The CyberWire Daily Podcast 4.20.17
Ep 332 | 4.20.17

Trojanized apps in the PlayStore. How cybergangs talk, cooperate, and improve their game. More troubles reported for Tanium. A Chicago lawsuit brings privacy issues to the fore.

Transcript

Dave Bittner: [00:00:03:18] There are snakes in the Play Store's walled garden; one of them has a helpful flashlight. A look at how cyber gangs communicate; they do it a lot like the rest of us. Source code distribution and the jokers who make annoying use of it. More troubling reports about an IPO-ready unicorn. What information do your products collect about you, and how do you know what vendors are doing with it?

Dave Bittner: [00:00:29:03] We'd like to thank our sponsor, Palo Alto Networks. You can visit them at go.paloaltonetworks.com/secureclouds.

Dave Bittner: [00:00:37:15] With the adoption of software as service applications, data now lives beyond the traditional network perimeter, exposing your organization to malware and threats. Palo Alto Networks helps your organization achieve complete SaaS protection with detailed SaaS visibility and granular control, data governance, automated risk remediation and malware prevention. Palo Alto Networks has the broadest, most comprehensive cybersecurity for all cloud and software-as-a-service environments. They know that secure clouds are happy clouds. Find out how to secure yours at go.paloaltonetworks.com/secureclouds. We thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:28:18] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, April 20, 2017.

Dave Bittner: [00:01:38:12] We begin with a few warnings about malicious apps. BankBot resurfaced this month in various Trojanized apps sold in the Play Store. Google has purged the ones reported to it, but we can expect more.

Dave Bittner: [00:01:50:17] Bratislava- and San Diego-based security firm ESET found one bad app that repeats a familiar pattern: it was packaged as a flashlight for Android. It might help you find your keys at night, but the app would also swipe your credentials and maybe lock your screen. So, while the Play Store remains a far better bet than a third-party store, be wary: snakes do get in the walled garden.

Dave Bittner: [00:02:14:07] The other problematic Play Store offering was noticed by Trend Micro. It's a bogus version of Super Mario Run. The tip-off to danger is that during installation it seeks to be activated as the device administrator. This, of course, is never a good idea. Mario is no administrator, and neither is Luigi.

Dave Bittner: [00:02:35:14] Security company Flashpoint has published a study on how cyber criminal gangs communicate. It indicates, again, how much a black market can function like a legitimate market, and the ways in which a criminal ecosystem can resemble a business vertical. While an online forum might broker initial connections among criminals, the study finds, the groups tend to move quickly to various instant messaging services. Many are represented, but Skype is number one, possibly because it's bundled with so many other Microsoft products. Flashpoint notes the criminals, like the rest of us, like to “reap the benefits of cross community collaboration, information sharing and even mentorship.” Flashpoint also says the criminals look for ease of use: they like a simple, intuitive GUI, and they hate buggy apps. They like suitability for communicating in their native language, as well as the messaging platform vendor's willingness to resist subpoenas, and, of course, security and anonymity.

Dave Bittner: [00:03:31:01] Criminal organizations also tend to learn from the best, and if you want to find the sector leaders the other gangs follow, well, the Russian mob is the pick of the litter.

Dave Bittner: [00:03:43:03] SurfWatch Labs has drawn security lessons from the growing availability of source code and malware online. "Rensenware", the joke ransomware a South Korean undergraduate put together, serves as a cautionary example. When SurfWatch and others called it a joke, they meant "joke" literally. The Rensenware impresario encrypted files, but didn't ask for money. Instead, he required the victims to win the "Lunatic" level of a shooter game, Touhou Seirensen. Score 200 million points, and you'll get your files back. The undergraduate has apologized to everyone for a prank he no longer finds funny, but SurfWatch's point is that the ready availability of swapped malware on the market makes this kind of nonsense all the more likely to continue.

