The CyberWire Daily Podcast 4.27.17
Ep 337 | 4.27.17

Fancy Bear in France (and in Germany, too). Israel debates Cyber Authority's charter. Sudan says its using Electronic Jihad against ISIS. Verizon, Symantec threat reports out. Adware campaigns.


Dave Bittner: [00:00:03:09] Bear tracks seen in Macron's campaign for France's presidency. (They're also appearing in German political parties' think tanks.) Cyber gangs continue to pore over Shadow Brokers' leaks. Verizon and Samsung threat reports see ransomware and nation-state espionage as the trending issues. Amid debate over cyber authorities, Israel says it detected and stopped a major attack. And Adware infests online markets through spam and Trojanized apps.

Dave Bittner: [00:00:35:11] We'd like to thank our sponsor, Palo Alto Networks. You can visit them at With the adoption of software as a service applications, data now lives beyond the traditional network perimeter, exposing your organization to more malware and threats. Palo Alto Networks helps your organization achieve complete SaaS protection with detailed SaaS visibility and granular control, date governance, automated risk remediation and malware prevention. Palo Alto Networks has the broadest, most comprehensive cyber security for all cloud and software as a service environments. They know that secure clouds are happy clouds. Find out how to secure yours at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:34:06] Major funding for The CyberWire podcast is provided by Cylance. This is Dave Bittner, in Baltimore with your CyberWire summary for Thursday, April 27th, 2017.

Dave Bittner: [00:01:44:22] France will hold its runoff election for president in a little more than a week. The campaign has been marked by accusations of Russian influence operations, paralleling those conducted against American targets, notably the Democratic National Committee, last year. The tactics, techniques, and procedures used point to the same actor, Fancy Bear, also known as Pawn Storm, also known as APT28, and officially known as the Russian military intelligence agency, GRU.

Dave Bittner: [00:02:12:24] Intelligence firm ThreatConnect reviews the circumstantial evidence that Emmanuel Macron's campaign for France's presidency was indeed phished by Fancy Bear. The threat actor used the spoofed domain onedrive-en-marche[.]fr in its phishing. En-Marche is Macron's political movement. The domain was registered using the email address johnpinch@mail[.]com, and Fancy Bear is known for registering its spoofed domains from addresses. The johnpinch address was also used to register three other domains, accounts-office[.]fr, portal-office[.]fr, and mail-en-march[.]fr. All are hosted on dedicated servers, which, as ThreatConnect points out, is typically a sign that a domain has been "operationalized," a pricey option, but one that gives operators more control over their infrastructure. And, finally, the IP address used by an associated domain is the same one called out in the US Intelligence Community's report on Grizzly Steppe, the allegedly Russian operation against the Democratic National Committee. So the evidence is circumstantial, but ThreatConnect is reasonably convinced that it points to Fancy Bear.

Dave Bittner: [00:03:23:11] Macron's campaign has confirmed that it sustained phishing attempts, but it also says that no data were lost. Observers are watching for leaks timed before the second round of the elections, May 6th and 7th. If the intent is to spring a last-minute surprise in the campaign's endgame, Fancy Bear has less than ten days to work with

Dave Bittner: [00:03:42:24] Chinese and Russian criminal organizations continue to pick through ShadowBrokers' recent dump, as they look for tools they can exploit in the wild. Chinese criminal gangs tend to have a casual, moonlighting relationship with their government, but the connection in Russia is considerably closer, as the gangs are suborned to work for the security services, and are afforded a measure of protection when they do.

Dave Bittner: [00:04:05:23] Israel's government takes the unusual step of reporting that it sustained and stopped a cyberattack mounted by an unnamed foreign state. The disclosure may be related to ongoing controversy over a proposed cybersecurity law in draft before the Knesset, that would grant expansive powers to Israel's Cyber Authority. Haaretz reports that senior officials of both the Shin Bet security service and the Mossad intelligence agency have protested to Prime Minister Netanyahu that the revised Cyber Authority charter would prove detrimental to Israel's security. The deputy chief of staff of the Israeli Defense Forces and other senior defense officials are said to have joined Shin Bet and Mossad in objecting to the proposed law.

