The CyberWire Daily Podcast 4.18.17
Ep 330 | 4.18.17

Karmen in the black market. Homograph vulnerabilities. Vault 7 and ShadowBrokers updates. Hacks and missiles. Competing for botnets.


Dave Bittner: [00:00:03:16] Karmen hits the low-end ransomware-as-a-service market. Homograph vulnerability proof-of-concepts are revealed. A Jihadist infosec service advises good cyber hygiene for terrorists post-Vault 7. The Shadow Brokers try to drag a red herring, actually a bad frog, across their tracks. Hopeful speculation continues that the US hacked North Korea's missile test last weekend. And you're not going to get rich by using security cameras to mine Bitcoin.

Dave Bittner: [00:00:36:03] Time to thank our sponsor, Palo Alto Networks. You can visit them at Software-as-a-service applications are changing the way organizations do business as data now lives beyond the traditional network perimeter. What are you doing to keep your organization's data secure in this new environment? Palo Alto Networks helps organizations with complete SaaS protection, providing detailed software-as-a-service visibility and granular control, data governance, automated risk remediation and malware prevention. Palo Alto Networks offers the most comprehensive cybersecurity for all cloud and software-as-a-service environments, because secure clouds are happy clouds. Get started securing yours at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:39:18] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, April 18th, 2017.

Dave Bittner: [00:01:50:11] Recorded Future reports discovery of "Karmen," a low-cost ransomware-as-a-service product being hawked in the dark web market by DevBitox, described as "a Russian-speaking cyber criminal." Karmen is derived from Hidden Tear, an open-source encryption project, coded by an unknown author in Germany and available to anyone. Karmen is both cheap, $175, with free upgrades, and it's devious: it will delete its own decryptor if it detects the victim sandboxing or analyzing it. DevBitox isn't getting rich; he or she has sold twenty copies and has just five more left in inventory.

Dave Bittner: [00:02:29:22] Some browsers are reported vulnerable to homograph attacks, in which malicious sites spoof ("undetectably") safe, legitimate ones. The problem is so far a proof-of-concept by researcher Xudong Zheng, who informed Google and Mozilla of the issue back in January. The problem lies in the rendering of Punycode characters in a URL as Unicode characters, which opens the possibility that one could be spoofed into browsing over to a malicious site without realizing it. Chrome, Firefox and Opera are said to be vulnerable to such homograph attacks. Mozilla released a workaround mitigation for Firefox and Google has fixed it in Chrome Canary 59, with a permanent patch planned this month for Chrome Stable 58.

Dave Bittner: [00:03:12:17] For soldiers on the battlefield, men and women on the ground, the special operations folks and other forward operating personnel, it's become increasingly common for them to receive feeds of information that may come from drones, for example. Bill Anderson is CEO at OptioLabs, and one of their areas of expertise is securing those battlefield mobile devices.

Bill Anderson: [00:03:33:21] Their device of choice is typically a secure Android device. The challenge is how do we ensure that those mobile devices that the operations teams are running around with are actually secure and they're reliable and they're as productive as can be, and they also don't put personnel in danger?

Dave Bittner: [00:03:57:20] Can you give us an example? What do you mean by danger?

Bill Anderson: [00:04:00:09] You know, who has not done this? You're fumbling around with your phone and you stick it back in your pocket, and then your colleague looks over and says, 'hey, you've got your flashlight turned on.' No big deal if you happen to be sitting in an office meeting. If you're on the battlefield and it's dark and you turn on the flashlight on your special rugged Android phone by accident, that makes you a target and, by the way, there's no simple way through software of ensuring that those flashlights are off. That's one of the things we do, is we give the enterprise the controls to be able to say here are the things you're allowed to do when you're on a mission.

Bill Anderson: [00:04:40:00] So when you're on a mission you're able to see the secure drone feed, you're able to run the secure drone application, but no Bluetooth, no Wi-Fi. You can't tell your true location through GPS. You can't take updates over the air that would affect the operating system. You can't make noise. Instead there's a whole bunch of controls that you want to apply that are mission specific, that will keep that guy productive. In our case the problem that you're looking at is how do we make sure that the individuals on the battlefield who are actually consuming that information are as safe and productive as possible?