Dave Bittner: [00:04:29:00] Secure authentication is an area of active research and innovation as increasingly people are concluding that the old username, password combo just isn't enough. One company claiming to have a solution to authentication challenges is Secret Double Octopus, and, yes, we love that name too. Amit Rahav is VP of business development at Secret Double Octopus.

Amit Rahav: [00:04:50:19] The current way we're doing authentication and encryption is based on algorithms that have been around for 40 years, and haven't changed much actually. Whether it's the use of password, or a similar concept, or whether it's the reliance on public infrastructure, these are all great concepts that have served us well, but they were created at a different time, a different era, and the user cases we see today, in terms of complexity, in terms of the scale, in terms of the requirement for user experience, and in terms of the requirements for security, are dramatically different. When you look at things like passwords, right now if you are a security admin of a large company, it only takes one customer to make a mistake in order to fail your entire protection environment. In other words, we're talking about the end users. What are the odds to make sure that no end user will make a mistake in terms of somehow giving away a password, someone giving away access to a code? So, that's really something that we have to look again at that approach both in terms of scale, technical complexity and also in terms of user experience.

Dave Bittner: [00:05:56:16] So, take us through, what do you all maintain is the solution?

Amit Rahav: [00:06:01:11] So, today, if I'm relying on SMS, I'm relying on push notification. I'm relying on keys. Somebody can steal that secret behind my authentication, and the same thing with biometric, there's going to be a secret. We're creating something that gets rid of that single point of failure, but without any compromise on user experience. To do that we're actually leveraging well-known algorithms that were used in the past to protect military launch codes. When you have multiple approvals that are required, and in cryptography terms the algorithm to achieve that has been created actually by Adi Shamir, the co-inventor of RSA. He also created Shamir secret sharing. So, we created the world's first authentication architecture, the design on Shamir's secret sharing, and what it does is it allows me to authenticate to the server without any point of failure along the way. It allows my admin to deploy the system without having any key management, and then I can eliminate passwords altogether, and it all becomes completely indifferent to hacks that we know today.

Dave Bittner: [00:07:03:24] So, how does it work for the user? What's the user experience?

Amit Rahav: [00:07:07:02] Well, the user will get rid of having to remember passwords, and instead they will use an app. Anything that they do that is sensitive. All the operation will be approved using a highly protected app that is installed on their phone. With a single tap they can approve or reject certain operations. They can have the benefit of knowing that as they do that they are fully protected, but they don't have to deal with the security itself. They don't have to type any codes. They don't have to carry around special hardware: just a simple beeping on my phone, a tap, one touch, and I am approved to go.

Dave Bittner: [00:07:40:08] That's Amit Rahav from Secret Double Octopus.

Dave Bittner: [00:07:45:21] Tanium is in the news again, and not in a good way. The privately held triple unicorn, recently valued at three-and-a-half billion dollars and preparing for a long-awaited IPO, has seen the departure of a surprising number of senior executives over the past year. Earlier this week, reports were published complaining that the CEO had an abusive style, and that he'd gone so far as to limit the dilution of his equity by firing employees just before their options were due to vest. Tanium denied that there was any such practice.

Dave Bittner: [00:08:15:03] Late yesterday, however, the Wall Street Journal reported that Tanium had been using a customer's network to demonstrate its security products to other potential customers. The customer whose network was used in the demos, a California hospital, had said it was unaware that this was going on. They're none too happy about having been so exposed. Tanium's demonstrations apparently began as early as 2014 and continued for some time. Industry reaction to the story has been predictably harsh. We heard from Stuart Okin of software vendor 1E. He says that "using live customer environments for demos is a rookie move", and that a wild west start-up culture won't fly in the security space; the stakes are too high. He draws three lessons from the incident. First, start thinking early about scalable demonstration environments for your products. Second, use testing rigs so you don't disrupt operations. Third, don't contribute to hype: as a security start-up, you're probably not offering a magical pill, so take a measured, integrated approach.

