The CyberWire Daily Podcast 5.4.17
Ep 342 | 5.4.17

Phishing with a big worm (and other lures). Botnet mining cryptocurrency. Blackmoon upgraded. Aadhaar troubles in India. Passwords, security questions, and Grand Moff Tarkin's CISO.


Dave Bittner: [00:00:00:13] Hi everybody, Dave here. Before we start the show we've got some special news. Thanks to podcast listeners like you The CyberWire has grown to be one of the top cybersecurity podcasts in the world. We couldn't have done it without you and we're truly grateful that you value what we do and chose to make the CyberWire part of your day. We want to continue to produce the news you've come to rely on and with your help we're looking to develop more programs and launch new initiatives that tell the critically important stories taking place in our industry today. And so we've launched a Patreon page for the CyberWire and we hope you'll check it out. Go to, sign up and become a CyberWire Patron today. That's Thanks. Now here's our show.

Dave Bittner: [00:00:47:06] OAuth abuse rushes a worm around Google Docs but the good guys swiftly contain the attack. Bondnet is discovered mining cryptocurrency. The Blackmoon financial malware gets an upgrade. Carbanak is still out there, trickier than ever. No-phishing season at Gannett. India's national biometric ID system runs into security and legal trouble. And reflections on passwords yesterday, today, and tomorrow, both here on earth and in a galaxy far, far away.

Dave Bittner: [00:01:20:11] We'd like to thank our sponsor Palo Alto Networks. You can visit them at

Dave Bittner: [00:01:28:23] With the adoption of software as a service applications data now lives beyond the traditional network perimeter, exposing your organization to more malware and threats. Palo Alto Networks helps your organization achieve complete SaaS protection. With detailed SaaS visibility and granular control, data governance, automated risk remediation, and malware prevention. Palo Alto Networks has the broadest, most comprehensive cybersecurity for all cloud and software as a service environments. They know that secure clouds are happy clouds. Find out how to secure yours at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:02:20:06] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, May 4th, 2017.

Dave Bittner: [00:02:30:00] Another OAuth abuse exploit hit this week. Plausible-looking emails with a Google Docs sharing notification and carrying a worm circulated widely yesterday. Google and Cloudflare responded quickly, containing the incident in about an hour. This is being widely praised as a blue team win but all would do well to remain on alert, and to remain suspicious of unexpected sharing.

Dave Bittner: [00:02:53:19] A Google engineer noticed discussion of the incident trending on Reddit and within an hour of the first complaints, Google was able to block the app from it's OAuth screen. Cloudflare also assisted, taking down domains associated with the attacks. There do not appear to have been any additional malware payloads distributed by the worm but a number of observers have noted the similarity of approach, OAuth abuse, to a tactic Trend Micro recently described as part of Pawn Storm's toolkit. Pawn Storm is, you'll recall, Fancy Bear, Russia's GRU, but there's nothing so far to indicate any particular state actor behind the Google Docs incident. Whoever was responsible, their motive is so far as obscure as their identity.

Dave Bittner: [00:03:37:14] Two interesting discoveries were announced this morning. GuardiCore Labs has identified "Bondnet," a botnet said to consist of thousands of servers. So far it's been applied to mining cryptocurrencies but it seems ready for weaponization into a distributed denial-of-service platform. And Fidelis Cybersecurity has reported the reappearance of the Blackmoon banking Trojan, now with a new man-in-the -browser framework. Blackmoon has so far afflicted mostly South Korean financial services.

Dave Bittner: [00:04:09:01] Trustwave reports that the Carbanak gang has refined its intrusion techniques, using phone call follow-ups to see whether phishing marks have opened and swallowed the phishbait. Carbanak has also come under suspicion in recent restaurant hacks affecting the Chipotle, Baja Fresh and Ruby Tuesday chains.

Dave Bittner: [00:04:27:14] USA Today has reported a phishing attack that compromised some 18,000 accounts belonging to employees of the paper's corporate parent Gannett. The attack appears to have been straightforwardly criminal in nature. It was discovered when Gannett's financial team noticed a compromised account used in an attempt to transfer money fraudulently. That attempt was stopped and Gannett believes the incident is contained and that personal information of current and former employees is not at risk. Those employees will nonetheless be offered free credit monitoring just to be on the safe side.

Dave Bittner: [00:05:01:23] The CyberWire is proud to be a media partner at the upcoming Cyber Investing Summit, May 23rd at the New York Stock Exchange. We spoke with Andrew Chanin about the event.

