The CyberWire Daily Podcast 3.29.17
Ep 316 | 3.29.17

Hybrid warfare objectives and tactics. Physical threats, lost and found. Vulnerability and threat recap.


Dave Bittner: [00:00:03:16] ITSEF offers a look at Russian hybrid warfare: it aims, experts say, at redressing the loss of the Cold War. Microsoft Internet Information Services 6.0 is found vulnerable to a buffer overflow attack. Cerber ransomware evolves to evade detection. There are bugs found in Siemens ICS products. VMWare patches some vulnerabilities and malicious USB sticks are strewn around a Canadian university campus.

Dave Bittner: [00:00:33:22] It's time for a message from our sponsor, Netsparker, you know, when you want automated security you want it to be automatic. Netsparker delivers a truly automated web application security scanner, it can be surprisingly labor intensive to scan websites and other solutions need a lot of human intervention. To take one example, with other scanners you have to configure URL rewrite rules to properly scan a website. Not with Netsparker. They say it's the only scanner than can identify the set up and configure its own URL rewrite rules. Visit, to see how Netsparker's no false positive scanner, frees your security team to do what only humans can. And don't take their word for it, if you'd like a free trial, go to and you'll get a 30 day fully functional version of Netsparker desktop. Scan your websites with no strings attached. That's And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:38:03] Major funding for the CyberWire podcast is provided by Cylance, I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, March 29th, 2017.

Dave Bittner: [00:01:47:15] SINET's 12th annual IT Security Entrepreneurs Forum, most often known by its acronym ITSEF, convened yesterday in Mountain View, California, with sessions continuing today. ITSEF describes its goal as bringing together policymakers and security technology innovators to discuss ways in which they can cooperate to the benefit of their stakeholders. We'll be publishing detailed accounts of this reciprocal illumination beginning tomorrow. But today, we've been hearing a great deal about Russian hybrid warfare. A panel of cyber threat, intelligence and foreign affairs experts was asked to comment on Russia's motivation and goals in information operations. The panel's take on the matter was brief, clear, and not offering much ground for hope.

Dave Bittner: [00:02:30:04] Russia, and in particular its president, resents its loss of position caused by the fall of the Soviet Union at the end of the Cold War. They seek to recoup their place in the world and regain the world's respect, which they believe has been damaged through the insult of defeat. They do not see a clear line between war and peace, they see themselves as always in a state of war with the US and Western Europe and that to fail to damage their adversary through cyber attack and especially information operations, would constitute negligence. They do not see the political, economic, and personal domains as distinct and will use cyber attacks to damage the opposition in any of those spheres. They make extensive use of criminal gangs, since, after all, economic damage to the enemy is counted a gain. And they have a long history of effective propaganda and disinformation.

Dave Bittner: [00:03:22:09] Coincidentally, the Finnish Security Intelligence Services have released their annual report on national security. The cyber threat, especially from Finland's large Russian neighbor, receives prominent attention and the report, linked in this morning's CyberWire Daily News Brief is worth checking out.

Dave Bittner: [00:03:39:08] A few new developments in the threat and vulnerability spaces have come to light at mid-week. Security vendor Trend Micro reports that Microsoft Internet Information Services, IIS 6.0 is vulnerable to a buffer overflow attack. This zero day is thought to have been exploited in the wild in July or August of 2016. Trend Micro also reports that Cerber ransomware has shown signs of evolution into a more evasive form: it now has loaders delivered by self-extracting Dropbox files which seem designed to avoid detection by machine-learning security tools.

Dave Bittner: [00:04:14:05] Researchers at the German security firm, Cure53, have disclosed bugs in Siemens RUGGEDCOM ROX VPN industrial communication endpoints and firewalls. There are no patches, but Siemens has issued advice on mitigating the vulnerabilities.

Dave Bittner: [00:04:30:10] VMWare has issued patches for moderate-to-critical vulnerabilities found in three of its products: ESXi, Workstation and Fusion. Users should heed the security bulletin.

Dave Bittner: [00:04:42:08] Election hacking, or at least a big compromise, has come to Hong Kong. The Chinese city's Registration and Electoral Office has disclosed that the loss of two laptops taken from a locked room in the AsiaWorld-Expo conference center exposed the personal information of some 3.7 million voters. The laptops are said to have been encrypted, but how strong that encryption might be is unknown.

Dave Bittner: [00:05:06:16] Many organizations are moving more and more of their IT infrastructure to the cloud and data security and compliance are an understandable concern. David Kidd is VP of Governance Risk and Compliance at Peak 10, a national IT infrastructure provider. He makes the case that shifting much of the burden of compliance to an outside cloud provider is worth a look.

David Kidd: [00:05:28:16] When you think about an IT professional and the burden they're under just every day, keeping systems up and running. IT professionals are systems guys, these are men and women that deal with technology and making new systems and making them work. They're not attorneys; they're not folks that are up on all of the latest regulations and up on those standards. The basic level and driver of IT professionals is always to push for the new technology and security professionals are a little more cautious as are the regulators that they have to answer to and those that define the industry standards that they have to answer to.

David Kidd: [00:06:12:09] So, when the technology guys that said, hey, this is some really neat technology, we want to play around with this and see what we can do," and looking at virtualization and cloud services and the flexibility and the ability to scale up and down and the disaster cover benefits of virtualization and living in the cloud, that was just really appealing to the technology guys. But with the security and regular folks, they took a look at this and said, "You know what, we're scared of this, this makes us nervous, we understand standards where we can look at the box and we can define the limits of the system, we know the limitations of the network and where those system boundaries are. We can look at physical storage and we understand those boundaries, but when you start talking at putting it in the cloud, that scares us, we're frightened of it." And they really said no and pushed back hard on that for a while.