Dave Bittner: [00:04:49:00] Sudan's government is employing a hacking group called "Electronic Jihad" against ISIS. Critics see a collateral effect on dissidents in general, and many see the capability as more likely to be used against opponents of the regime than against ISIS.

Dave Bittner: [00:05:04:08] At the 2017 RSA Conference Innovation Sandbox, one of the finalists was a new company called Enveil demonstrating what they say are breakthroughs in homomorphic encryption. Ellison Anne Williams is founder and CEO of Enveil.

Ellison Anne Williams: [00:05:19:02] Enveil developed technology that allows folks to interact with data, so that could be the search or analytics, in a way that no one can see into the content of that interaction, so what they would care about. The result that are coming out of that, or even the data itself, because it will operate over encrypted data as well as unencrypted data.

Dave Bittner: [00:05:41:03] So let's dig into that a little bit. What we're talking about is homomorphic encryption, can you just kind of give us an overview of what we're talking about with homomorphic encryption?

Ellison Anne Williams: [00:05:50:23] Yeah, absolutely. So we're powered by homomorphic encryption, is really what we call it. And homomorphic encryption is just a type of encryption that allows you to perform operations on encrypted data as if it were unencrypted, in plain text space. And so, when I say that we're powered by homomorphic encryption, there is, you know, several decades of research on homomorphic encryption out in the open literature, so lots of people have looked at it. And what we've really done, that's very novel and really enables it to be practical, in a way that it was never before is that we use it and employ it in a very creative way through our algorithmics. So even to the point where we're able to, can swap put the homomorphic crypto for other things, if people, you know, were so, desire to do that.

Dave Bittner: [00:06:37:09] So my understanding up until I'd heard about you all, was that homomorphic encryption wasn't really practical. That it was too processor intensive, to really be used in the real world, and people had it functioning in the lab. So what's the discoveries that you all made to make it workable?

Ellison Anne Williams: [00:06:53:07] Yeah, so homomorphic encryption exactly like you said, for the past, you know, 20 years or so has been a computational intractable kind of problem. So not practical for any kind of scale. It's what we did, you know, having backgrounds in both pure mathematics and crypto and then distributed algorithmics as we married those two together. And so, we develop these algorithms that use this homomorphic encryption in very, very efficient and I call it creative ways. So that we're able to leverage the encryption and have it operate over large, large volumes of data to achieve a practicality that's just never been possible before.

Dave Bittner: [00:07:28:23] That's Ellison Anne Williams from Enveil.

Dave Bittner: [00:07:33:24] Both Symantec and Verizon have released major threat studies, and they highlight two trends, the growing popularity of ransomware among criminals, and the very significant rise in cyber espionage by nation-states. Ransomware needs little further introduction, but the increase in cyber espionage is having an effect on targets other than the government organizations espionage services are generally thought to pursue. Again, concentration on industry, political organizations, and individuals represents an updating of traditional espionage practices for the cyber age. It's also striking how thin the deniability of many operations has become. Take the brazen and noisy Fancy Bear as exhibit A.

Dave Bittner: [00:08:15:03] And, finally, in online advertising, bad money continues to drive out good. RiskIQ describes NoTrove, an ad spammer whose large-scale efforts are damaging legitimate advertising. Check Point warns of another quiet botnet, "FalseGuide," infesting Android devices, some 600,000 of them, it estimates, with adware. So watch your phones, everybody.

Dave Bittner: [00:08:42:23] And now a moment to tell you about our sponsor, Control Risks. As your company grows and the global business environment becomes more complex, it gets harder to identify your blind spots and figure out how to see into them. It's now more important than ever, to understand how protecting your systems and date require visibility beyond your network. Control Risks supports its clients by increasing their situational awareness and proactively securing their operational environment no matter where it is. Using their global reach and local risk expertise, they have a unique approach to identifying and mitigating their client's information security risks. From cyber due diligence assessments of third parties around the world, to multi-jurisdictional cybersecurity regulatory reviews, to cyber threat assessments that account for socio-political and economic risk indicators and more. There is uncertainty on the journey toward your business goals. Controlled Risks brings order to the chaos and reassurance to the anxiety. Find out more at Control That's And we think Control Risks for sponsoring our show.

