The CyberWire Daily Podcast 7.26.17
Ep 399 | 7.26.17

Counterattackers' advantage? Juche no competition for cat videos, next-day delivery. CopyKitten crude but effective. FBI investigated Fruitfly Mac malware. Adobe will retire Flash in 2020. BSides notes.


Dave Bittner: [00:00:01:06] If your index finger is sore from pressing the skip ahead button on your podcast player, don't forget there's an ad free version of the CyberWire. You can find out more about it at

Dave Bittner: [00:00:15:07] A Symantec study prompts a question: we know there's an attackers' advantage, but could there be a counterattackers' advantage, too? Juche may not extend to the Internet, at least for Pyongyang's leaders. Iran's CopyKitten is characterized as unsophisticated but nonetheless effective. Mac users are awakened by Fruitfly - the FBI is investigating. Adobe tells us to begin saying goodbye to Flash. And some notes from Vegas, because what goes on in Vegas does not stay there.

Dave Bittner: [00:00:48:11] I'd like to tell you about a special offer from our sponsor Cylance for those of you who are heading to Black Hat in Las Vegas this month. As you know, Cylance is a leader in machine learning and artificial intelligence for cybersecurity, and they're going to have an exclusive book signing on Thursday July 27th in booth 716. You can meet author and expert Alex Matrosov, and get a signed copy of his book: Rootkits and Bootkits, reversing modern malware and next generation threats. The latest from Alex and his co-authors Eugene Rodionov and Sergey Bratus.

Dave Bittner: [00:01:19:11] The copy you'll get is not only signed, interesting and informative, but free too? You can't beat that. So on Thursday July 27th join other thinking and thrifty people at booth 716 and don't forget to check out under events for more news and information about all the goings on at Black Hat. We thank Cylance for sponsoring our show.

Dave Bittner: [00:01:51:17] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, July 26th, 2017.

Dave Bittner: [00:02:01:20] We've often heard about the attacker's advantage in cyberspace. The conventional wisdom, and it's well-founded wisdom, is that the cyber attackers have the advantage. They only need one good attempt for success. All their failures matter not a bit, or at least not much. But the defenders have to get it right all the time. One failure and that attacker's in, and probably out, before you know it.

Dave Bittner: [00:02:24:17] So here's some food for thought that may serve to put the usual threat news into perspective. Symantec has taken a look at some prominent Advanced Persistent Threat groups and found that their tools tend to be buggy. The security firm quietly suggests this could be turned to the defender's advantage. Consider it the counterattackers' advantage, and remember, as any graduate of the Leavenworth short course would tell you, that a counterattack is a defensive operation. There's no suggestion here of hacking back, or of cyber marque and reprisal.

Dave Bittner: [00:02:56:04] North Korea is famously isolated, but what about its rulers? They're about as connected as anyone else, according to a Recorded Future study. Pyongyang's elite are assiduous users of Facebook, YouTube, and Amazon, to pick just three attractive Western services. Perhaps because they wish to maintain situational awareness of Imperialist atrocities, although on reflection one is reluctantly moved to skepticism. It seems they like cat videos and next-day delivery as much as the inherently evil American, or rapacious Japanese plunderer. Who knew?

Dave Bittner: [00:03:28:18] This seems inconsistent with the Juche spirit of collective solidarity and self-reliance, but it may provide some insight useful to any elements of the civilized world interested in counter-value targeting in cyberspace.

Dave Bittner: [00:03:43:09] Also in the study are some interesting observations about North Korea's use of foreign networks, sourced by Recorded Future to research done by Team Cymru. Chinese and Indian networks are most commonly exploited by Pyongyang's mix of espionage and criminal operators. They also use networks in Kenya, Indonesia, Mozambique and Malaysia.

Dave Bittner: [00:04:06:09] Various looks at Iran's CopyKitten operators are reaching a consensus that they're not highly skilled, but that they've been effective at espionage nonetheless. ClearSky and Trend Micro report that CopyKitten's Wilted Tulip campaign has successfully exfiltrated data from a range of regional, European, and North American targets.

Dave Bittner: [00:04:27:15] The Fruitfly malware found to have been infesting Apple products is an odd one. Mac Rumors calls it "old and possibly abandoned," but the FBI is investigating. Fruitfly is, or was, essentially criminal spyware.

