The CyberWire Daily Podcast 4.11.17
Ep 325 | 4.11.17

Word zero-day spreading Dridex. Password reuse bites Amazon third-party sellers. Mirai now mines Bitcoin. WikiLeaks, the ShadowBrokers, and war in Syria. Cyber first use. Crypto wars in Europe. Penn State prof takes Gödel Prize.


Dave Bittner: [00:00:02:21] There’s a Word zero-day spreading the Dridex banking Trojan. Amazon third-party sellers are bitten by reused passwords. IBM catches Mirai mining Bitcoins. Symantec discerns Longhorn tools in WikiLeaks' Vault 7. Tensions over Syria's civil war seem to be behind the Shadow Brokers' return. Germany considers a cyber first-use doctrine. Crypto wars flare in Europe. And a Penn State professor takes the 2017 Gödel Prize for his work on differential privacy.

Dave Bittner: [00:00:37:22] Time to thank our sponsor Palo Alto Networks. You can visit them at Software as a service applications are changing the way organizations do business as data now lives beyond the traditional network perimeter. What are you doing to keep your organization's data secure in this new environment? Palo Alto Networks helps organizations with complete sass protection providing detailed software as a service visibility and granular control, data governance, automated risk remediation and malware prevention. Palo Alto Networks offers the most comprehensive cybersecurity for all clouds and software as a service environments because secure clouds are happy clouds. Get started securing yours at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:41:08] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, April 11th, 2017.

Dave Bittner: [00:01:50:22] We begin with a few notes on cybercrime. The zero-day vulnerability in Word that's undergoing exploitation in the wild is now being used to distribute the Dridex banking Trojan. Many hope Microsoft will patch the flaw later today, but Redmond is still tight-lipped. Dridex, regarded as a more dangerous bit of malware than most, had of late been relatively quiescent until yesterday, when the SANS Institute and others observed a large spike in its distribution.

Dave Bittner: [00:02:18:06] Over at Amazon, third-party sellers are being hit with a wave of credential theft that's robbing them of the proceeds of their online sales. The criminals are said to be exploiting reused passwords they've purchased in various dark web markets. We heard from Chris Pierson of secure business network provider Viewpost, who notes that username and password credentials have been gossamer against fraud for years, He advises, really, seriously, and no-joke, to move to two-factor authentication.

Dave Bittner: [00:02:47:20] IBM researchers have discovered a new criminal purpose for the Mirai IoT botnet malware. It's now been adapted, by crooks, and set to the CPU-intensive task of Bitcoin mining.

Dave Bittner: [00:02:59:12] Symantec has picked over recent WikiLeaks dumps and concludes that tools revealed in Vault 7 were used in the Longhorn campaigns—some forty incursions into networks of sixteen countries. Again, Vault 7 purports to represent a leak of CIA hacking documents.

Dave Bittner: [00:03:17:12] Fighting in Syria, especially Assad's horrific use of nerve agent against largely civilian targets, has considerably heightened tensions between Assad's patron, Russia, and the West. The US and UK are taking a joint hardline toward Russia over Syria—that hardline is expected to include sanctions and has already included missile strikes against the Syrian regime's military installations. The conflict has its predictable accompaniment in cyberspace, particularly in information operations. The latest Shadow Brokers leaks seems obviously designed to advance Russian interests in Syria. The Shadow Brokers have long been regarded by close observers as a sock puppet on the hand of the Russian intelligence and security organs. But many continue to regard the Brokers as more mysterious than Muscovite. Whoever they are, they're very very disappointed in US President Trump and they're sounding more alt-right (for the moment) than alt-left. They're also moving in lockstep with Russian diplomacy.

Dave Bittner: [00:03:42:16] ISIS, which of course is one of the several parties fighting in Syria, seems to have expanded its recruiting pool. Catalan police have discovered online attempts by ISIS to actively recruit women.

Dave Bittner: [00:04:32:08] Germany's newly established independent military cyber force is expected to grow to an end-strength of 13,500 by July. Over the past weekend, German Interior Minister told the news service ARD that he wanted the Budestag to pass legislation that would permit the Bundeswehr to conduct first strikes in cyberspace in the event of clear, imminent, severe danger.

Dave Bittner: [00:04:57:00] There's a lot of momentum behind artificial intelligence and machine learning in cybersecurity these days. So much that it can be challenging to separate the marketing hype from reality. Dario Forte is founder and CEO of information security company DF Labs and he offers some insights.

Dario Forte: [00:05:14:14] The marketing bars and the marketing statements during the RSA, people were - and CISOs and other security professionals are starting to be concerned about what the draw will be after that automation and machine learning will take over. The good news is that there is the possibility to balance both needs, meaning that automation machine learning will be able to relieve security people from their routine tasks and or something that actually is time consuming for them in order to have them focused and concentrated on real important tasks and real important cyber investigation in this particular case. We conducted a reason to survey on many chief security officers in the Fortune 500 space. Some of them is in our advisory board. And we asked them several questions about how they consider automation and machine learning to solve their current problem.

Dario Forte: [00:06:22:04] The first one is that you cannot automate everything, especially in this particular period. There are some pieces of the incident response and security operation ecosystem, for example, that are still requiring human involvement. And the reason is very simple, you cannot trust a machine 100 percent, because if the machine is given the wrong input then the wrong output is consequential and the damage that could become from the wrong output could be even worse than the incident that you are investigating. So this probably one of the most important concerns to address and the solution for that is that keeping the human in the loop, so just being supported by automation, machine learning, is at the moment the best direction that CIOs and CISOs want to take.

