The CyberWire Daily Podcast 6.20.17
Ep 374 | 6.20.17

Who's behind the Android malware infestations? Mirai and Erebus updates. Industry notes. Brussels takes the pro-crypto side in the crypto wars. CrashOverride as a weapon. IG report on NSA insider threat management.


Dave Bittner: [00:00:00:23] Thanks again to all of our supporters on Patreon. It's

Dave Bittner: [00:00:09:00] Some believe they've seen the Professor Moriarty behind 2017's Android malware outbreak. Erebus is back, and this time it's in Linux. Mirai may be about to become more resistant to cleaning. Crypto wars flare in the UK and EU as terror investigations proceed. A quick look at SINET's Innovation Summit. Raytheon's DHS cyber contract survives a challenge. CrashOverride looks to a lot of experts like a proven cyber weapon. And did the dog eat the Fort's homework, or did some Bear feed said homework to the dog?

Dave Bittner: [00:00:45:22] A quick note from our sponsors at E8 Security. They understand the difference between a buzzword and a real solution, and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new, but proven technologies at

Dave Bittner: [00:01:04:14] We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while supervised machine learning, where the human teaches the machine, might seem to be the best approach, in fact unsupervised machine learning can show the human something unexpected? Cut through the glare of information overload, and move from data to understanding. Check out, and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:51:23] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Tuesday, June 20th, 2017.

Dave Bittner: [00:02:01:10] If you've been wondering about the recent increase of malware infestations in Google's Play Store, there may be a single hacker behind much of it. Bleeping Computer is tracking someone whose nom de hack is "Maza-in" in various underground fora. He or she seems to be the one who both created and shared the code for BankBot and MazarBot, unusually evasive and irritating bits of malicious code that have been taken up and used by other hoods. Maza-in appears to be engaged in a bit of dark web boasting, which suggests that he or she is off his or her OPSEC game.

Dave Bittner: [00:02:37:05] Trend Micro says Erebus has resurfaced in the form of Linux ransomware. The initial infestation is in South Korea. Erebus had been known for two things - going after Windows systems and not restoring files upon payment of ransom. The first feature has changed, as Linux systems are now in the crosshairs. The second? Probably not. Back up your files.

Dave Bittner: [00:03:00:23] Mirai is back in the news, in a way. Security firm Pen Test Partners has found a vulnerability in widely used DVRs that could be exploited to permit a Mirai infection to survive a reboot.

Dave Bittner: [00:03:13:00] In industry news, with contract award protests over, Raytheon will keep its billion-dollar contract to provide cybersecurity services and solutions to the US Department of Homeland Security. The company sees the win as helping it, not just domestically, but internationally as well.

Dave Bittner: [00:03:30:11] We're at SINET's Innovation Summit in New York today. We'll have a full report of the proceedings tomorrow, but we will say for now that there's much attention being given to emerging standards of care, particularly with respect to the internet-of-things and GDPR implementation.

Dave Bittner: [00:03:46:22] French police begin rolling up the networks of a jihadist killer in Paris. In the UK, no such network has so far been discerned in the case of the killer who attacked Muslims leaving their Ramadan place of worship. Such attacks have sharpened the crypto wars in the UK, with Her Majesty's Government calling for severe restrictions on the wide availability of end-to-end encryption. The EU is not following suit. A recent ruling from Brussels puts Europe firmly on the other side of the crypto wars. So Prime Minister May, in this respect, is increasingly playing a lone hand.

Dave Bittner: [00:04:22:10] Last week on our podcast, we spoke with Robert M. Lee from Dragos about the CrashOverride malware, and its potential to take down electrical grid systems. In the time since then, we spoke with John Bryk from the Downstream Natural Gas Information Sharing and Analysis Center - that's the DNG-ISAC. He's been pleased with the way the ISACs have been functioning in an event like this, getting information to their members quickly. He also shared an interesting analogy with regard to attribution.