Andrew Chanin: [00:05:12:14] There's thousands of conferences around the world that focus on cybersecurity, however they tend to fall into two kind of tracks. One where they focus on the technologies and services and the solutions where they are really promoting kind of products that are out there. And the other type kind of is more educational and, you know, teaches kind of best practices and cyber hygiene. However from my background to create the world's first cybersecurity exchange trade fund I realized that there was a huge interest in investing in cybersecurity yet not too many avenues for doing it, or for discussing it. And with that in mind I partnered with family to create the Cyber Investing Summit which really tries to highlight the potential investing opportunities in both the public as well as the private side of the cybersecurity industry.

Dave Bittner: [00:06:08:09] So take me through what can people expect if they come to the summit.

Andrew Chanin: [00:06:12:00] I think they can expect, you know, experts in the cybersecurity space both from the vendors side, from the acquire side, and from the investment community as well. Private equity companies, VC companies, those that are publicly trading in cybersecurity companies, those looking to raise capital as well as well as the financial advisory and other family offices that hedge fund, individuals looking to learn or gain insight as to potential investing ideas for getting exposure to the cybersecurity sector.

Dave Bittner: [00:06:47:17] And so who, who are you targeting here? Who would be the ideal person to come to the summit?

Andrew Chanin: [00:06:52:15] I think anyone that's looking to learn more about the industry, not necessarily as much about how each of the products work but really the trends in the industry, the market, the areas for potential growth, the drivers and potential catalysts for the overall industry, those looking to potentially raise capital for their own businesses, those looking to deploy capital for investment into this industry.

Dave Bittner: [00:07:22:02] That's Andrew Chanin. The Cyber Investing Summit is coming up May 23rd, 2017 at the New York Stock Exchange.

Dave Bittner: [00:07:31:13] Cerber ransomware now has VM and sandbox evasion capabilities, but extortion is nowadays less confined to ransomware than it had been. The Netflix hack is seen as a bellwether. Criminals are increasingly threatening to either take a network down through distributed-denial-of-service attacks or saying they'll release sensitive, embarrassing or otherwise valuable information if they're not paid off.

Dave Bittner: [00:07:56:17] India's Aadhaar national ID system is in trouble. Not only is the system's legality under challenge before India's Supreme Court, but it's proven leaky. Already more than 133,000,000 individuals' biometric records have been exposed.

Dave Bittner: [00:08:14:11] Today is Password Day, as you may have heard, and the trade press is filled with ruminations over the past, present and likely future of the password as a cornerstone of security. It's an old approach to be sure. Consider the Book of Judges, chapter 12, verse 6, where the war between the men of Gilead and the men of Ephraim is described. To identify spies from Ephraim, the Gileadites made suspects say, "Shibboleth," a word the Ephraimites inevitably pronounced Siboleth. So passwords and countersigns, not to mention security questions, have been around about as long as we have written records. Their use continues into the 20th century. US Marines fighting on Guadalcanal used passwords with lots of L's in them like Lollipop or Lollygag or Hallelujah because of the difficulty Japanese speakers were thought to have had distinguishing the liquid consonants L and R. Every language has it's phonemic pitfalls, native speakers of English, our linguistics desk informs us, are not even capable of distinguishing a hard from a soft L and that's a distinction that's obvious to every native speaker of Russian. We have to trust them. We can't hear the difference no matter how often they pronounce the two. They gave up on us, shouted something like MYAHK-eez-nahk and left in frustration.

Dave Bittner: [00:09:34:08] Security questions are old wheezes too. Who hasn't seen the World War Two movie where the plucky G.I.s stop the S.S infiltrators because the infiltrators, despite their American disguises and fluent English, can't answer simple questions like, "What's a Texas Leaguer?" Or, "Who's Olive Oyl's boyfriend?"

Dave Bittner: [00:09:53:00] Of course today's another holiday, Star Wars Day, or May-the-fourth be with you. It makes us wonder why the Empire was so cover-your-eyes awful at identity management. I mean, their authentication practices would have made any self-respecting man of Gilead blush. And biometrics? Forget about it, defeated by the opaque face masks worn by stormtroopers and Death Star crewmembers. We could go on, but we'd best leave it at that. Just one question. Who was Olive Oyl's boyfriend, really? Popeye? Or Bluto? Ask around the next time you're on Tatooine or Scarif, but first see if the Jawas in the cantina can pronounce Rumpelstiltskin properly.

