The CyberWire Daily Podcast 5.16.17
Ep 350 | 5.16.17

WannaCry, worm wars, ransomware pandemics, and a place for kill switches. And what might a cyber Pearl Harbor look like?


Dave Bittner: [00:00:00:12] The CyberWire podcast is made possible in part by listeners like you, who contribute to our Patreon page. You can learn more at

Dave Bittner: [00:00:12:20] The developing story of the WannaCry pandemic continues to unfold with speculation about attribution focusing on the Lazarus Group. Why malware would have a kill switch. Throwbacks to the worm wars. The risks of unpatched, superannuated or pirated software. Litigation exposure in the WannaCry affair. And cyber Pearl Harbors, again, what might one actually look like?

Dave Bittner: [00:00:40:22] It's time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff and we're betting that, however many you have, you haven't got enough. Recorded Future does the hard work for you, by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:48:08] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, May 16th, 2017.

Dave Bittner: [00:01:57:23] We continue to follow the developing story of the WannaCry ransomware pandemic. Enterprises of all kinds worldwide, private, industrial, governmental, entered the week bracing for a renewed wave of WannaCry infections. The problem hasn't gone away but attacks on the scale seen Friday and continuing until the now famous kill switch was found and flipped simply haven't materialized. It would, of course, be foolish to think we've seen the end of WannaCry and those behind it but for now at least the world seems to be in the recovery and remediation phase of the incident.

Dave Bittner: [00:02:30:19] So why did WannaCry have a kill switch in the first place? Researchers at security firm Cylance are looking into the ransomware and they offer a preliminary observation that kill switches are holdovers from the worm wars of the early 2000s. That's when owners wanted to be able to dismantle their malware once it had met their goals. The objective would be to keep the malicious code better targeted to, as Cylance puts it, "keep it from going wild once it gets out."

Dave Bittner: [00:02:57:05] The kill switch would appear to be ambivalent, however, since it's easy to change. Cylance told us in an email, quote, "Attackers can either hijack the kill switches by mutating the code to meet their needs or remove the kill switch altogether. If the kill switch is hijacked, malicious actors can alter the code so Bitcoin instructions go to their paypoints. If the kill switch is removed altogether, the downside is that they, the initial users, lose control over the worm when it goes out into the wild," end quote. In this case, the kill switch appears to have been carelessly exposed. One might expect better of criminal or covert tradecraft.

Dave Bittner: [00:03:35:14] It's worth noting that Check Point says it's found a less virulent successor version and Bitdefender thinks last week's attacks are the first of many more to come.

Dave Bittner: [00:03:45:00] Some experts think the WannaCry ransomware campaign has the look of a targeted attack gone wrong. It looks far more indiscriminate in its infection rate, which amounts to a pandemic, than even the best-prepared criminal gang could handle and the Bitcoin wallets established as repositories for ransom payments don't seem equal to the task either.

Dave Bittner: [00:04:03:22] There's no clear attribution yet, but several researchers from Google and elsewhere believe they've discerned a similarity between WannaCry's code and some similar cryptors thought to have been used by the Lazarus Group in 2015. The Lazarus Group, of course, is generally connected to North Korea's government and has been blamed for Dark Seoul attacks against South Korea, the Bangladesh Bank fraudulent fund transfer caper and the wiper attack against Sony Pictures in November 2014.

Dave Bittner: [00:04:33:18] The plaintiff's bar is expected to be paying close attention to negligent patching in enterprises that suffered from WannaCry but Microsoft is not generally thought to have much exposure. There's a growing sense among affected third parties, like patients in the UK's National Health Service, that the organizations victimized by the attack should have taken better measures to protect themselves, particularly since WannaCry was spread by exploiting a known and patched vulnerability that persisted, for the most part, in systems that were beyond their end of life.

Dave Bittner: [00:05:04:05] Observers expect litigation to follow and they doubt that Microsoft will be the plaintiffs' target. Microsoft points out that the affected organizations were running either unpatched or unsupported software and some legal commentators agree that they're arguably negligent to do so. Given that it appears personal data weren't exposed in the campaign, it seems likely that lawsuits, if any, would come people directly injured by the suspension of services the ransomware induced in some organizations.

Dave Bittner: [00:05:33:21] In other news, the University of Texas at Austin Center for Identity recently published their 2017 Identity Theft Assessment and Prediction Report. Paige Schaffer is President and COO of Identity and Cyber Protection Services for Generali Global Assistance. She joins us to discuss the report.

Paige Schaffer: [00:05:50:12] Approximately 50% of identity theft incidents that happened between 2006 and 2016, so really, you know, the last ten years, half are low-tech, criminals exploiting non-digital vulnerabilities, empty prescription bottles, paper documents, really those, those vulnerabilities caused by human error. Another interesting factor is that, you know, we hear about these huge breaches, such as Target and some of the others across the country that really give you kind of this vast national view but it turns out that really 99% of the cases are really localized. They were confined to a local geographic areas, smaller businesses or certain victim profiles.

Paige Schaffer: [00:06:38:14] The other thing that we can't forget and should take to heart that many folks that are victimized occur from insider threat. Roughly 34% of the cases that they studied came from insiders, so employees of companies or family members of individuals had a role in one-third of these cases.

Dave Bittner: [00:06:57:23] When you look at these numbers, when you look at the report, what are some of the key takeaways in terms of what people can do to better protect themselves?