Dave Bittner: [00:05:18:06] I mean, it sounds to me like what we're really talking about here is securing the Android device itself, and so the Android device may be the weakest link in the chain.

Bill Anderson: [00:05:27:15] It is invariably the weakest link in the chain. If you were to tell me that there was no malware [LAUGHS] or weaknesses on my Android phone, I couldn't take your word for that, because we have seen them. In fact we continuously see them. They're there. The Android platform is an incredibly broad, deep, promiscuous networking device with many, many sensors, many, many interacting software systems that are built by different vendors, and many vulnerabilities. And so, when you have operations folks running drones, running around on the ground, you need to make sure that everything works right. You need to go well beyond taking an off-the-shelf device if you really want those guys to be safe.

Dave Bittner: [00:06:14:04] That's Bill Anderson from OptioLabs. Catching up with news about the two recent tranches of leaks that have hit the Internet with considerable éclat recently, we turn to WikiLeaks' Vault 7, which purports to disclose CIA cyberespionage campaigns, and the Shadow Brokers' Good Friday release of alleged NSA material. The US Intelligence Community, for obvious reasons, has no official reaction to either incident, but the consensus among observers is that both dumps appear to contain material stolen from the IC.

Dave Bittner: [00:06:47:16] Flashpoint has looked at the former set of leaks and they've paid particular attention to how the jihadist infosec group Horizon is reacting to Vault 7 on the dark web. Horizon is a group roughly aligned with ISIS that offers counsel on how to communicate online without compromising yourself to the civilized world's intelligence and police services. ISIS adherents are being advised that two of their favorite communication tools, Telegram and WhatsApp, may be vulnerable to interception. It seems doubtful that Horizon will have better luck instilling sound OPSEC and digital hygiene into the terrorist pool than legitimate enterprises have.

Dave Bittner: [00:07:25:10] Turning to the other big release, the Shadow Brokers' dump is thought by many to be bad news and worse optics for the US Intelligence Community. Both SWIFT and Microsoft are reassuring users that their systems are now safe against the exploits the Shadow Brokers' documents describe; many observers note Microsoft's quietly proactive pre-leak patches last month. Motherboard notes an oddity that many others have overlooked: the Shadow Brokers' password to access their stolen files is a typographic squeal associated with bad-boy meme Pepe the Frog. Thus do the Brokers associate themselves with the alt-right, continuing their fitful but longstanding pose as hacktivists motivated by a touch of profit. Pepe has appeared before in Russian information operations, and so here again many will find evidence of Moscow's involvement in the doxing.

Dave Bittner: [00:08:17:21] Reactions to both Vault 7 and the Shadow Brokers have shown concern about US intelligence services' ability to conduct cyberespionage, which is a reasonable enough concern if one is a potential foreign target of collection. But the surprise that intelligence services collect foreign intelligence does seem either naive or disingenuous, or some mix of the two. Such collection is, obviously, what intelligence services do.

Dave Bittner: [00:08:42:20] Speculation continues that the US hacked North Korea's weekend missile tests. The source of this hopeful talk seems to be former UK Foreign Secretary Sir Malcolm Rifkind. The lad-mag Maxim, of all places, has put on its patriotic epaulettes and is swaggering in the face of Supreme Leader Kim. While any thinking person in the civilized world would be likely to welcome cyber disruption of Pyongyang's nuclear delivery research-and-development, it's important to stress that this appears to be a priority speculation. Nonetheless the possibility bears watching.

Dave Bittner: [00:09:17:04] A quick congratulatory shout-out to the University of Maryland, Baltimore County for taking home the Alamo Cup from last week's National Collegiate Cyber Defense competition in San Antonio, Texas. Bravo Zulu, Cyber Dawgs.