Dave Bittner: [00:10:40:22] And now a moment to tell you about our sponsor Control Risks. Control Risks thinks like your adversaries and knows that they attack as a means to an end. Whether you're worried about malicious insiders stealing intellectual property, state support foreign competitors targeting M&A data or hacktivists looking to smear your reputation, one thing is clear, a standard technical approach to incident response is not enough to address the entirety of your problem and protect your businesses future growth, profit and brand. Control Risks has conducted more than 5,500 complex investigations in nearly 150 countries. Their 360 degree response framework pulls together their expertise in investigations, crisis management, network and host forensics, data analytics, and legal compliance support. Effective response often requires more than standard incident response and how you respond can mean the difference between an isolated incident and an enduring crisis. Let Control Risks navigate you through it. Find out more at That's And we thank Control Risks for sponsoring out show.

Dave Bittner: [00:11:58:15] And I'm pleased to be joined once again by Rick Howard. He's the chief security officer at Palo Alto Networks and he also heads up Unit 42 which is their threat intel team. Rick, we've spoken before about the Cybersecurity Canon. And you all have an award ceremony coming up, yes?

Rick Howard: [00:12:13:19] Yes, it is true, it is that time of year again. Palo Alto Networks is hosting the fourth annual Cybersecurity Canon awards ceremony in beautiful downtown DC. In other words it is Oscar night for cybersecurity book lovers.

Dave Bittner: [00:12:28:02] Wow. Talk about your niche market.

Rick Howard: [00:12:30:20] I know. I'm wearing a tux and a tie-- tied-up-- bow tie, I don't know.

Dave Bittner: [00:12:34:20] Will there be a red carpet? Will we ask who you're wearing?

Rick Howard: [00:12:37:16] Absolutely, I will send you the photo.

Dave Bittner: [00:12:40:10] Alright, very good.

Rick Howard: [00:12:41:22] So as you know, okay, we have set this up like a rock and roll hall of fame. Today there are about 30 books on the candidate list and each year we add more books to it. And each year we chose two or three to be inducted into the Hall of Fame. So over the three years we've been doing it so far, we've put about ten books into the hall of fame and that's kind of exciting. Now, now in order to get onto the candidate list some practitioner has to write a book review making the case that this is a book that all of us should have read by now. Now, we have a committee of network defenders, these are CISOs and journalists and cyber lawyers and lots of other kinds of people who review all the submissions to see if they're worthy and if they are, they go on the candidate list. Once there the Canon Committee meets once a year, at a secret bunker somewhere in the Alaskan Tundra, to decide which book will be placed into the Hall of Fame that year. That meeting happened last December. Past winners have been, okay, "We Are Anonymous" by Parmy Olson, that is the most fantastic book on hacktivism that has been out there.

Rick Howard: [00:13:42:11] "Spam Nation" by Brian Krebs, if you want to learn about cybercrime, that's the book to read. "Countdown to Zero Day" by Kim Zetter all about the Stuxnet attacks, both technical, and political, fantastic book. And my favorite out of the ten that are in there is "Cuckoo's Egg" by Clifford Stoll. It's rather long in the tooth but everything he talks about in there is still true today, so I guess we haven't learned our lesson. Cuckoo's Egg was the book that got me into security, so it's one of my favorites. This is a free resource to the Network Defender Community, just like Canon as in Canon of literature, not canons that blow things up, and Palo Alto Networks and you'll find the site, click on the book cover of your choosing and read the book review and if you don't like to read that much, there's even an executive summary.

Dave Bittner: [00:14:27:14] Wow.

Rick Howard: [00:14:28:09] So, so stay tuned.

Dave Bittner: [00:14:30:05] All bases covered. All bases covered.

Rick Howard: [00:14:31:22] All bases.

Dave Bittner: [00:14:32:14] Now the actual award ceremony, is that a public event or is that invitation only?

Rick Howard: [00:14:37:23] It's invitation only because we have a very small facility this time but we're bringing in students from the local universities, we're flying in the winners, the authors that are the winners and some local government luminaries so we can all shake hands and sing Kumbaya. So I'm very much looking forward to it.

Dave Bittner: [00:14:55:11] All right, well, we'll look forward to hearing who the big winner is this year. once again Rick Howard, thanks for joining us.

Dave Bittner: [00:15:02:07] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance helps protect you using artificial intelligence, visit The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.