Dave Bittner: [00:04:41:20] Adobe has announced that it will finally retire Flash. The software has been an important part of the Internet for two decades, although its second decade has been marked by an unwanted role as an often exploited attack surface. But now we can all begin our goodbyes, although they'll be long goodbyes. Adobe has scheduled Flash's final retirement for 2020.

Dave Bittner: [00:05:05:17] When it comes to securing ICS and critical infrastructure, one of the challenges is communicating securely with devices that are physically spread out. One company working on tackling that problem is Full Spectrum, a provider of private licensed wireless broadband networks. Stewart Kantor is CEO of Full Spectrum.

Stewart Kantor: [00:05:25:15] It's not just the electric grid, it’s pipelines, water pipelines, waste water, oil. And so you have all this infrastructure out there that needs to be managed. Historically it was managed over these dedicated phone lines, and now you have the capability to do pervasive computing, very low cost devices at the grid edge or any infrastructure edge. And how do you communicate with that device, and collect the information in this secure way?

Stewart Kantor: [00:05:56:20] One easy way would be to go wherever there's cellular coverage - go get some cellular modems and throw it on the public internet and then we'll have access. So that's what's introducing some of these vulnerabilities to the various networks because most likely it'll have a public IP address or the source is a public address that's been converted to a local address. You're now depending on the infrastructure of these large companies that are vulnerable to all sorts of attacks.

Stewart Kantor: [00:06:27:17] Our customers are large electric utility companies, using our equipment to create their own private wireless internet over very large areas.

Dave Bittner: [00:06:37:19] So just from a security point of view, when you're dealing with radio signals, with RF, what's to keep someone from tossing up a mast antenna and intercepting communications or jamming them or trying to insert their own data into the line?

Stewart Kantor: [00:06:55:13] There are vulnerabilities there in all the technologies. In our aspect we do encryption over the air. They also do VPN, so there's multiple layers on the air interface protocol. We're what they call software defined radio technology and the construction of even the data frame is unique to the customer. This makes the ability to hack a system very difficult.

Stewart Kantor: [00:07:26:08] Our customers are using frequencies that were legacy paging frequencies, legacy television frequencies - things that have been abandoned over time. With our technology we repurpose those licensed frequencies for them, where they own, operate and control the frequency. For example, if they find that their signal's being compromised in a certain area, the FCC is responsible to go out and find that interference and shut it down. There's a layer of even enforceability from the government.

Stewart Kantor: [00:07:56:07] We also have other capabilities in how we dedicate traffic, uplink and downlink, so there's a whole host of designs that can be implemented over the network that allow layers of redundancy and security.

Dave Bittner: [00:08:11:02] That's Stewart Kantor from Full Spectrum.

Dave Bittner: [00:08:15:00] Keynotes at BSides yesterday in Las Vegas highlighted calls for true multidisciplinary cooperation on the very large-scale problems we face in cybersecurity. The disciplines that could make a major difference would prominently include economics, behavioral sciences, and machine learning.

Dave Bittner: [00:08:31:21] Endgame gave an interesting talk: Destructive Malware and Interstate Rivalries - The Evolution of Digital Weapons and Geopolitical Conflict. Andrea Little Limbago and Mark Dufresne gave attack timelines and details of destructive attacks, with an emphasis on the destructive, as opposed to the merely intrusive, from Stuxnet to recent attacks centered on but extending beyond Ukraine. Limbago put the incidents into geopolitical context by describing the various rivalries that created the conditions for the attacks: a smart pairing of the political and the technical.

Dave Bittner: [00:09:06:06] In general the atmosphere at BSides has been easy-going. It's free, the teachers are volunteers, and the attendees struck our stringer as passionate people who care about security and at the same time liked to have fun. Therefore we had a chat with the BSides bartender. She told our stringer that the most commonly chosen morning beverage so far has been beer, followed by Jägermeister. Our sociological desk suggests this means one thing - young crowd, college drinking habits.

Dave Bittner: [00:09:35:01] Around 10:30 local time the first Jack and Coke was ordered up. Being Jack and Coke and not vodka and cucumbers suggests that the demographic is more American than Russian. So cheers, BSides, and be sure you designate a driver or hire a Lyft or Uber or a taxi.

Dave Bittner: [00:09:56:04] Now I want to share some notes from our sponsor Cylance. We've been following WannaCry, Petya, NotPetya, and other forms of destructive ransomware for weeks. Cylance would like you to know that they can prevent Petya-like ransomware from executing in your system and they'd also like you to know that they've been doing that since October of 2015. How's that for getting ahead of the threat?

