The CyberWire Daily Podcast 6.13.17
Ep 369 | 6.13.17

CrashOverride update. Influence ops harder to disrupt than infrastructure. Samba exploited for cryptocurrency mining. NSO Group for sale. Botnets and fake news. Airliner laptop bans.

Transcript

Dave Bittner: [00:00:00:20] A big thanks to all of our listeners who've also become Patreon supporters. It's Patreon.com/thecyberwire.

Dave Bittner: [00:00:10:16] CrashOverride looks like a power grid threat, and industry and government are taking it seriously. Cyber operations against ISIS are proving better at collection than disruption. Criminals are exploiting vulnerable Samba instances to spread cryptocurrency mining software. NSO Group has put itself up for sale, valued at more than a billion dollars. Well-informed observers of a civil libertarian bent think botnets don't have First Amendment rights. And if you wondered about that airport laptop ban, here's the rest of the story.

Dave Bittner: [00:00:46:14] Now, I'd like to tell you about some research from our sponsor Cylance. Cylance is a leader among those who believe that artificial intelligence, when realistically conceived, will be a game-changer for security. In particular, it can give you what Cylance calls a temporal predictive advantage: a TPA, where their solution automatically predicts malware and stops it from executing. Now, that's shifting the advantage to the defender. Go to Cylance.com/blog, and check out their explanation of AI's distinctive ability to stop tomorrow's threats today. If you want to execute at machine speed, doesn't it make sense to see what the algorithms a good machine runs on can do for you? See Cylance.com/blog and let them show you what your TPA can be. We thank Cylance for sponsoring our show.

Dave Bittner: [00:01:45:03] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, June 13th, 2017.

Dave Bittner: [00:01:54:24] Yesterday's revelations concerning the CrashOverride, or Industroyer, malware used against Ukraine's power grid last December have prompted a response across the sector.

Dave Bittner: [00:02:04:22] US-CERT in particular has begun work to help utilities stay ahead of the malware ESET and Dragos found in the Ukrainian power grid's takedown. The US Department of Homeland Security's National Cybersecurity and Communications Integration Center, NCCIC, has distributed a set of indicators of compromise to the power industry, and they're freely available to any interested parties. The security firms who produced the research attribute the malware to a threat group, Electrum, with ties to Sandworm. They stop short of calling out a nation-state, but Ukrainian authorities have left no doubt that the attacks they sustained were the work of Russian security services. Most observers agree.

Dave Bittner: [00:02:45:06] Dragos and others believe the attacks in Ukraine may well have been proofs-of-concept or dry runs for other strikes against critical infrastructure. Such concerns may, of course, be overheated and prove unfounded. The Mirai botnet, for example, was also believed for a time last year to have been the work of Russian security services as opposed to the brainchild of a skid entrepreneur hawking Minecraft in-game purchases. But it's not unreasonable to see a larger threat in CrashOverride. It was carefully crafted to its purpose, and done so as close to scratch as such things are, bearing few of the usual fingerprints in the form of reused code that usually accompany malware. The power industry continues to consider the implications of this discovery; we'll be following the story as it develops.

Dave Bittner: [00:03:32:12] Crooks are exploiting the Samba vulnerability in Linux and Unix machines to spread cryptocurrency mining software. Researchers say the criminals have only made about $6,000 so far, but the mining process is resource-intensive, and that means that CVE-2017-7494 remains unpatched on a great many Samba instances.

Dave Bittner: [00:03:55:19] It's fair to say the WannaCry ransomware attack was a big deal, and it had the potential to be a lot worse. Many security teams look to it as a cautionary tale, or even a wake-up call. Kirsten Bay is president and CEO of Cyber adAPT, and she thinks there are some valuable lessons to be learned from high-profile attacks like WannaCry.

Kirsten Bay: [00:04:15:14] Well, my first thought was, oh my gosh, it's finally happening, and hopefully this will get people to pay attention such that they think they actually need to do something about it, as opposed to going, wow, that's a really big problem; hopefully someone does something about that. Fortunately, it was a relatively old compromise and it was weaponized, of course, by the NSA, but it certainly does give us the opportunity to look at something that isn't new, but certainly has changed. And that's really the nature of all of these types of attacks, right? It's not that anything is particularly new; it's how people are manipulating it to be more effective in today's environment. But if this were a zero-day, this could have been a real issue.

Dave Bittner: [00:04:52:15] And you all are advocating what you describe as a detection-led approach. Can you tell us what do you mean by that?

Kirsten Bay: [00:04:59:06] Well, it has a number of components to it, but the detection-led approach, from our standpoint, really being a threat-centric approach, is to understand both the outside world, that being a threat intelligence world, the bad guy world, where everything's happening live on the wire in the sense that these are live attacks happening in the environment. But then there's also what's happening on the network, whether it's just basic network traffic or something anomalous happening in the network traffic.

Kirsten Bay: [00:05:27:12] Our view is that we really need to understand the motivation and intent of an adversary to then identify the indicators of compromise, so that we can be much more effective and efficient in helping incident responders remediate those attacks, but also be a little bit ahead and be able to prevent some of them by alerting as they're hitting the firewall, and preventing them from getting in in the first place.

Dave Bittner: [00:05:49:16] What kind of advice do you offer for people going forward, now that this attack is in our rearview mirror?

Kirsten Bay: [00:05:57:02] The key thing for me always is about prioritization. I come from a risk background, so I try to take the risk management approach to these solutions, which is: first try to understand what it is that you need to be prioritizing to protect it. Very often I have executives and security professionals alike asking me, "Can you please just tell me what to do?" Which is something that we've tried to do with our solution, but also what we're really trying to do is help people identify what is the event that could have substantial ramifications and impact to your business? And then let's figure out how we prioritize around those events, because I think for years before now, we had this peanut butter spread approach to security, which was - we'll just deploy everything the same way. It's expensive and it's not particularly effective.

