The CyberWire Daily Podcast 5.30.17
Ep 359 | 5.30.17

Implications of Manchester bombing investigation on policy, Five Eyes relations. British Airways IT outage. Fancy Bear and Malta? ShadowBrokers prep exploit-of-the-month club. Google deals with Chrome, PlayStore issues. Mall boards and rickrolling.


Dave Bittner: [00:00:01:08] The CyberWire podcast is made possible in part by listeners like you, who contribute to our Patreon page. You can learn more at:

Dave Bittner: [00:00:13:20] British Airways suffers a glitch, not a hack, but whichever it was, it amounted to an infrastructure takedown. Fancy Bears may be snuffling at the Government of Malta. The ShadowBrokers may be cashing out. Google kicks Judy adware out of the PlayStore. Researchers find another Android vulnerability, "Cloak-and-Dagger." Anonymous is working on the Houdini RAT. Mall hackers in Liverpool mind their manners. And security researchers get rickrolled.

Dave Bittner: [00:00:45:10] Time to take a moment to share some research from our sponsor, Cylance. They've been looking at ransomware-as-a-service (RaaS) and they've found that something old is new again - it's NemeS1S. This malicious code can be purchased in the crook-to-crook black market, and it reduces the average skid's barrier to entry into the ransomware game to essentially zero.

Dave Bittner: [00:01:09:23] It appeared in the wild this past January, and it's been advertising itself as new, but, no, the binaries it generates are oldies but baddies from the long-familiar PadCrypt family. PadCrypt betrays itself by its behavior under dynamic analysis - so don't pay ransom, instead, get protected. Visit: and check out the Threat Spotlight paper on NemeS1S. We thank Cylance for sponsoring our show.

Dave Bittner: [00:01:50:20] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Tuesday, May 30th, 2017.

Dave Bittner: [00:02:00:15] British Airways is completing recovery from an IT glitch. It was not, apparently, a hack, as several initial reports over the weekend put it, breathlessly. The incident is instructive in that it illustrates the way in which an accident can be easily misinterpreted as an attack. It also illustrates that some glitches can be as damaging as a deliberate cyberattack against infrastructure.

Dave Bittner: [00:02:23:03] The system outages disrupted flights worldwide, with many passengers either stranded or pushed into buying pricey alternatives. About 75,000 passengers on short-haul flights from Gatwick and Heathrow were most seriously affected, as British Airways found it necessary to suspend flights from London's two principal airports.

Dave Bittner: [00:02:42:19] The airline says the problems arose from a power surge that affected key aspects of its networks, but how that actually happened is so far unspecified. The company took a financial bath from the outage. It's believed to have sustained losses that the Times of London estimates at some £150 million. Flight, baggage, and communication systems, as well as their backups, were knocked out by the incident. British Airways insists it's a one-off. As CEO Alex Cruz put it in an apology to those affected, "Absolutely this will not happen again at British Airways."

Dave Bittner: [00:03:17:13] There's been a Fancy Bear sighting: Fancy may be pawing through Malta's government servers, according to sources in the United Kingdom.

Dave Bittner: [00:03:26:01] The ShadowBrokers are expected to launch their exploit-of-the-month club this week, probably Thursday. The Brokers' auction of Equation Group tools has largely fizzled, prompting speculation that the Brokers' real motivations have been other than financial. However, Motherboard now reports Bitcoin moving from the ShadowBrokers' collection address, which suggests someone's cashing out.

Dave Bittner: [00:03:49:00] In the aftermath of the Manchester bombing, British media point with alarm to the large number of known wolves believed present in the country - more than 20,000. Calls for regulation of encryption rise; observers wonder whether existing powers have been exercised effectively. There seem no obvious quick fixes for either blocking extremist inspiration or developing effective counter-messaging, so a reach for enhanced surveillance capabilities will prove strongly tempting, especially given last week's known-wolf horrors.

Dave Bittner: [00:04:21:05] Authorities in the UK are unhappy with the degree to which their US partners quickly and anonymously leaked information about the ongoing investigation. US Homeland Security Secretary Kelly calls leaks about the investigation from the US Intelligence Community "outrageous," and "close to treason." Former Director of National Intelligence Clapper essentially agrees. Speculation suggests the leakers are unlikely to be senior political appointees, but are more likely to be career intelligence or law enforcement officers.

Dave Bittner: [00:04:52:05] Google is dealing with three issues this week, two in Android, one in Chrome. Judy adware has led Google to kick 41 infested apps from the PlayStore. Security firm Check Point Software discovered and reported the problem. The Korean company responsible for the auto-clicking adware, which you may have unwittingly encountered in the form of the Chef Judy app, is said by news site Neowin to be Kiniwine, registered at the PlayStore as ENISTUDIO Corp.

Dave Bittner: [00:05:20:18] The second problem, Cloak and Dagger, is a family of credential-stealing attacks demonstrated by researchers at Georgia Tech and the University of California Santa Barbara, so far not manifesting itself in the wild, but being addressed by Google.