Paige Schaffer: [00:07:04:19] Well, if you think about the low tech initiatives, so rip up or shred your information, don't throw it in the garbage. Certainly where medical information is concerned, there are many aspects of PII that's captured. The top five pieces of PII that are compromised are name, certainly, Social Security Number, address, date of birth and, of course, credit card number. And name and Social Security Number rank the highest, credit card about 7%. So if you think about, you know, your information that's potentially out there, name and address and date of birth, that's on a lot of information. So, best to shred. If you think about, you know, we're past tax season, but get your W-2s from your office, don't have them mail it to you. A lot of times I go to the doctor and sometimes they'll ask for my Social and I just don't give it to them so that it's not printed out on any information and so if you're coming away with forms, just make-- take good care on how you get rid of those things.

Paige Schaffer: [00:08:06:00] Criminals, they capture your information, just your basic information and put it together. They can get it in a really low tech way and, many times, credit cards, though, are also procured on the Dark Web, on chat rooms and what have you, and so it's best to be vigilant about your information and where you keep it, where you put it, how you get rid of it, but also, you know, from a proactive standpoint you want to have some service that's monitoring your information, so that if somebody does get a hold of it, somebody walking through a Starbucks with a card reader and collects a bunch of credit card information, that you're going to get some alerts, whether it's credit or alerts on the Dark Web that your information is showing up in a nefarious place. So you've got a bit of proactive protection there.

Dave Bittner: [00:08:52:01] That's Paige Schaffer from Generali Global Assistance. The report is the 2017 Identity Theft Assessment and Prediction Report, published by the University of Texas at Austin Center for Identity.

Dave Bittner: [00:09:05:00] Finally, returning once again to the fallout from WannaCry, while US targets were hit by WannaCry, they suffered relatively lightly, we stress relatively, compared to targets in Russia, China, India and Britain. Various senior security experts in the US have revived talk of a Cyber Pearl Harbor.

Dave Bittner: [00:09:23:07] We'd like to conclude by taking that metaphor seriously. Consider the Pearl Harbor attack. It involved not strategic surprise, the US expected Japan to go to war, nor operational surprise, the Pacific Fleet in Pearl Harbor was warned, as was the Army's Hawaiian garrison and General MacArthur's command in the Philippines. What it did involve was tactical surprise. The US was caught napping on Battleship Row and Wheeler Field.

Dave Bittner: [00:09:49:00] So would a Cyber Pearl Harbor involve tactical surprise? Pearl Harbor also seemed to be a failure of middle management. Junior enlisted radar operators saw and reported inbound aircraft but were told by their higher-ups not to worry and the USS Ward depth-sank a midget sub entering Pearl Harbor and reported the sinking. The highest Navy and Army commanders in the islands knew they were under a war warning and thought they'd directed appropriate precautions and alerts.

Dave Bittner: [00:10:19:00] So perhaps a Cyber Pearl Harbor would be one suffered when someone between the CISO and the SOC failed to get the word? And finally, of course, 2,403 people died in the attack and a further 1,143 were wounded. Would a cyber attack need to work that kind of kinetic effect before it qualified as a Pearl Harbor? Seriously, these questions are worth thinking about.

Dave Bittner: [00:10:47:15] As our sponsors at E8 Security will tell you, bliss is not only knowing what's going on in your networks but being able to distinguish the goodness from the badness. That's their promise for their behavioral analytics and they're willing to show you, too. So, go to for a small scale checkout where you can see for yourself. Their behavioral analytics platform gives you insight into every stage of the attack lifecycle across your network, users and end points, even those often overlooked little things in the Internet of Things. The bad actors can spoof an identity, they can steal a credential but their crimes will betray them. That's what behavioral analytics can do for you. You can check it out for yourself at Don't let the data trees get in the way of seeing the risk forest and enjoy the ride. And we thank E8 for sponsoring our show.

Dave Bittner: [00:11:46:12] And joining me once again is David Dufour. He's the Senior Director of Engineering and Cyber Security at Webroot. David, welcome back. You know, every now and then we think it's good here to reach back and talk about some of the basics and so we're asking you today to give us an overview of exploits and scripts.

David Dufour: [00:11:53:00] Alright, great. Well, it's nice to be back, David. Thank you for having me. You know, there's always a lot of talk about ransomware and malware and the things that those can do to you and sometimes we forget to talk about the delivery mechanisms of how that stuff gets on your system or infects your mobile device. Two very common delivery mechanisms are exploits and scripts.

David Dufour: [00:12:28:22] Scripts are probably the more simple example of the two, and those typically come in the form of email attachments. You know, you used to have script exploits embedded in web pages and things of that nature, but the browser manufacturers have done a pretty good job of blocking malicious scripts from being able to execute in your browser. So now we see scripts-- the two most common scripting languages out there are VBScript and JavaScript. We're seeing those come into organizations or into your home as email attachments, where it might say "resume.script" or something like that. And what they're trying to do is entice you to open this script, that will then execute and pull down that malware or that ransomware and install it on your machine.

David Dufour: [00:12:55:00] The other more sophisticated and, you know, in my position the one I really enjoy looking at because it's pretty sexy, are exploits. And typically, you see exploits on web pages through third party apps, where someone has gone out and they've figured out how to take advantage of the operating system, the browser or some third party plug-in to a browser, such that if you navigate to a web page this exploit will run behind the scenes. You won't know it ran and it'll do a drive-by, where it'll actually pull down some malicious code without your knowledge and then install that code and you're in trouble.

David Dufour: [00:13:59:14] So, exploits, they're more expensive, they're much harder to find and once they're known about they get plugged very quickly, but the scary thing is you don't know they happened until you're infected.

Dave Bittner: [00:14:10:24] Alright. It's good to review the basics. David Dufour, thanks for joining us.

Dave Bittner: [00:14:18:04] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance protects you using artificial intelligence, visit

Dave Bittner: [00:14:29:17] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.