Dario Forte: [00:07:19:03] The second concern is that if you rely too much on the machine, especially in data breach and incident response there are many legal implications, and should the CISO be asked to go in court to testify he cannot definitely take a machine as a support and/or expert witness. So machines are still required to help the human but not replace it.

Dave Bittner: [00:07:47:08] That's Dario Forte from DFLabs.

Dave Bittner: [00:07:52:01] The crypto wars are flaring again in Europe. Emmanuel Macron, candidate for the Presidency of France under the banner of the progressive, third-party movement En Marche!, makes some very tough promises to undermine widespread encryption should he take office. He regards the ability to read the encrypted comms of suspected terrorists as essential to the struggle against terrorism, and he would seek a coordinated EU campaign in which France would play a prominent part.

Dave Bittner: [00:08:18:12] The Wall Street Journal reports that an attack last July on the Union Bank of India closely resembled the phishing that compromised the Bangladesh Bank. The Bangladesh Bank SWIFT theft is generally attributed to the North-Korean affiliated Lazarus Group.

Dave Bittner: [00:08:34:14] Congratulations are in order to Penn State's Adam Smith, professor of computer science and engineering at that University. He's been awarded the 2017 Gödel Prize for his origination of the concept of differential privacy.

Dave Bittner: [00:08:49:14] Finally, to all the cybercriminals who may be listening, some news you can use: if you're under US indictment, don't vacation in countries that have extradition treaties with the US. Spanish police have alleged Kelihos botnet master Pyotr Levashov in custody. US authorities are dismantling Kelihos and all its works, and Mr. Levashov is expected to be facing the music stateside at some point after his interrupted holiday in Spain is over. And in Prague, extradition hearings are beginning for alleged LinkedIn, Dropbox, and Formspring breach-artist Yevgeniy Nikulin . So if you're on the lam from the Feds, think about visiting, say, Chad, Sudan, Eritrea, or North Korea. That's just a partial list—your travel agent should be able to advise you fully. Fly direct—no stopovers in, say, Guam—and happy landings.

Dave Bittner: [00:09:45:14] Time to take a moment to tell you about our sponsor, Control Risks. For 41 years, across over 130 countries, Control Risks has partnered with the world's leading companies to help them succeed in complex, physical, political, and virtual risk environments. They've been with their clients as risks have evolved from kidnapping in the jungles of Columbia to extortion by cyber attack. In an increasingly interconnected world, cyber risks are everywhere you operate. Control Risks has a comprehensive view of cybersecurity as a business risk within a context of geopolitical, reputational, regulatory, and competitive complexity, and thanks to their unique heritage they provide clarity and actionable guidance that only decades of risk experience can bring. Control Risks brings order to chaos. Let them show you what over 40 years in the risk business has taught them. Find out more at That's And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:10:52:12] And I'm pleased to be joined once again by Ben Yelin, he's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben of course a big story that came by recently was congress overturning the Internet privacy regulations allowing ISPs to sell some of our personal data. Give us the background on this.

Ben Yelin: [00:11:11:18] Sure, so in October of last year, the Federal Communications Commission promulgated a regulation prohibiting ISPs from selling personal information from their users. There's this little-used device, or at least it was little-used until this year, called the Congressional Review Act. Now, the way that this works is that Congress has 60 legislative days after a regulation has been published in the Federal Register to express its disapproval, and if both Houses of Congress express disapproval and the President signs it, that regulation is overturned. And that's what happened here.

Ben Yelin: [00:11:49:06] The impetuous behind this legislation was that the ISP's complained to members of Congress since the Trump administration that such a regulation would put them at a competitive disadvantage compared with what we call edge providers like Google and Facebook. Those companies are regulated by the Federal Trade Commission, they face less stringent requirements. These ISPs are under the authority of the FCC which has more stringent communications. I think the proponents are trying to argue just a simple case of there should be uniformity. My personal opinion is that argument is not well founded. You don't see any sort of effort at trying to develop a uniform policy between the regulations that exist at the FTC and at the FCC.

Ben Yelin: [00:12:37:15] One last thing I'll mention is the way the Congressional Review Act works. Once you overturn a regulation under the Congressional Review Act that agency is prohibited for a statutorily defined period from issuing a separate regulation that would do the same thing as the previous regulation. In other words now the FCC, no matter what happens through the next several years, will not be able to promulgate a similar regulation because this bill has passed. And it's a huge, huge loss for privacy advocates but a major win for the Internet Service Providers.

Dave Bittner: [00:13:13:05] This one is a real head scratcher because who would be for this, other than the ISPs, to be able to, you know, make a buck off of selling your personal information?

Ben Yelin: [00:13:22:06] I mean I think you answered your own question there. I think what we've seen in the public opinion polling is, you know, basically what you said. There actually is no real constituent interest in overturning this regulation. I think it's the industry and, you know, they can make all the arguments they want about how there should be uniformity and privacy regulations, that's fine and good but I think it at least appears that the true motivation is to sidestep these FCC regulations, to sell personal information to make a profit for the Internet services companies.

Dave Bittner: [00:13:55:17] All right, Ben Yelin, as always, thanks for explaining it for us. We'll talk to you again soon.

Dave Bittner: [00:14:02:09] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible especially to our sustaining sponsor Cylance. To find out how Cylance uses artificial intelligence to help protect you visit

Dave Bittner: [00:14:14:22] A quick reminder that we're partnering with our friends at Recorded Future to produce a new podcast focused on threat intelligence. It comes out once a week and we hope you'll check it out and help spread the word. You can search on iTunes for Recorded Future or visit

Dave Bittner: [00:14:31:05] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.