The CyberWire Daily Podcast 4.28.17
Ep 338 | 4.28.17

OilRig fingered as Iranian state-sponsored group behind attempted hacks of Israeli targets. Shamoon still under the same management. Botnet wars in the IoT. Countermessaging, hopes of missile hacks, and more.


Dave Bittner: [00:00:03:06] Researchers name the unnamed country that attempted to hack Israeli targets. Other researchers conclude Shamoon is still under the same management. Thales takes a look at data security in the US Federal sector. A financial malware vector startles phishing victims into clicking. Vigilante botnets are not helping the IoT. Countermessaging is still not as easy as it looks. And there's a lot of thinly sourced hope about hacking North Korean missiles.

Dave Bittner: [00:00:35:09] Time from a message from our sponsor, Palo Alto Networks. You can learn more about them at With the adoption of software as a service applications, data now lives beyond the traditional network perimeter. What are you doing to keep your organization's data protected in this new environment? Palo Alto Networks' integrated platform provides detailed SaaS visibility and granular control, data governance, automated risk remediation and malware prevention. So organizations can achieve complete SaaS protection. Palo Alto Networks has the broadest, most comprehensive cybersecurity for all Cloud and SaaS environments because secure clouds are happy clouds. Get started at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:35:22] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, April 28th, 2017.

Dave Bittner: [00:01:46:14] An unnamed country behind a recent cyber campaign against Israeli targets has been named: research by Morphisec, confirmed by iSIGHT Partners, points to OilRig, also known as "Helix Kitten," and Iranian threat actor. Israel's National Cyber Defense Authority says the attacks were blocked. The attacks sought to exploit a known (and patched) vulnerability in Microsoft Word, CVE-2017-0199.

Dave Bittner: [00:02:14:22] Israel’s National Cyber Defense Authority has been operating officially for a year, since April 2016. It’s recently become controversial in a dispute over agency equities. Security officials from Shin Bet, Mossad, and elsewhere in the IDF have expressed concern that pending legislation involving the National Cyber Defense Authority leave its charter too vague, and open to the possibility of mutual interference by organizations working in the same space.

Dave Bittner: [00:02:43:12] McAfee researchers conclude that recent Shamoon attacks were conducted by the same group that first mounted them in 2012, and that group too is generally believed to be working on behalf of Iran's government. Shamoon's principal targets have been Iranian regional rivals, especially Saudi Arabia.

Dave Bittner: [00:03:02:12] To review, Shamoon emerged in 2012 with a destructive wiper attack on the networks of oil producer Saudi Aramco. It resurfaced in late in 2016 with attacks on other Saudi targets. Shamoon is particularly interesting in that it has a clearly destructive and disruptive purpose; it's not conducting espionage, nor is it working any sort of information campaign. Recovery from successfully executed Shamoon attacks has proven both costly and time-consuming.

Dave Bittner: [00:03:31:14] BrickerBot is another destructive campaign, but this one is different in that it appears to be the work of a vigilante. BrickerBot's code searches for Internet-of-things devices susceptible to infection by the Mirai botnet. Once it locates such devices, it preemptively and permanently bricks them, hence its name. BrickerBot, whatever its author's professed intentions, has not been well-received by the security community, nor, obviously, by its victims. Sierra Tel, a California Internet service provider, was disrupted earlier this month by the competition between BrickerBot and Mirai for vulnerable devices, in this case high speed modems. Sierra Tel, which has received generally positive reviews for its transparency with customers concerning the incident, says it had cleared up the problem by April 22nd. BrickerBot's presumed author, who's known by his screen name "Janit0r," claimed credit for the service disruption in a communication with Bleeping Computer.

Dave Bittner: [00:04:28:09] The other vigilante strain of IoT malware, the less destructive but still irritating Hajime botnet, is worrying security experts as its herd of bots grows. Hajime is now believed to have roped in some 300,000 devices.

Dave Bittner: [00:04:43:13] Researchers at security firm Forcepoint have identified a new variant of Geodo/Emotet banking malware pursuing targets in the UK. The vector is an email that appears to be a legitimate billing request. It asks for payment of an abnormally large amount, and, of course, surprised and alarmed recipients are quick to click, and then the crooks have them pwned.

Dave Bittner: [00:05:05:01] Government countermessaging programs, information operations designed to combat ISIS, draw tepid reviews even as lethal strikes have an increasingly clear effect on the Caliphate. Facebook publishes a study of information operations that draws some useful distinctions and offers operators some insights into this difficult art.

Dave Bittner: [00:05:25:22] The US Administration again refuses to say whether it hacked North Korean missile tests. Some in the media (particularly in the UK) take this as an admission that the US did indeed hack them, so speculation proceeds apace, especially among those unfamiliar with the many ways missiles fail. This strikes the steely-eyed missilemen on our staff as wishful thinking, for some reason concentrated in the UK. Sure, who in the civilized world wouldn't like Pyongyang's long-range nuclear strike capability to be hackable at need? But don't get your hopes up, kids. Rockets and missiles fail all the time for reasons completely unrelated to hacking.

