networked sterilizer is, well, digitally unhygienic. search functionality is temporarily disabled, and remember, if you want to reach the G-men, it's, not .com.

Dave Bittner: [00:00:32:10] Time for a message from our sponsor Netsparker. Are your security teams deals with hundreds of vulnerability scan results? Netsparker not only automates scanning but it verifies the exploits it finds too. Reduce alert fatigue and improve security with Netsparker. Not only will your protection improve, but your costs will drop and that's a good deal in anyone's book.

Dave Bittner: [00:00:52:01] Netsparker's automated approach to web application scanning lets your security team concentrate on the things best left to the human beings. Find out more about Netsparker Desktop and Netsparker Cloud. Whether you're pen testing or securing your enterprise on line you need to check out Try it out free with no strings attached. Go to for a 30 day fully functional version of Netsparker Desktop. And by fully functional Netsparker means yes really actually truly fully functional. Scan the website with no obligation. Check it out at And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:39:08] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, March 28th, 2017.

Dave Bittner: [00:01:48:17] FireEye offers some insight into how APT29 evades detection It's also known as Cozy Bear, that is, by general consensus, Russia's FSB. The threat actor uses domain fronting to disguise traffic with the appearance of its being directed to a host allowed by network censors. Domain fronting has also been used by less sinister organizations to bypass government censorship. The technique is ambivalent; it can be used equally to protect people operating anonymously under conditions of repression, and to insinuate espionage tools on behalf of repression itself.

Dave Bittner: [00:02:21:18] Palo Alto researchers have determined how Shamoon spreads its destructive payload. Its operators use a mix of "legitimate tools and batch scripts" to download it to host names the attackers know exist on the target network. This had hitherto baffled observers, but Palo Alto and others continue to work through the attackers' tradecraft, and that tradecraft is becoming clearer. Shamoon, you will recall, was first discovered in use against Saudi Aramco in 2012.

Dave Bittner: [00:02:50:03] The reprehensible Westminster attacks in London have caused the crypto wars to flare in the United Kingdom. Home Secretary Amber Rudd called for restrictions on encrypted communications, particularly on services like WhatsApp. Her remarks came in a radio interview, but she appears at least for now to have joined US FBI Director James Comey among the crypto-skeptical dead-enders. Most industry observers think encryption solves far more problems than it creates, but it does at times give investigators problems, as it may have in the Westminster attacks. It still appears the perpetrator was less lone wolf than a loosely inspired cell member.

Dave Bittner: [00:03:30:04] Israeli police continue to investigate the motives of the man they arrested in connection with online threats against Jewish community centers in the US and elsewhere. This one does seem to be a genuine lone wolf; the disaffected individual acting out of some as yet undetermined personal grievance. Whatever his motives were, they're unlikely in the extreme to have included jihad.

Dave Bittner: [00:03:51:21] Two warnings are out to the health care sector. First, the US FBI has warned that malicious actors are attacking FTP servers to establish access to protected health information belonging to medical and dental patients. The motive is apparently a mix of extortion, harassment, and potential identity theft.

Dave Bittner: [00:04:11:07] Second – and this one's an IoT story – researchers at Schneider & Wulf have found that the embedded web-server in the Miele Professional PG 8528 is vulnerable to directory transversal attack. There's no patch, yet, so if you use one of the devices, your best bet for now is to disconnect it from the Internet. Observers have been noting the irony of a washer-disinfector used to sterilize biomedical instruments being the occasion of bad Internet hygiene.

Dave Bittner: [00:04:38:15] It's a pretty common security practice to use a VPN, a Virtual Private Network, to provide a secure connection to your enterprise network when working remotely. Brian Brunetti is President of Route1 and he says VPNs provide a false sense of security.

Brian Brunetti: [00:04:55:18] There's a lot of risk that goes with a VPN and a lot of trust. And that's where just blindly using VPNs is very concerning for us.

Dave Bittner: [00:05:04:22] Help me understand. So, it's not so much that the actual connection that the VPN is providing between the endpoint and the secure network is itself insecure, it's that that connection is happening at all that opens up the opportunity for insecurity?

Brian Brunetti: [00:05:23:05] That's right. So if we walk through the connection process, the first thing is that trusted network that you're going to connect to with your VPN client, they've had to open inbound ports on their firewall to facilitate a VPN connection. But ultimately I'd say the biggest risk with VPNs is, once that connection is established you effectively have full network access at that point. So wherever that user is, wherever they're connecting from, that trust that's been implied through the authentication process, that allows the network access and in both directions. So if that user is a malicious actor they now have the ability to introduce malicious things into the network. And conversely they now have the ability to remove things such as sensitive data and information from that network.

Dave Bittner: [00:06:20:09] And so take me through what are the types of things that you recommend?

Brian Brunetti: [00:06:23:07] The first piece is the authentication, and confirming the individual is who they say they are. We think that it's critical that you identify that the individual using that device is the appropriate individual and that they have the entitlements to do what you're about to grant them access to do. And then if what the user actually requires is that tele-working or mobility or that full desktop experience, there's ways to facilitate that where you don't need to provide them with a VPN. So as an example we have a technology called MobiKEY where it facilitates that secure remote access without opening up any inbound ports on the firewall and the way that that secure mobility is delivered is effectively that users provided the image or the screen of the desktop that they're controlling in the network, the secure desktop. And then we detect their typing and their mouse movements and we deliver that back to the secure desktop. So we provide the full capability to the user without any of those inherent risks of a VPN. So you're not dealing with data at rest or date in transit with that approach.