John Bryk: [00:04:51:16] If you have a cabin in the woods and a forest fire is sweeping towards it, you really don't care who started the forest fire, you care about protecting your property. Putting water on it or calling the Fire Department, etc. Who started it is a question for the Government Agency, for the local Fire Department, or the FBI, and it's the same thing with malware. It's not really useful for us to know who did it at the operational level. It's very interesting for me at the threat analyst level, but we can't take action upon that because we're not Law Enforcement, we're not able to issue a diplomatic démarche. You know, we can't do those kinds of things. Now, having said that, if we work backwards and we look at the forest fire example, we might not know or care who started it, but if we look around our cabin, we can see that there's dry brush, we can see that perhaps we have a neighbor who's storing fuel outside, or who's doing open welding. These are the kinds of things that contribute to our problem. We might not be attributing the actual attack or problem to these people, but they're contributors. It's very important in the cyber world for everybody to take the kinds of corrective or preventive measures that are available. Whether those are patches, whether those are following advisories from the Industrial Control Systems CERT, ICS-CERT. If everybody plays the game, everybody's safer. It's that guy who ignores the problem, or remains unpatched, or doesn't take any effort, and then that allows everybody else to fall victim to these kinds of things when they sweep through the networks.

Dave Bittner: [00:06:42:21] That's John Bryk from the DNG-ISAC.

Dave Bittner: [00:06:46:13] Experts think the CrashOverride malware used against Ukraine last December represented the culmination of a long and patient campaign, prepared by infestations of Havex and BlackEnergy. WIRED puts it directly: Ukraine "became Russia's test lab for cyberwar." Observers think Russia now has a proven cyber weapon ready for use. CrashOverride is disturbing, apparently purpose-built from scratch and used in deliberate, highly targeted campaigns.

Dave Bittner: [00:07:15:21] There are indications that US policy, at least, is more firmly tilting to the Ukrainian side in that country's long-running hybrid war with Russia. Reports that President Trump will meet Ukrainian President Petro Poroshenko before he meets Russia's President Putin are causing a sensation in Kiev, where it's been perceived as a strong signal of diplomatic support, at least.

Dave Bittner: [00:07:38:16] The European Union has decided to adopt a united front with respect to answering cyber attacks with sanctions. The EU thus joins NATO in adopting a collective posture with respect to cyber warfare.

Dave Bittner: [00:07:51:07] Results of a US Defense Department Inspector General look at NSA's insider threat program suggest the agency has a lot of work ahead of it. The results of the 2016 inspection, conducted at Congressional request, are at best mixed, and in this context "mixed" isn't good.

Dave Bittner: [00:08:09:06] The IG looked at seven of the most important measures NSA undertook in the wake of the Edward Snowden leak incident, and the IG found that the agency was falling far short of where it should be in managing personnel with privileged access to its data and systems. In many cases, NSA was unable to say who had such access. Records were kept in a manual spreadsheet, but that spreadsheet could no longer be found. As Motherboard unsympathetically puts it, either the dog ate their homework, or someone fed that homework to the dog. The second possibility is more disturbing. We can think of a couple of bears who might be interested in dishing up that kind of puppy chow.

Dave Bittner: [00:08:52:17] I'd like to tell you about an opportunity our sponsor ThreatConnect is offering, and this one is worth your attention. ThreatConnect gets threat intelligence. They equip organizations with a powerful defense against cyber threats and they give enterprises of all kinds the confidence to make strategic business decisions on the basis of a sound, timely and accurate picture of the threat. Built on the industry's only intelligence-driven extensible security platform, whatever your security team size or level of maturity, ThreatConnect will help them with threat intelligence, aggregation, analysis and automation. ThreatConnect can show you how to orchestrate your defense against today's advanced malware, and they'll do it for you in a convenient webinar. Go to and sign up. The presentation is June 22nd at 1pm Eastern time, 10am Pacific. That's for insight into orchestration. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:09:54:10] Joining me once again is Ben Yelin. He's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. A story came by from the Chicago Tribune about the Illinois Senate approving a right-to-know online privacy bill. What's going on here?