Dave Bittner: [00:06:09:08] And now a moment to tell you about our sponsor Control Risks. As your company grows and the global business environment becomes more complex, it gets harder to identify your blind spots and figure out how to see into them. It's now more important than ever to understand how protecting your systems and data require visibility beyond your network. Control Risks supports its clients by increasing their situational awareness and proactively securing their operational environment no matter where it is. Using their global reach and local risk expertise, they have a unique approach to identifying and mitigating their client's information security risks. From cyber due diligence assessments of third parties around the world, to multi-jurisdictional cybersecurity regulatory reviews, to cyber threat assessments that account for sociopolitical and economic risk indicators and more. There is uncertainty on the journey toward your business goals. Controlled Risks brings order to the chaos and reassurance to the anxiety. Find out more at Control That's And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:07:22:04] And I'm pleased to be joined once again by Dr Charles Clancy. He's the Director of the Hume Center for National Security and Technology at Virginia Tech. Dr Clancy, I saw a couple of sort of conflicting articles come by recently. One was a demonstration that Samsung was doing with the new 5G technology and then a few days later I saw an article that said that 5G is a ways off, you know, basically don't hold your breath. What's the real status here?

Dr Charles Clancy: [00:07:49:05] 5G technology has become synonymous with millimeter wave technology. And millimeter wave technology is essentially moving the frequencies at which your cell phone communicates to the cell tower up to much higher bands. In particular 28 gigahertz is what many of these trials are testing out right now. The FCC recently approved a number of new frequency bands for 5G, in the millimeter waveband and they range from 28 gigahertz all the way up to 73 gigahertz. So many of these companies that are advertising these 5G trials are really just testing out millimeter wave technology in some of these 5G bands, or bands that the FCC has designed as 5G. If you actually look at the progress that's being made in the standards group, in particular 3GPP which the organization that's responsible for defining the standards for cellular communications. They still have a lot of work to do, as you mentioned. a framework for what the 5G physical and data link layers look like. But we are probably at least a year away from having a draft standard of what that actually looks like. Some of the initial reports indicate that it's gonna look a lot like 4G, so just shifted up to higher frequencies. So that'll be interesting to see if any new innovative technologies make their way into the standard in the coming months.

Dr Charles Clancy: [00:08:39:06] There are currently efforts to define the requirements and begin establishing a framework for what the 5G physical and data link layers look like. But we are probably at least a year away from having a draft standard of what that actually looks like. Some of the initial reports indicate that it's gonna look a lot like 4G, so it's shifted up to higher frequencies. So it will be interesting to see if any new innovative technologies make their way into the standard in the coming months.

Dave Bittner: [00:09:06:15] With this millimeter technology, we're going to have a lot more towers, right? There's a range issue at these frequencies.

Dr Charles Clancy: [00:09:15:06] Oh definitely. Current 4G technology can penetrate walls fairly well and it can go reasonably long distances, upwards of a kilometer or two, where the typical design range is for cell towers. In urban areas they're obviously less than that just because of the density of users. Millimeter wave technology is designed for even shorter ranges than that. And in particular because up at these higher frequency ranges, the signals can't propagate through walls. In fact some of the 5G frequencies can't even go through a piece of paper. So as a result there's a lot of research underway, particularly in outdoor environments looking at how 5G signals would work in a dense urban environment. And how it would reflect off concrete buildings and things of that nature. And then if you look at the indoor deployments, you'd probably need a 5G base station in nearly every room in order to provide systematic coverage in an indoor environment. So figuring out how to do that and what the back hole look like, these are all major research questions that are still underway.

Dave Bittner: [00:10:12:03] But then the upside would be higher speeds, right?

Dr Charles Clancy: [00:10:15:04] Oh yeah. Orders of magnitude increase in data rates. So the actual deployments of 5G are likely to be incremental where you're gonna have a sort of a base code of 4G coverage everywhere. And then if you're in a 5G area, you may see 10 to 100 X faster data rates, but it would be in sort of a hot spot sort of environment where you're only getting coverage in these limited areas. Which then necessitates new data models where maybe your mobile device can download and cache content on a dispistory basis, when you happen to be in one of these very high internet rate zones.

Dave Bittner: [00:10:48:16] Alright, interesting stuff. Dr Charles Clancy, thanks for joining us.