Dave Bittner: [00:05:34:21] The third issue affects Chrome. It's a bug that doesn't trigger Chrome's red-circle-and-dot warning, and that in principle could help an attacker induce an unwary user to download spyware. Google doesn't consider this flaw a security issue - not entirely without reason, since the security measure is really the pop-up dialog box warning you against installation, and that box still pops. The problem will eventually be addressed, but it won't receive emergency attention.

Dave Bittner: [00:06:03:00] Chris Olson of The Media Trust told the CyberWire that he thinks the Chrome bug deserves more attention. He said, "Not only does this flaw expose the lack of control website operators have over their digital properties, but it also violates consumer privacy expectations." This, he concludes, can only contribute to further erosion of consumer faith in the security of the Internet.

Dave Bittner: [00:06:26:18] Someone claiming affiliation with Anonymous is working on the Houdini RAT: Recorded Future predicts Houdini's appearance in some future hacktivist op. Anonymous has had more fizzle than ka-boom over the last couple of years. May we hope for more fizzle.

Dave Bittner: [00:06:42:17] According to various Tweets, and a story in Motherboard, there are some polite security vigilantes at work in Liverpool. We deprecate vigilantism, but at least these bravos are polite. The message they're said to have left on an electronic billboard at the Liverpool One shopping center read, "We suggest you improve your security. Sincerely, your friendly neighborhood hackers." So nota bene, hackers and mallrats: courtesy costs nothing. Still, stay out of other people's networks, kids. Right? Right.

Dave Bittner: [00:07:17:12] Finally, you know Yara, the tool that helps security researchers assemble their own rules for malware tracking? Trend Micro primly points out that while Yara's a good thing, it shouldn't be your only thing. And why not? Because some funsters modified a Yara rule to generate an alert that will pull up a version of a 1987 chart-topper by Rick Astley. So don't let your tools drive you to Mr. Astley. We know, we know - you're never gonna give up Yara, but at least consider a mix, lest you too be rickrolled.

Dave Bittner: [00:07:56:17] Time to take a moment to tell you about our sponsor, Recorded Future. You've heard of Recorded Future - they're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insights into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best-informed decisions possible for your organization.

Dave Bittner: [00:08:20:23] Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to: to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:08:57:22] I'm pleased to be joined once again by Johannes Ullrich. He's the Dean of Research for the SANS Technology Institute, and he also hosts the ISC Stormcast podcast. Johannes, welcome back. You wanted to tell us today about some information about DNS security.

Johannes Ullrich: [00:09:14:12] Yeah. There's an important change coming up in how DNS and SSL or TLS certificates intersect. Over the last couple of years, there has been a lot of talk about weaknesses in SSL and how people should move to TLS, but aside from these fairly subtle and difficult-to-exploit vulnerabilities in the algorithm, there have been ongoing issues with certificate authorities just issuing certificates they weren't supposed to issue.

Johannes Ullrich: [00:09:45:19] To help with this, there is a new DNS record that was introduced back in 2013 by RFC 6844, that is supposed to allow for certificate authorities to check whether or not they are supposed to issue a particular certificate. So what's happening here, now, is that the organization that essentially governs TLS in browsers will make this change mandatory as of September 2017. What this means in practical terms for you is that if, in September this year or later, you're going to ask for a certificate, the certificate authority will check if you have this certificate authority authorization record in your DNS zone.

Johannes Ullrich: [00:10:38:11] Now, if you don't have this record, nothing will change, but you have the option to add this record, which really provides significant additional security for your TLS certificates. Certificate authorities will only issue certificates if they're authorized to actually issue them, and they will notify you whenever a new certificate's being issued. This is a really important change to how certificates will work, and something you should consider adding before September to your zone to take advantage of it.

Dave Bittner: [00:11:13:08] All right, good information. Johannes Ullrich, thanks for joining us.

Dave Bittner: [00:11:23:05] That's The CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. Find out how they use artificial intelligence to help protect you at

Dave Bittner: [00:11:40:07] You know, hardly a day goes by where someone doesn't approach me on the street and say, "Dave, I listen to The CyberWire every day! How can I support the show?" Well, friend, there are a number of ways. You can support us directly via Patreon, by signing up for a monthly contribution to The CyberWire, to help make sure we continue to provide the news and information you expect in a fun and interesting way. And of course, you can recommend us to your friends and coworkers, write a review on iTunes or Facebook, or share our show on social media. We do appreciate it.

Dave Bittner: [00:12:10:19] And don't forget to check out the Grumpy Old Geeks podcast, where I stop in regularly to help Jason and Brian sort through the latest cybersecurity news. It's a raucous good time - there is some salty language, but we think you'll enjoy it. You can check that out at

Dave Bittner: [00:12:26:17] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, our technical editor is Chris Russell, and our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.