Dave Bittner: [00:10:16:07] Their success against NotPetya demonstrates the benefit of their temporal predictive advantage. Cylance Protect stops both file and fileless malware. It runs silently in the background and best of all it doesn't suffer from the blind spots in legacy defenses that NotPetya exploited to such devastating effect. If you don't have Cylance Protect, and if you'd like to learn more about how it can defend your enterprise, contact them at and find out how their AI driven solution can predict and prevent the unknown unknowns from troubling you. We thank Cylance for sponsoring our show.

Dave Bittner: [00:10:58:13] I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer science at the University of Maryland and also a director of the Maryland Cyber Security Center. Jonathan, welcome back. We saw a story from Wired magazine, it was talking about some physicists trying to do some work with quantum cryptography. They were using lasers and an airplane. Before we get to that part of the story can you just give us an overview about quantum cryptography?

Jonathan Katz: [00:11:22:05] Sure. So I think most of the cryptography we're familiar with is classical cryptography where you're doing classical computation on classical information. Quantum cryptography's really interesting because it uses the fundamental laws of quantum mechanics in order to build a protocol. What's particularly interesting there is that it's possible to build protocols that you can prove unconditionally are secure against any possible attacker, quantum or not.

Jonathan Katz: [00:11:47:13] So people are very excited about using what's called quantum key distribution to allow two parties to set up a key remotely, much like we do now when we do key exchange when setting up an SSL or a TLS connection. And people are excited about the possibility of maybe doing that with quantum mechanics and getting an invulnerable system for sharing keys.

Dave Bittner: [00:12:06:22] This is the situation in physics where the measurement of the key actually changes the key?

Jonathan Katz: [00:12:13:07] Yes. So basically the way that you can improve security of the protocol is by arguing that if an attacker interferes with a channel in any way, then that interference would be detected by one of the parties. That's something that fundamentally is different from what you have in classical communication where in theory an attacker could read all the bits going across the channel and neither side can even tell that the attacker is there.

Dave Bittner: [00:12:36:02] What's going on with this story in particular? Why did they have to use lasers and an airplane to do their tests?

Jonathan Katz: [00:12:43:17] Well, because it's based on quantum mechanics, you need some quantum mechanical particle essentially that can act as a means of communication in the protocol. One of the most popular ways of trying to implement that is using photons, which of course means light, which brings us to the lasers that you mentioned earlier.

Jonathan Katz: [00:12:59:18] What these people were trying to demonstrate is how far apart the two parties could be while running the protocol and so they were using a laser and they were having one person stand on the ground and another person flying around in the air to try to get a larger distance between them. Of course the challenge is you want something where the people are far apart, but yet they can see each other in a straight line. If they're too far apart, but they're both on the earth, then the curvature of the earth will make them not be able to see each other by a straight line, but if one of them is flying in the air they can get quite far away and still be in line of sight of the person on the ground.

Dave Bittner: [00:13:34:00] Is being able to use it at a distance one of the challenges of this type of cryptography?

Jonathan Katz: [00:13:40:07] Yes, very much so. For one thing it's very sensitive to noise, so you need to be able to send these photons from one party to the other over a large distance without having the signal being corrupted by the noise. Currently the distance over which you can run these protocols is relatively small and it's not yet to the point where you can imagine running this, say, between a user in Los Angeles and a user on the East Coast.

Dave Bittner: [00:14:03:14] So you can't just send it along say like fiber optic cables and that sort of thing?

Jonathan Katz: [00:14:07:03] People are trying that also and looking at maybe using repeaters along the way to try to increase the distance. But this is still very much research that people are carrying out, and a lot of engineering work as well, to push it to larger and larger distances. But we're not there yet.

Dave Bittner: [00:14:21:08] Alright, interesting stuff. Jonathan Katz, thanks for joining us.

Dave Bittner: [00:14:27:05] That's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. You can find out more about Cylance and how they can help protect you with artificial intelligence at

Dave Bittner: [00:14:40:09] We've gained a lot of new listeners over the past couple of months, welcome, we're glad you're here. A reminder that one of the best ways you can help spread the word about our show is to leave us a review on iTunes. It really does make a difference.

Dave Bittner: [00:14:51:12] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.