Dave Bittner: [00:10:55:20] Time for a message from our sponsor DomainTools. You know, whether they're phishing or hacking or spying, threat actors use domains and IP addresses to launch their attacks. And while you might not be interested in targeted attacks yet, targeted attacks are interested in you. Your ability to map and characterize the attacker's infrastructure is crucial to defending yourself. Join DomainTools Senior Security Researcher, Kyle Wilhoit and Director of Product Manager Tim Helming on a virtual ride along using DomainTools Iris. They use real world cases to show you how you can quickly and efficiently expose the adversary's infrastructure. Join their webinar at Learn how to protect yourself against various crime, espionage and hacktivism by seeing how investigators and threat hunters work in the trenches. Visit and see how you can recognize the staging area of the next attack. And we thank Domain Tools for sponsoring our show.

Dave Bittner: [00:12:04:09] My guest today is Peter Galvin, Vice President of Strategy at Thales eSecurity. They recently published the federal government edition of the Thales Data Threat Report for 2017: Trends and Encryption and Data Security.

Peter Galvin: [00:12:19:10] I think there were three big takeaways from that report. The first takeaway was really how at risk the federal government or federal and civilian agencies feel against cyberthreats, hackers and nation-states. And really the biggest area they were concerned about when it came to hackers were really cyber criminals. So as much as we hear a lot today about nation-states and nation-states being the biggest concern, the area that we actually found that they were most concerned about, like most organizations were cyber criminals. The second area was that these organizations are looking at lots of new technologies and looking at adopting them pretty quickly so the federal government has been promoting for the civil and defense agencies the use of, you know, things like cloud technology, IoT and containers, which is part of the DevOps revolution and how they're adopting those and the concerns, you know, there are high concerns about using security in those areas.

Peter Galvin: [00:13:26:19] And I think the third area of interest was that in the federal government, budgets are growing around for cyber security. But the biggest thing that we found out was that of all the other verticals that we looked at, so we looked at, for example, health care, retail, financial services, the increases in the federal budgets for cyber security were among the lowest, although fairly significant in their budget increases. And I think what's interesting about that federal government is they're moving from many very old systems with reduced staffing levels, you know, they're one of the biggest areas where cyber criminals are going after them. So those are the big three takeaways from the report that we saw.

Dave Bittner: [00:14:15:05] One of the reports findings is that the risks to federal data is very similar to the risks to data in commercial environments.

Peter Galvin: [00:14:21:16] I think there are so many nation-states and so I think that you know, cyber criminals see the federal government as another big area where they can find sensitive data. Or personal identical information or personalized identical health information. And so I think that cybercriminals look at that as a way to be able to, "Wow, if I can break into some of these systems, there's some very valuable information that I can get and sell on the dark web." I think, you know, why the federal government agencies face so much more security threats is that it's just not the cybercriminal but it's also nation-states who are trying to find out, you know, secrets about the government or secrets about how agencies work or travel habits of agencies, et cetera. And so they have an additional threat. And then the third threat that you don't have as much in the commercial world is really the hacktivists, right, who are going in and thinking they're doing some kind of civic duty by hacking into private information and leaking that information to the rest of the world. So I think they have similar vulnerabilities when it comes to cybercriminals but they also face, you know, additional threats from nation-states and hacktivists which a lot of commercial enterprises don't face as much of that pressure.

Peter Galvin: [00:15:48:17] And so the other encouraging thing is that we have seen year over year that people believe that encryption is what will meet their privacy requirements and allow them to safely expand some of those new technologies. So as organizations are looking at these new technologies around, you know, Cloud computation, IoT, mobile and containers in DevOp type of activities, the one technology that now is coming out more strongly is encryption because they believe that encryption will help them protect against these data beaches. That even if the data is breached, if somebody accesses that data, that data is encrypted and those organizations, that information is still protected from those cybercriminals or those nation-states that might attack them.

Peter Galvin: [00:16:42:19] And one of the things that we found out is that when we talk to the federal government about what do they think are some of the top three data security controls that agencies can implement over this next year, especially if they are moving to the Cloud, almost half of them said tokenization which was, okay, take that information and tokenize it so that it is not in the clear and use that token as a method of being able to authenticate identity or purchase something. And then the second aspect is really use Cloud gateways or Cloud encryption gateways so that everything that's leaving your premises and going to the Cloud, is automatically encrypted. And then also using encrypted services within the Cloud. And so I think there is a realization that it's happening across the federal government and the federal agencies.

Peter Galvin: [00:17:35:04] That one of the missing pieces in making sure that they are securing their environment is using encryption. So essentially to use encryption you need to figure out where your sensitive data is and then make sure you're encrypting that data and using the right policies and procedures for people to act off that data.

Dave Bittner: [00:17:56:09] That's Peter Galvin from Thales eSecurity. The name of the report is Thales Data Threat Report 2017: Trends in Encryption and Data Security, Federal Government Edition.

Dave Bittner: [00:18:12:13] And that's The CyberWire. Thanks to all of our sponsors who make The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you through their use of artificial intelligence, check out

Dave Bittner: [00:18:27:08] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe. And I'm Dave Bittner. Have a great weekend everybody, we'll see you back here on Monday. Thanks for listening.