Dave Bittner: [00:09:57:12] Joining me once again is Rick Howard. He's the Chief Security Officer at Palo Alto Networks and he also heads up their Unit 42 Threat Intel team. Rick, welcome back. We wanted to touch base today on a new white paper that Unit 42 has put out around credential theft.

Rick Howard: [00:10:12:12] Yeah, thanks for having me. This is a nice introduction to the topic and you and I have talked in the past about the importance of making it easy for network defenders to deploy prevention and detection controls down the adversary's life cycle. In the 2016 Verizon data breach, investigations report the authors noted that 63 percent of all confirmed data breaches leverage credentials in some way. So our Unit 42 analyst Robert Falcone, he said it this way in the white paper. "Credentials are the oxygen of malicious activity."

Dave Bittner: [00:10:46:15] Hum.

Rick Howard: [00:10:47:01] So there are basically five primary techniques that attackers use for stealing credentials and the most common one is one we all talk about all the time, is credential phishing and spam.

Dave Bittner: [00:10:56:10] Sure.

Rick Howard: [00:10:56:20] But there are other techniques, right? Social engineering, this is where the bad guy calls you on the phone and tricks you into giving up your password.

Dave Bittner: [00:11:04:22] Yep.

Rick Howard: [00:11:05:07] Another one, or a common one is reusing stolen passwords or shared credentials and what I mean by that is the bad guy that's gonna attack your network doesn't actually steal them himself but he goes to an underground, site and buys a bag of them from some other nefarious hacker so he just gets a use of them, he didn't steal them himself. Another one that's been around forever is Brute Force. Yes, it's still possible to guess passwords. And then the other one that's interesting is the security question re-use, you know when you call your favorite website, to change your password. One way the owners of the site checks to see that you are legitimate, is they ask you a set of these security questions, you know, like, what is your favorite dog or what's the name of your first girlfriend or what's the ID of your wife's maiden name?

Rick Howard: [00:11:51:04] The problem with these security questions is that the adversary can easily guess most of these answers, by just rumbling around your social media feeds. You know, so, they're not great. And so, what can be done? First one is use two factor authentication for your SaaS applications. I know that sounds hard for the general public users like the grandmas out there, but it really has become a lot easier to do that today for most of these SaaS applications. The second one is, and I'll probably get a little flack for this, but I think you should be using password manager, like LastPass. Password managers, if you don't know, you know, they plug into your browser and elsewhere and they help you generate strong passwords for your online activity and they store them securely and then they remember them for you as you frequent your favorite sites. And even grandmas can use password managers. Once their nephews or nieces sets it up, even they can figure out how to use it. So password managers, use them.

Rick Howard: [00:12:48:06] I think the last one I like is for the security questions, okay, and here's the recommendation. Don't use the correct answers to security questions. So instead of using or answering "My wife's true maiden name" make up another password of phrase that you can remember, something like, you know, snartblaster. You know. Something like that. Don't tell anybody what it is though, okay, then there's no way for an adversary to pursue your social networks to find that snartblast is your wife's maiden name. So those are just three things you should do and the bottom line for all of these recommendations is to reduce the attack surface. Okay. Users can adopt these easy best practices, use two factor authentication for all your SaaS apps. Use a password manager and don't be truthful on your security questions.

Dave Bittner: [00:13:34:19] All right, as always, good information. Rick Howard, thanks for joining us.

Dave Bittner: [00:13:39:12] And that's the CyberWire. Thanks to all of our sponsors who make The CyberWire possible, especially to our sustain sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:13:52:12] A reminder that one of the best things you can do to help The CyberWire podcast grow is to leave a review on iTunes, it really does help people find our show. And don't forget to check out the Grumpy Old Geeks podcast, where I join Jason and Brian for what's quite often a colorful and sometimes salty review of the week's cybersecurity news. We do have a lot of fun and you can find Grumpy Old Geeks wherever all the best podcasts are available.

Dave Bittner: [00:14:14:01] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.