The CyberWire Daily Podcast 4.19.17
Ep 331 | 4.19.17

Vigilantes in the IoT. Bad actors find a friend in the ShadowBrokers. BankBot is back in the PlayStore. Pixel-tracking for target recon. A very big Oracle patch.


Dave Bittner: [00:00:03:10] There's a new vigilante in the IoT (and vigilantism still isn't a good idea). The industry pores over the most recent Shadow Brokers' files and doesn't like what it sees. BankBot is back in the Play Store with Trojanized video apps. Attackers are seen using pixel-tracking for target recon. And Oracle issues a very big patch.

Dave Bittner: [00:00:29:00] We'd like to take a moment to thank our sponsor, Palo Alto Networks. You can find them at

Dave Bittner: [00:00:38:00] The use of software-as-a-service application takes data security beyond traditional network perimeters. SaaS environments can create gaps in security visibility and pose new risks for threat propagation, data leakage and regulatory non-compliance. With Palo Alto Networks' integrated platform, you get detailed software-as-a-service visibility and granular control, data governance, automated risk remediation and malware prevention. So, your organization can achieve complete SaaS protection. With Palo Alto Networks, you get the broadest most comprehensive cybersecurity for all cloud and SaaS environments. Make sure your apps and data stay secure and protected. Remember, secure clouds are happy clouds. Find out how to secure yours at: We thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:39:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, April 19, 2017.

Dave Bittner: [00:01:49:00] Vigilantes we could all probably live without are riding through the Internet-of-Things. Two weeks ago it was BrickerBot, which Radware caught in a honey pot and described as malware that sought out and permanently disabled, or "bricked", IoT devices vulnerable to infection by Mirai because of their default passwords or otherwise slipshod installation. There's now apparently another vigilante working the Internet-of-Things, the Hajime botnet. We noted yesterday that Hajime's purpose was unclear since the botnet hadn't been implicated in any denial-of-service attacks. It seems to be a Mirai competitor that would bull its way into devices susceptible to Mirai infestation, but then do, well, really nothing in particular. Now, Hajime's purpose may be growing clearer. It's less destructive than BrickerBot, but it's arguably still a misguided freelance attempt to do something about Mirai.

Dave Bittner: [00:02:44:09] Hajime, which has infected at least 10,000 networked cameras, home routers, and other devices, uses a decentralized peer-to-peer network for its own command-and-control traffic, which makes it relatively resistant to takedown by service providers. It's accompanied by a cryptographically signed statement which reads, according to Ars Technica, as follows, "Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author. Contact closed. Stay sharp!"

Dave Bittner: [00:03:16:24] Hajime's name is said to mean "beginning" in Japanese, and researchers take this as an oblique reference to Mirai, whose name means "future." Hajime was first noticed in the wild last October by Rapidity Networks. October 2016, of course, is when Mirai famously took down Dyn, and with Dyn much of the Internet in eastern North America.

Dave Bittner: [00:03:40:00] Symantec, which has been tracking and doing much of the research on Hajime, notes that the worm secures the device it hits by blocking access to ports that host many exploitable services. It also takes measures to operate stealthily and, of course, for now at least, it doesn't appear to be capable of initiating a DDoS attack, but that's dependent upon the current restraint of the author, and on the author's ability to maintain control of Hajime's code.

Dave Bittner: [00:04:07:06] Here's the problem, lest one be tempted to applaud Hajime and its grey hat author, what it's doing is illegal in most jurisdictions, and it's also unlikely to seriously interfere with Mirai. As Symantec notes, Hajime has no persistence. It lives in a device's RAM and is washed out with each reboot. So, on balance, it would seem that Hajime is part of the problem, not the solution.

Dave Bittner: [00:04:32:16] Industry continues to pore over last Friday's Shadow Brokers' leaks, which the Brokers claim disclose NSA hacking tools. Consensus holds that some of the attack code does indeed represent a threat, as it's now open to hacker use in the wild. Some observers think the incident should prompt re-evaluation of the U.S. Intelligence Community's Vulnerabilities Equity Process. If the leaks are genuine, they argue, there's no safe place to keep zero days, but it would seem naïve to expect intelligence services anywhere to forswear productive collection techniques even in the cause of herd immunity. Rapid7 advises patching, and thinking hard about securing end-of-life systems you can't do without. Where the Shadow Brokers got their wares remains unknown. The same might be said for WikiLeaks and Vault 7. Presumably, investigation is underway.

Dave Bittner: [00:05:27:10] We've covered the ongoing acquisition of Yahoo! By Verizon and specifically how revelations of major breaches affected the price Verizon was willing to pay, lowering it by hundreds of millions of dollars. Companies are realizing that due diligence in the cyber realm is a critical part of mergers and acquisitions. Greg Reber is CEO of AsTech Consulting. They provide a variety of risk management and security services including M&A security due diligence assessments.

Greg Reber: [00:05:55:02] What we're looking at now is there is more and more interest in acquiring companies, being interested in the IT and the information security stance of an acquired company, but what kinds of risks are inherited from cybersecurity or general IT standpoint?

Dave Bittner: [00:06:17:02] When people don't do the kind of due diligence that you're talking about, why do they make that choice?

Greg Reber: [00:06:26:06] In some ways, they don't know that it's a possibility to find security vulnerabilities before an acquisition: before things actually get to signing. In other cases, they're not incented to do that because they believe they have insurance cover, reps and warranties coverage that, if something comes out, then there'll be an insurance that kicks in. This is a very nascent market for that type of insurance, there's a lot of misunderstandings about what is covered and what is not, but it's a risk distribution. They're taking their own risk of this acquiring company and moving it to an insurance company, but in more and more cases, reps and warranties insurance is not mature enough to really cover vulnerabilities that are in either the IT infrastructure or software package. There is an industry now for searching for open source components and software packages that result in licensing issues if someone is selling a software package that has open source components in it. As they are owned, then they are subject to lawsuits for that breach of contract.