Dave Bittner: [00:07:42:12] That's Brian Brunetti from Route1.

Dave Bittner: [00:07:45:15] Microsoft has temporarily disabled the search option on, Redmond's publishing and file sharing service, out of concern that it could be used to trawl through published documents for sensitive information. Some observers see a problem in the service's default visibility setting, which is "Public". There are reports of compromises; users are cautioned to look at and reconsider their settings.

Dave Bittner: [00:08:08:23] Various bad guys are reported to be typo-squatting on the domain name FBI[.]com. Remember, the FBI is at, not .com. Thewhitehouse[.]com caused a similar flurry of misunderstanding a few years ago. It led not to the citizenship and policy material presented by the real site,, but to an enterprising adult site.

Dave Bittner: [00:08:34:11] And speaking of adult sites, iOS users visiting adult sites are being hit by scareware, the usual "you've been found downloading illegal content", and so on. The obvious defense is not to visit such sites, not that you would. And do remember that the consensus among experts concerning both ransomware and scareware hasn't changed: victims should not pay.

Dave Bittner: [00:08:55:10] Finally, the heart may have its reasons which reason knows not, but wow, sometimes the heart really goes off the rails (if we may mix metaphors). For your consideration: a US prosecutor – in Brooklyn, if you must know – who was involved romantically with a detective, forges a judge's signature on a surveillance warrant so she can spy on her rival in what appears to have been a love triangle. The next time your heart tells you to do something like forge a warrant, hack a device, go somewhere likely to be infested by scareware, surreptitiously install surveillance cameras, take it from our advice maven: don't listen.

Dave Bittner: [00:09:37:15] Time to take a moment to thank our sponsor Palo Alto Networks. You can find them at Public clouds like Amazon Web Services and Microsoft Azure are great business tools, but it can be easy to forget that when you use them security isn't just their job alone: it's a shared responsibility. And we know it's not always easy to share, but next generation cloud security can make it a lot easier. It gives you the visibility you need to control your apps and reduce your attack surface from the network to the cloud. With Palo Alto Networks you get the broadest, most comprehensive cyber security for all cloud and software-as-a-service environments. Make sure your apps and data stay secure and protected, your customers and stakeholders expect it. Secure clouds are happy clouds. Find out how to secure yours. Get started at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:10:40:02] And I'm pleased to be joined once again by Ben Yelin, he's a Senior Law and Policy Analyst at The University of Maryland Center for Health and Homeland Security. Ben, we find ourselves vising these online child pornography cases and as much as the subject matter maybe unappealing, the fact of the matter is that a lot of interesting legal things happen because of these cases. We've got a new one here from the Eighth Circuit Court. Bring us up-to-date on this one.

Ben Yelin: [00:11:06:21] So this comes from an individual in Nebraska named Michael Hyke. He was convicted of multiple child pornography related crimes, and it all stemmed from an investigation by the federal government using a network investigative technique. Mr Hyke was using a Tor network. I think he was an IT administrator and as we know you have to have a relatively sophisticated amount of knowledge to operate the Tor network. He used that network to obscure his IP address and to access child pornography. What he has said in his defense is that the evidence gained from the original investigation has gone stale and there's not enough hard evidence to prove that he himself was the person who accessed this pornography and who downloaded it on his computer.

Ben Yelin: [00:11:57:24] As part of his defense he said his daughter was also home. He also said that this was an unsecured wireless network so potentially one of his neighbors or somebody walking down the street could have accessed this information.

Ben Yelin: [00:12:10:14] The prosecution has said because this person has specialized knowledge and knows how to access the Tor network, that's what makes him a particularly prime suspect. That in and of itself is sufficient evidence. So we see this situation where a person's professed knowledge, and he admitted that he had knowledge of Tor networks, ends up really hurting him in a court of law because the very evidence that he knows how to use it, he knows the complicated procedures that go into accessing these websites are one of the reasons that the Federal Government has good evidence on him.

Dave Bittner: [00:12:47:01] And so where does it go from here?

Ben Yelin: [00:12:48:12] Now that the evidence has not been squashed, his conviction will be upheld and his only option at this point is to appeal the case to the United States Supreme Court. This was a federal case, made it into the Eighth Circuit, you know I have no idea whether this issue is novel enough for the Supreme Court to consider it, but even so I think the defendant's legal case here is not very strong. I mean as a user you have to download special software, once you have that special software you can't just do a Google search and end up on one of these websites. You have to know exactly where to look. You have to know the Internet forum where people posts, the text files that give you instruction on how to use the Tor network to access these devices.

Ben Yelin: [00:13:34:05] Even if the evidence itself was stale that's not in itself enough reason for it to be unreliable and, again, it was the evidence that this defendant himself had intimate knowledge of how the Tor networks worked, that particularly implicate him in downloading child pornography.

Dave Bittner: [00:13:51:09] So another lesson is you're likely not as anonymous as you may think you are.

Ben Yelin: [00:13:56:07] Absolutely. I mean now that the government has learned how to deploy these network investigative techniques it really cuts into the effectiveness of the Tor network. I mean you can't fully obscure your IP address anymore. We know that the government has employed this NIT playpen and this is the second website, paedoboard, that I've heard of where they've employed this technique. And now that they know it's such an effective tool I'm sure they're going to be using it on any site they can possibly find.

Dave Bittner: [00:14:24:10] Ben Yelin thanks for joining us.

Dave Bittner: [00:14:27:21] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible especially to our sustaining sponsor Cylance. To find out how Cylance can protect you from cyber threats point your browser to

Dave Bittner: [00:14:41:17] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.