Ben Yelin: [00:10:10:06] So we saw at the federal level a major rollback of Internet privacy rights. Of course, Congress passed and the President signed a bill that repealed an FCC Regulation that prohibited Internet Service Providers from sharing subscriber information. That has left the states to sort of fill this void and protect Internet privacy, and the first major effort we've seen is taking place in the State of Illinois. As you mentioned there, the State Senate passed a bill this past week, called the Right To Know Act, and this measure would require online companies like Google, Facebook, Amazon, to disclose to their consumers the exact data that has been collected and shared with third parties. And this sounds like a very promising idea for privacy advocates, but there's been a significant push back from the industry and from some of the Internet trade groups and also the Illinois Chamber of Commerce, saying that this Bill is really a bonanza for trial lawyers couched in a privacy Bill.

Ben Yelin: [00:11:15:21] I was listening to a radio segment in Illinois with the Head of the Chicago Chamber of Commerce, and he was saying that this Bill was largely pushed by one trial attorney firm in the State of Illinois and, at least, his allegation is that those trial attorneys want to be able to sue the Googles and Facebooks of the world if they don't reveal the information that they have collected. So it's not necessarily that we would be stopping Google and Facebook from collecting that information. We would just be holding them liable for a lawsuit in the State of Illinois if they didn't properly disclose that information. And what he argued is that it would actually have a reverse effect against data privacy because Google and Facebook would be so conscious about maintaining data, about complying with this new law, they would actually collect more data to ensure that they were in compliance. Whereas you know, previously they wouldn't be as concerned with exactly what they were collecting.

Ben Yelin: [00:12:17:13] So I think this is a noble effort at digital privacy, but I think it's an incomplete effort at this point. The Bill is now headed for the State House, where I think lobbying pressure will certainly increase. So far it's been opposed in the State Senate by Republican Legislators, and the reason that that's significant is that Illinois has a Republican Governor. So this Bill is subject to a potential veto if it comes to that.

Dave Bittner: [00:12:41:12] So just to be clear, this is not a direct replacement for the roll-backs that just happened with the FCC?

Ben Yelin: [00:12:48:01] No. So the Bill that Congress passed and the President signed rolled back an FCC Regulation that applied to Internet Service Providers like Comcast, AT&T and Verizon. That rule would have prohibited those service providers from sharing private information with third party vendors. This Bill in the Illinois legislature applies to sites like Amazon, Google and Facebook. So not the providers themselves, but the providers of content. So the Bill is slightly different in its scope. It's not sort of intended to be a one-for-one replacement of the overturned Federal Regulations. It is more intended to be a concurrent effort to show that there is still some momentum for digital privacy. And I think it's also a recognition that with a Congress and a President that have been hesitant about some of these digital privacy measures, the action for advocates is going to have to be at the State level.

Dave Bittner: [00:13:46:19] But this could be a potential nightmare for these global providers, if they have to deal with state by state regulations?

Ben Yelin: [00:13:54:22] Yes. So that's one of the reasons they're apoplectic about it. The one thing that providers want is regulatory certainty. They do not want to be in a situation where they are going to have to defend against a million lawsuits from Illinois plaintiffs in Illinois courts and they want to have to tailor their policies just to avoid lawsuits from one particular state. And that's the argument that a lot of the Bill's opponents were making in the Illinois State Legislature, is that it would be an enormous burden on E-commerce, and it would be just an inordinate burden on these providers, because they would be subject to a whole slew of law suits, and would be pretty sour about doing any business in the State of Illinois.

Dave Bittner: [00:14:40:24] Alright, Ben Yelin, thanks for joining us. And that's the CyberWire. For links to all of our stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit Thanks to all of our supporters on Patreon, you can find out more at The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.