Dave Bittner: [00:09:31:14] Finally, we return to the world of on-line crime. Mirai apparently has a competitor. "Hajime" has been found in the wild by security researchers from DDoS protection shop BackConnect. Hajime has been competing for bots with Mirai for about six months, although to what end remains unclear, since the botnets it's been assembling haven't so far, according to BackConnect, been used to conduct denial-of-service attacks. BackConnect finds Hajime "much more sophisticated" than Mirai, especially with respect to its command-and-control. So what's Hajime up to? It's not clear, but it's probably not mining Bitcoins. Errata Security has posted an analysis of recent claims that Mirai is being used to do exactly that, and Errata Security thinks this is unlikely. By their calculations, if all the two-and-a-half-million devices McAfee estimated were infected with Mirai were set to work mining cryptocurrency, they'd be earning the botmasters twenty-five cents a day, and Errata Security sniffs at this amount as "a joke." Well, if you're as rich as Errata, maybe you don't need the cash, but over the course of a year that would pull in $91.25, which is a zero-labor alternative to the lemonade stand we ourselves were considering.

Dave Bittner: [00:10:49:14] Now a moment to tell you about our sponsor Control Risks. You know successful companies look for opportunities in new markets but where there's opportunity there's risk. Whether you want to move your client data to the cloud, bring an office on-line in China or acquire a competitor in Colombia, keeping your information secure is paramount. To do that your cybersecurity decisions must be aligned with your business strategy, driven by reducing your risk. In such complex environments, there's no substitute for expertise on the ground. With over 2500 employees and 36 offices around the world, Control Risks can help you assess the risk to your business, mitigate what you can and properly manage the rest, as they have for over 40 years. If you need to get a handle on your cyber risk in an emerging market Control Risks will meet you there. You can find out more at That's Check it out. And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:11:57:14] And I'm pleased to be joined, once again, by Dr. Charles Clancy. He's the Director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. We wanted to talk today about the Vault 7 and the Shadow Brokers releases of information and really you wanted to contrast the two of them.

Dr. Charles Clancy: [00:12:14:17] I think it's important to understand, when you hear about all these leaks of cyber capabilities from now both NSA and CIA, that there's a difference between leaking tactics, techniques and procedures, or so-called TTPs, versus the actual tools themselves, the actual code behind zero-day exploits, for example. So if you look at a lot of the data that's been released so far, particularly in the Vault 7 leaks, it's been mostly documents, PowerPoint, that really talk about how the CIA does what it does, and based on that some security companies have been able to fingerprint certain TTPs and attribute, with some degree of confidence, a wide range of hacks across the world to the Vault 7 TTPs.

Dr. Charles Clancy: [00:13:03:06] Shadow Brokers, on the other hand, is more than that; it includes a lot more than source code, which has an even greater devastating impact, because now you're not just fingerprinting attacks and building defenses against the techniques and procedures that have been used, but you actually can build specific malware identifiers and hashes that can be used to detect and block the actual exploits themselves. There's a lot of debate ongoing right now as to the total impact. I think the folks that are in the trenches in the intelligence agencies who work with these problems would claim that there is a huge impact to national security as a result collectively of these leaks. But at the same time, there are plenty of unpatched computer systems out in the world and there is lots of opportunity to be had just doing basic run-of-the-mill phishing attacks against unpatched Windows computers, which remains the largest threat surface that hackers, whether you're part of an intelligence agency or organized crime, leverage today.

Dave Bittner: [00:14:00:04] While these releases of information are certainly interesting and damaging, sometimes the old-fashioned ways are the easiest ways in.

Dr. Charles Clancy: [00:14:07:18] [LAUGHS] Indeed. So for those that are looking to have a good defense against these sorts of things, please just keep your software up to date, have antivirus installed, and basic cyber hygiene will win out most of the time.

Dave Bittner: [00:14:21:11] Alright, Dr. Charles Clancy, thanks for joining us.

Dave Bittner: [00:14:26:14] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance uses artificial intelligence to help protect you visit The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.