Kirsten Bay: [00:06:46:13] So what I really have been trying to get people to think about is: what are your critical assets? What are your critical business functions? And how do you secure that a different way, where you really put the Fort Knox around that, but then do other elements of securitization around your perimeter and inside your network, that then give you the layered approach? The defense-in-depth strategy, really. But the prioritization is key to me.

Dave Bittner: [00:07:09:11] That's Kirsten Bay from Cyber adAPT.

Dave Bittner: [00:07:13:13] In industry news, NSO Group, the controversial vendor of the Pegasus lawful intercept tools, is up for sale. The valuation of the Israel-based company is in unicorn territory, being pegged as somewhat more than a billion dollars. NSO Group's products have attracted adverse comment from Citizen Lab and others who object to their use by various authoritarian regimes: there are dissidents in prison who were caught by Pegasus software.

Dave Bittner: [00:07:41:15] The New York Times credits US cyber operators with successes against both Iran and North Korea, but says efforts against ISIS have been less successful. In this they perhaps overrate US success against North Korea's missile program, which is by no means as clear, or even as clearly attempted, as third-party sources in the UK have said.

Dave Bittner: [00:08:02:21] But Iranian and DPRK nuclear programs present a very different set of challenges than do the operations of ISIS in cyberspace. The Caliphate isn't running a readily identified and attacked industrial infrastructure. Instead, it uses cyberspace for recruiting and inspiration. The networks and resources it devotes to these are reconstituted almost as soon as they're taken down, and they continue to reach terrorists and impel them to jihad. This suggests that influence operations are tougher to block than traditional IT or OT hacks.

Dave Bittner: [00:08:36:21] At the CyberTech Fairfax today we heard a keynote by former US Homeland Security Secretary Michael Chertoff, who offered an interesting perspective on information operations. Asked specifically about fake news, and what could be done to control or restrict it, Chertoff identified himself as, essentially, a First Amendment absolutist. "I'm old-fashioned about the First Amendment," is how he put it. He offered familiar observations about the difficulty of distinguishing fake news from real news, and about the proper response to bad speech being other, better speech. He also noted that "botnets don't have First Amendment rights." He suggested that rather than devoting attention to censorship, interesting lines of work might be pursued in authentication and identity management, in being able to determine that people are in fact whom they represent themselves to be. And he thought advances that enabled one to readily distinguish robots from natural persons would be welcome. We'll have more on CyberTech Fairfax in tomorrow's CyberWire.

Dave Bittner: [00:09:39:21] Finally, to return to ISIS and what can be learned about it online, governments fighting the Caliphate have done better at collection than they have at cyber disruption. One such intelligence product that's had consequences for air travel is the ban on carrying laptops aboard flights from specified airports. The origins of that ban are now known, at least according to the New York Times, and the Times is telling a plausible story. Israeli intrusion into networks used by ISIS bomb-makers found that the bomb-makers were working on fabricating explosives that could pass undetected through airport x-ray machines. The explosives were being crafted to look like laptop batteries.

Dave Bittner: [00:10:24:10] Time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's cyber daily. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the cyber daily email to get the top trending technical indicators crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to Recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:27:04] I'm pleased to be joined once again by Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute, and he also hosts the ISC StormCast podcast. Johannes, welcome back. We want to touch base today about IPv6 security. So, to start off, just by way of definition, tell us what exactly is IPv6?

Johannes Ullrich: [00:11:48:00] IPv6 is really the next generation of the IP protocol. We currently use predominantly IPv4, or version four of the protocol. IPv6, version six, is the next version. The big substantial change here is that we will end up with a lot more addresses. Currently, IP version four has up to four billion addresses. And if you think about it, that's less than we have people on the world, so it's not enough to give everybody on the world an IP address, in particular considering that we have all these devices now connected to the Internet. With IPv6, for practical purposes, we get an almost infinite amount of IP addresses, so it's really built to grow and scale the Internet.

Johannes Ullrich: [00:12:34:05] The real problem that I run into when talking about IPv6 security is that a lot of people who use IPv6 are really not aware of the fact that they're using IPv6. A lot of our security infrastructure these days is very centered around IPv4, so a lot of the IPv6 traffic is going unnoticed, in particular on mobile networks. Mobile network carriers have a huge incentive to actually implement IPv6, because they can't get any more IPv4 address space, and the carrier rate now that they're implemented costs them around $40 a year per customer. So, that's quite a financial incentive to do this.

Johannes Ullrich: [00:13:17:21] Now, if you use IPv6 without actually realizing that you're using IPv6, then you contact sites like Google, Facebook and the like via IPv6 and essentially bypass all the security infrastructure that you built up to monitor this traffic.

Dave Bittner: [00:13:35:19] How can someone figure out if their mobile devices are actually using IPv6?

Johannes Ullrich: [00:13:40:09] It's really not a straightforward question in the sense that a lot of the times, the network configuration screen in these devices doesn't display the IPv6 configuration - only the IPv4 configuration. The easiest way to do it is go to a website like test-IPv6.com, or go to Google and look up your IP address via Google, and see if an IPv6 address is coming back.

Dave Bittner: [00:14:06:17] Good information as always. Johannes Ullrich, thanks for joining us.

Dave Bittner: [00:14:11:24] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit TheCyberWire.com. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit Cylance.com. Thanks once again to all of our supporters on Patreon. To find out how you can contribute to the CyberWire, go to Patreon.com/thecyberwire.

Dave Bittner: [00:14:38:06] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.