The CyberWire Daily Podcast 2.22.16
Ep 40 | 2.22.16

Russian cyber ops in Syria. Ransomware evolutions. Apple vs. the US Justice Department.


Dave Bittner: [00:00:03:14] When it comes to Syria, Russia seems to be following the cyber ops template established in Ukraine. Hezbollah says it's compromised Israeli security cameras. Authorities look for a way to combat ransomware as the Xbot shows a convergence between banking malware and extortion. We take a quick look at insurance, the IOT and Shodan. The issues at stake in the FBI/Apple dispute come into sharper focus. And John McAfee says he's prepared to ride to the rescue.

Dave Bittner: [00:00:31:06] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute. Providing the technical foundation and knowledge needed to meet our nation's growing demand for highly, skilled professionals in the field of information security, assurance and privacy. Learn more online at

Dave Bittner: [00:00:54:04] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, February 22nd 2016.

Dave Bittner: [00:01:01:03] Russian support for the Assad regime in Syria's civil war, strikes observers as following patterns developed in Russia's incursions into Ukraine. Specifically, Russian forces are conducting a widespread cyber espionage campaign against the various groups including of course, ISIS, who align with Assad. They're also working to shape information on humanitarian disasters in Syria and to cloak, as much as possible, the extent of direct Russian intervention. Hezbollah's Qadman hacking unit claims it's compromised a number of network Israeli security cameras. Hezbollah is a Shi'a group aligned with Iran. Israeli authorities haven't confirmed the compromise, but the claim is being widely reported in the Israeli press.

Dave Bittner: [00:01:40:09] Joomla has joined WordPress as a target for ransomware purveyors. The actor's are thought to the same group behind the Ad Media campaign that's afflicted WordPress sites. The number of infections observed in Joomla is smaller than seen in WordPress, but Joomla has a smaller base, meaning the infection rate is proportional to the size of that base. Rackspace, Sucuri, Malwarebytes and Heimdal have been tracking the related campaigns.

Dave Bittner: [00:02:03:13] The $17,000 Hollywood Presbyterian paid to cyber extortionists last week continues to draw more sympathy than criticism. Other medical centers come forward to describe their own experiences with ransomware. Federal law enforcement agencies continue to grapple with an approach to this form of crime, even as the Android Xbot Trojan Palo Alto described last week shows a dismaying convergence between ransomware and credential harvesting.

Dave Bittner: [00:02:27:23] Several experts offered advice on surviving a ransomware attack. The first step in every set of recommendations is to regularly, frequently, and securely back up your data.

Dave Bittner: [00:02:37:21] The JSF Astrix bug Checkpoint disclosed in eBay two weeks ago is now being exploited in the wild. The online auction site's attempts to close the cross-site scripting vulnerability appears, so far, to have been less than fully successful.

Dave Bittner: [00:02:51:00] In industry news, as businesses increasingly turn to cyber insurance as a way of transferring risk, they would be well advised to read their policies carefully. A New York state court found that the owners of several upstate Five Guys restaurants had a policy that specifically excluded electronic data from it's coverage. For their part, insurers are looking for sources of better actuarial data to help manage all forms of risk. Some of them see the Internet-of-things as a potential mine of such data. We spoke with University of Maryland's Joe Carrigan about getting data from the IoT and specifically about the Shodan search tool. We'll hear from him after the break.

Dave Bittner: [00:03:26:03] The dispute between Apple and the Department of Justice over the FBI's request for assistance in unlocking an iPhone used by the San Bernardino Jihadists, continues to dominate cyber news. It's emerging that a San Bernardino county IT staffer reset the iPhone's iCloud credentials within hours of its seizure. The Justice Department acknowledged as much in its filing. Quote, "The owner San Bernardino County Department of Public Health, in an attempt to gain access to some information in the hours after the attack, was able to reset the password remotely. But that had the effect of eliminating the possibility of an auto backup." End quote.

Dave Bittner: [00:04:01:02] The County says this was done at the FBI's request and Apple points out that had they not done so, there's a good chance they would have been able to recover data that had been backed up to iCloud.