Greg Reber: [00:07:40:00] A lot of people are talking about the growth of cyber insurance, and that whole market is taking off and expected to be billions more in the next three or four years.

Greg Reber: [00:07:50:10] The cybersecurity benders often guarantees kind of goes hand-in-hand with that because, for a smaller medium sized company, if a security vendor is offering a million dollars in breach insurance, that may cover their whole breach costs. For a larger company, it may cover their deductible. So, we definitely see this working hand-in-hand with the cyber insurance market, and also the digital due diligence in M&A transactions. It's going to help drive the reps and warranties market matures.

Dave Bittner: [00:08:27:23] That's Greg Reber from AsTech.

Dave Bittner: [00:08:31:18] In other cybercrime news, the hoods behind the BankBot financial malware continue to find ways of getting Trojanized apps into Google's Play Store. Researchers of the firm, Securify, found that the criminals first passed BankBot through the guise of weather forecasting apps, Good Weather and World Weather. Now, they've infiltrated the Play Store with malicious video apps Funny Videos 2017 and Happy Videos. Even if you're the grouchy type, disinclined to watch the sort of cheerful, amusing, and life-affirming content, the Trojanized apps promise, beware.

Dave Bittner: [00:09:06:14] Check Point warns that pixel-tracking, a familiar marketing tool used to track email opens, is being exploited by criminals performing target reconnaissance to improve their phishing success.

Dave Bittner: [00:09:18:20] Physical security can affect cybersecurity, and here's another example in which it has. An ExpressPoll unit was stolen last week from a car belonging to a precinct manager in Cobb County, Georgia, USA. The stolen election device can't be used to commit voter fraud, but it does contain a copy of the state's voter file.

Dave Bittner: [00:09:40:03] In patch news, Oracle releases 299 files, a record for the company. Among the problems addressed is the Solaris vulnerability the Shadow Brokers disclosed.

Dave Bittner: [00:09:52:01] Finally, lest we appear smug over the Shadow Brokers' leaks or mom and pop's vulnerability to Hajime, we hereby decline to throw the first stone at any user. It can be difficult for anyone to keep up with the many small, insignificant and otherwise easily overlooked smart-in-a-dim way devices quietly gurgling around in their home or small business network. Dumping an end-of-life system can be a more tangled affair than one might hope. Still, all of us would do well to take basic cyber hygiene as seriously as possible. Configure as securely as you're able, patch, wean yourself from superannuated, unsupported software, and hope that vendors and their developers up their game.

Dave Bittner: [00:10:40:11] Now, a moment to tell you about our sponsor, Control Risks. You know, successful companies look for opportunities in new markets, but where there's opportunity there's risk. Whether you want to move your client data to the cloud, bring an office online in China, or acquire a competitor in Colombia, keeping your information secure is paramount. To do that, your cybersecurity decisions must be aligned with your business strategy driven by reducing your risk. In such complex environments, there's no substitute for expertise on the ground. With over 2500 employees in 36 offices around the world, Control Risks can help you assess the risk to your business; mitigate what you can and properly manage the rest as they have for over 40 years. If you need to get a handle on your cyber risk in an emerging market Control Risks will meet you there. You can find out more at: That's, Check it out. We thank Control Risks for sponsoring our show.

Dave Bittner: [00:11:49:02] I'm pleased to be joined once again by Professor Awais Rashid. He heads up the academic Center of Excellence in cybersecurity research at Lancaster University. Professor, welcome back. An area of research for you that you wanted to share with us was putting together a cybersecurity body of knowledge. What can you tell us about that?

Professor Awais Rashid: [00:12:07:07] As we know, cyber attacks are a regular feature in the news these days, they are on the rise. There are lots of estimates that they cost hundreds of billions of dollars to global economies, but there is a long recognized skills gap within the cybersecurity sector. The skills gap is compounded by the fact that our foundational knowledge on this topic is rather fragmented and we are a relatively new field. Mature disciplines such as mathematics, physics, chemistry, they have long established foundational knowledge and clear learning steps from people learning about these subjects since school to university through to professional development programs. The key thing that we are aiming to do here is to develop a cybersecurity body of knowledge that will provide the foundational resource that can be used for educational programs at various levels.

Dave Bittner: [00:13:02:11] How do you imagine it coming together, and then being shared with the rest of the world?

Professor Awais Rashid: [00:13:06:14] The really interesting thing about this project is this will be a resource for the community by the community. While I'm leading the project and a few other colleagues are involved as the lead scientists in this project, ultimately we will be engaging the wider community internationally to decide what should be the scope of such a body of knowledge; what should be, for lack of a better word, the top level knowledge areas that should be covered by the body of knowledge. Then we will be inviting leading international figures around the world from academia and industry to actually alter descriptions of those knowledge areas, and then the wider community will actually review and critique those descriptions before they are somehow cast in stone. The key point to bear in mind is that it will never actually be cast in stone in the sense that such a body of knowledge can effectively never be completely finished. Technology moves at a fast pace; the security tracks moves at a fast pace. So, there will have to be a regular cycle of updating it, but what we are doing here is a first step in what we hope will be a long-term thing that the community collectively will do.

Dave Bittner: [00:14:18:24] All right, Professor Awais Rashid, thanks again for joining us.

Dave Bittner: [00:14:24:12] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible especially to our sustaining sponsor, Cylance. To find out how Cylance uses artificial intelligence to help protect you, visit The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.