David Kidd: [00:07:05:14] Some of that was internal with larger organizations particularly and some of that was external because frankly regulators did not understand the cloud in the early days. And over time, the financial sides starts to look at this and they were hearing about the benefits. Out here in the hallways, the conversations that as IT guys would have when they were excited about the new technology, they said, "Perhaps this was the refresh cost." It helps us with disaster recovery and makes that faster and cheaper because no-one could scale up and down on this, this business needs to change and that put some pressure back on the regulatory world and the security world to say, "You know what, they need to come up with a way to make this cloud work and work well and provide the security that we need." To be able to take a piece of that burden off of them and noted that to be underlying infrastructure, that they are building their systems on top of, is not only highly available and highly secure, but to know that in each regulatory requirements and industry standards, that they are beholden to, is an enormous relief because that's just one piece that they don't have to chase after and have to get up to speed on.

Dave Bittner: [00:08:25:23] That's David Kidd from Peak 10.

Dave Bittner: [00:08:30:09] Just as physical loss can pose a threat to data and systems, so too can things physically found. Canada's Carleton University sustained a ransomware attack in November 2016, but the university has now found another, hardware-delivered threat: USB sticks left strewn about the campus. The devices contain a keylogger. It's unclear whether there have been any successful infections and it's not known if there's any connection to last year's ransomware incident.

Dave Bittner: [00:08:58:23] And we close today's report with some sad news. Trend Micro's CTO, Raimund Genes passed away suddenly over the weekend at his family's home in Germany. He'd been one of those most responsible for building Trend Micro. He was well-liked and much respected in the security community and he'll be missed. He was only 54. Our condolences to his family, friends, and colleagues, as people who work in infosec look back at a life that, while too short, was nonetheless well lived.

Dave Bittner: [00:09:35:07] We'd like to thank our sponsor, Palo Alto Networks, you can visit them at clouds. When you move to a public cloud, like Amazon web services or Microsoft Azure, you share responsibility for security with your service provider. To do your share, you've got to protect your apps and data, wherever they are. Fortunately, with Palo Alto Networks you can do just that. Their next gen cloud security gives you complete visibility, so you can control your apps and reduce your attack surface. Palo Alto Networks has the broadest, most comprehensive cyber security for all clouds and software as a service environments. They know that secure clouds are happy clouds. Find out how to secure yours. Get started today at clouds. And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:10:32:20] Joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, we got a story that came by on Ars Technica about an IOT device, this is actually a teddy bear, from a company called Spiral Toys and the line of toys are called Cloud Pets.

Joe Carrigan: [00:10:49:18] Right, sounds like a great idea.

Dave Bittner: [00:10:52:14] There's an indicator right there, Cloud Pets, so we know what's going on with this. And I guess the notion here is that the stuffed animals could record some kind of a voice message from a grandparent and the voice would come out of the bear and the kids could record a message, and the grandparents could get the message out of the bear, and this all sounds fun and adorable--

Joe Carrigan: [00:11:14:18] And creepy. [LAUGHS]

Dave Bittner: [00:11:15:24] Yes, probably a little bit creepy but they had a problem because it turns out, over two million of these messages got leaked online.

Joe Carrigan: [00:11:23:23] Right and they were using a very secure password hashing algorithm called Becrypt. There is some debate about the security I've seen in the community about whether or not it's secure, but I like it and mind you, I'm not a cryptographer but one of the things I like about Becrypt is unlike other hashing algorithms you can make it more difficult as time goes on. So, it's pretty resistant to brute force cracking. However, these people at Spiral Toys didn't enforce a good password policy, so you could use a single character as your password. Well, it takes a very short amount of time to run through every single one character password and whatever percentage of people are using one character passwords, if those passwords are leaked, they're already known, they're known within seconds of those passwords being leaked. Because there are these password cracking tools, my favorite is called Hashcat, anybody can go out and download this, if you have a GPU, which is a graphics card for gaming, even a commodity GPU can crack passwords at an impressive rate.

Dave Bittner: [00:12:26:09] So in terms of these toys, then because of the allowance of weak passwords, are they just tossing random things into Hashcat, to see if they stick? How does it work?

Joe Carrigan: [00:12:36:21] Yes, well the first thing you do is you check the lists of known passwords, so every year somebody publishes the ten most common passwords and every year, one two, three, four, five, six is one of them. So that's the first one you guess and then you go through and you'll probably get, maybe .5 percent of the passwords will be cracked with that top ten list. But .5 Percent is a significant number of passwords that you can crack with the top ten list. And there are password lists that are hundreds long, ten thousand long, the top 10,000 passwords, you can just Google these and find them. You put them as an input file into Hashcat and it just goes through and brute forces the passwords using the list. Then you can apply other things could rules, like common substitutions. For example, instead of using an A, I'm going to substitute an “@” sign or maybe I'm going to substitute a four. I can find more passwords just because I've changed the word password to capital P-@-5-5-W-0-R-D that doesn't make it any more secure, it's still password and there's only a couple of rules I need to apply to crack that password.

Dave Bittner: [00:13:39:20] The lesson here that we come back to, many times, is you can't assume that any of these IOT connected devices are actually secure.

Joe Carrigan: [00:13:50:16] Yes, we get back to the same problem that we always talk about with the IOT and that's surface area. All you're doing when you buy these things and put them in your house is you're increasing your attack surface and how many different ways attackers have to exploit things that are on your network.

Dave Bittner: [00:14:05:23] Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:14:06:17] It's my pleasure.

Dave Bittner: [00:14:10:05] And that's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible. Especially to our sustaining sponsor, Cylance. To find out how Cylance protects you using artificial intelligence, visit Cylance dot com. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.