Dave Bittner: [00:04:11:01] Both FBI Director, Comey, and Apple head, Cook, continue their dispute in public. Comey denies asking for a backdoor, saying the Bureau wants access to one device and one device only. The Department of Justice suggested Friday that Apple is in fact more concerned with marketing than privacy. The company's refusal to comply, Justice said, quote, "... appears to be based on its concerns for it's business model and public brand marketing strategy." End quote. For its part, Apple has said that Justice is asking for things, quote, "... not even China" (end quote) has asked for, and CEO Tim Cook sent Apple employees an email early this morning, in which he outlined the company's position and called for a national commission on technology and intelligence gathering.

Dave Bittner: [00:04:50:17] Both sides to the dispute have their partisans and reactions are mixed. The tech industry, generally, although not unanimously, sides with Apple. The general public tends to show more sympathy for the FBI. Among pundits, there's an interesting contrast between Lawfare and the Atlantic. Lawfare thinks that Apple is off base, going so far as to suggest some points of similarity between the company's stance in favor of privacy and Big Tobacco's implication of civil liberties in its push back against health concerns. But an opinion piece in the Atlantic isn't convinced by Lawfare, and thinks the FBI is crying wolf. After all, the Atlantic says, murders were successfully investigated long before there were phones.

Dave Bittner: [00:05:29:08] Antivirus pioneer and libertarian presidential candidate, John McAfee, is generally sympathetic to Apple but he thinks he has a middle way he can offer. "I will..." the security legend says, " of charge, decrypt the information on the San Bernardino phone with my team." That team is a community of hackers McAfee knows at DEF CON and elsewhere. McAfee goes on, "We will primarily use social engineering and it'll take us three weeks."

Dave Bittner: [00:05:54:01] How in principle this problem might be socially engineered is unspecified. But McAfee says, "I would eat my shoe on the Neil Cavuto show, if we could not break the encryption on the San Bernardino phone." We wish him success but we have to ask, why Neil Cavuto? Neil Cavuto is fine but was Maria Bartiromo unavailable?

Dave Bittner: [00:06:16:00] This CyberWire podcast is brought to you through the generous support of Betamore, an award winning co-working space, incubator and campus for technology and entrepreneurship located in the federal hill neighborhood of downtown Baltimore. Learn more at Betamore dot com.

Dave Bittner: [00:06:34:20] Joining me is Joe Carrigan from the Johns Hopkins Information Security Institute. They're one of our academic and research partners. Joe, we have covered Shodan, which is the search engine of the Internet-of-things, according to themselves. Their claim to fame is that you can log on there and you can find unsecured baby monitors. [LAUGHS] Tell us more about this.

Joe Carrigan: [00:06:56:20] It's a search engine where you can find things that are on the Internet and available for you to connect to. I've spent time looking at it, it's very interesting. There are other sites like it, there's one just dedicated to open webcams. You can just load the web page and it starts streaming out page after page of open webcams that have been found on the Internet.

Dave Bittner: [00:07:19:05] There was the story about the child who said they had an imaginary friend.

Joe Carrigan: [00:07:25:19] It turned out to be someone talking to him on the other end of a baby monitor. Super creepy. [LAUGHS]

Dave Bittner: [00:07:32:08] The lesson there is that when you get a new webcam--

Joe Carrigan: [00:07:37:02] Password protected or make sure it can't be accessed from the internet or decide if it's really what you need. You need to consider the size of your attack surface.

Dave Bittner: [00:07:48:06] Another you can find here is SCADA information.

Joe Carrigan: [00:07:54:03] SCADA devices are unprotected. These are industrial control systems that are running at some company controlling a system that's just available on the internet and you can connect to them and see what they're doing.

Dave Bittner: [00:08:07:02] Potentially life threatening.

Joe Carrigan: [00:08:08:16] Yes. And these vulnerabilities need to be considered when people are putting things on the internet. You need to understand how you should be securing these devices, whatever they are, from the personnel level all the way up to the industrial level. You need to understand the risk you're exposing yourself to and to understand how the network traffic flows through the internet and through your network, and what the path is to your SCADA system.

Dave Bittner: [00:08:33:21] Joe Carrigan, thanks for joining us.

Dave Bittner: [00:08:38:10] And that's the CyberWire. For links to all of today’s stories, interviews, our glossary and more, visit And we truly appreciate your help in spreading the word about our podcast. You can review the show on iTunes, like us on Facebook; find us on Linkedin and on Twitter. The CyberWire podcast is produced by CyberPoint International and our editor is John Patrick. I'm Dave Bittner, thanks for listening.