Dave Bittner: [00:09:18:19] Tanium CEO Orion Hindawi has published an open letter to customers that amounts to a partial rebuttal of the news reports. He acknowledges that mistakes were made in their use of the client's network, and that they could have done a better job anonymizing their demo. He categorically denies reports of a toxic environment within the company, and though he does cop, in a mildly apologetic way, to having a sometimes hard-edged manner, he thinks that some of that is simply a natural expression of the company's commitment to its mission and its customers.

Dave Bittner: [00:09:50:18] Finally, there's an odd lawsuit being filed in Chicago that alleges audiophile company Bose has been collecting user information from Bose wireless headphones and then sending that data to third parties. We'll forgo the obvious wisecracks about how a headphone manufacturer might be listening in, and simply note what Bob Noel of Plixer International mentioned to us: a lot of companies collect data, and a lot of that data is collected by permission of the end-user license agreement, the EULA we all click through impatiently when we get a new product. Noel says, "Because data collection occurs across the encrypted tunnel, as a consumer, it's impossible to verify what data is being taken, and what the manufacturer is doing with that data." So, perhaps the best folk wisdom to cite here is the one sung by American philosopher Tom Waits in "Step Right Up": the large print giveth, and the small print taketh away.

Dave Bittner: [00:10:49:00] Now a moment to tell you about our sponsor, Control Risks. You know, successful companies look for opportunities in new markets, but where there's opportunity, there's risk. Whether you want to move your client data to the cloud, bring an office online in China, or acquire a competitor in Colombia, keeping your information secure is paramount. To do that your cybersecurity decisions must be aligned with your business strategy, driven by reducing your risk. In such complex environments there's no substitute for expertise on the ground. With over 2500 employees and 36 offices around the world, Control Risks can help you assess the risk to your business, mitigate what you can and properly manage the rest, as they have for over 40 years. If you need to get a handle on your cyber risk in an emerging market, Control Risks will meet you there. You can find out more at controlrisks.com/cyberwire. That's controlrisks.com/cyberwire. Check it out. And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:11:56:17] Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. You sent over an interesting article about fingerprint sensors on iPhones and Android devices. Certainly a popular way to log in to your phone. I'll admit, I use it to log in to my iPhone every day.

Joe Carrigan: [00:12:14:21] I do too. We just got new phones in our house. I love that I just touch the back of it, and it opens up for me, and that if I need my son to open it, I can tell him what the code is and he can open it with the code. I think it's a very great convenience.

Dave Bittner: [00:12:28:17] It's just convenient, and it's fast but not necessarily so secure.

Joe Carrigan: [00:12:33:18] Exactly. So, this article talks about a paper that came out from NYU in Michigan, and in that paper the researchers have found a set of fingerprints that have enough common features: they're actually partial fingerprints, because these things don't work on full fingerprints. They work on just a partial fingerprint because you're only touching a small portion of your finger to that sensor. What they found is, they have generated this set of fingerprints that has enough of the common features of the population's fingerprints that it can be identified as about 60% of the people by a fingerprint sensor. Now, they didn't talk about doing this on an actual phone, they were using a different device. Still, if you are looking at this from a security standpoint, if you're matching 60% based on this set of fingerprints, then even if the phone is four times as good then you're still matching 15% of the population, which is probably an unacceptable level for security.

Dave Bittner: [00:13:40:20] Yes. I've always looked at this as being more of a step-up of security versus nothing at all. It's sort of the sweet spot between having a complex password is too much of a pain, and slows me down too much so I'm just not going to use it, but not having anything isn't secure at all. It's a better-than-nothing solution in terms of security, but if you're someone who really needs to have your device locked down, you probably shouldn't rely on this.

Joe Carrigan: [00:14:10:24] This is probably not the best solution. My feeling on this is that, for real security, fingerprints aren't going to cut it.

Dave Bittner: [00:14:20:05] All right. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:14:21:24] My pleasure, Dave.

Dave Bittner: [00:14:25:03] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance uses artificial intelligence to help protect you, visit Cylance.com. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.