The CyberWire Daily Podcast 7.27.17
Ep 400 | 7.27.17

"Mia Ash" is an Iranian catphish. WikiLeaks dumps UMBRAGE from Vault7. Germany braces for hacking by Russia, China, and Iran. Google kicks unwelcome intercept tool Lipizzan out of the PlayStore. WhatsApp scammers phish for banking credentials.


Dave Bittner: [00:00:01:04] If the CyberWire is an important part of your day and helps you do the work that you do, we hope you'll consider becoming a Patreon supporter. You can find out more at Thanks.

Dave Bittner: [00:00:14:10] There's a new catphish in the wild. WikiLeaks throws shade by dumping UMBRAGE from Vault7. Germany braces for hacking from Russia, China and Iran, especially from Russia. Google kicks an unwelcome intercept tool out of the Play Store. WhatsApp scammers phish for banking credentials. Business disruption kills small businesses in ransomware attacks. Facebook makes a plea for culture change. And there are enough anti-drone products out there to make Wile E. Coyote max out his Acme loyalty card.

Dave Bittner: [00:00:49:01] I'd like to tell you about a Black Hat presentation from our sponsor Cylance. Did you know that guardians of the BIOS are failing? That the BIOS is being betrayed? Well okay, it's not exactly Benedict Arnold in your firmware but there are still, Cylance will tell you, issues. Come to Cylance's presentation: Betraying the BIOS, and learn the ins and outs of unified extensible firmware interface security, from both an attacker's and defender's point of view. Learn how some hardware vendors have left SMM and SPI flash memory wide open to rootkits. How UEFI rootkits work. How specific technologies aim to kill them, and about weaknesses in those protective technologies. It's all there for you, Thursday evening, July 27th, from five to six in the Mandalay Bay, South Seas ABE. You may not be interested in the UEFI but Cylance assures you, that UEFI is interested in you. Learn more at Mandalay Bay or at least online at under events. We thank Cylance for sponsoring our show.

Dave Bittner: [00:01:58:05] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner, in Baltimore with your CyberWire summary for Thursday, July 27th, 2017.

Dave Bittner: [00:02:08:16] Remember catphishing? Remember Robin Sage, the security expert who never was, but who nonetheless attracted friends and job offers from within the US Defense Department and the industry that surrounds it? She was a demonstration catphish, but now she has some counterparts in the wild. Dell Secureworks Counter Threat Unit presented their findings on one Mia Ash, a 20-something fictitious persona who purports to be a photographer based in London. She's also supposed to be an amateur model who's into social media and "tech-savvy guys with ties to the oil and gas industry," as Threatpost puts it.

Dave Bittner: [00:02:45:06] Mia is an elaborately curated catphish run by the threat group Cobalt Gypsy, a.k.a. OilRig, TG-2889 or Twisted Kitten. Cobalt Gypsy is thought to be operating on behalf of the Iranian government. Its targets are governments, telecommunications infrastructure, defense companies, oil companies and financial service outfits in the Middle East and North Africa. Mia Ash is being used to troll for connections in the oil and gas industries. The operation's goal is to infect the marks with PupyRAT malware in a cyber espionage play. So if you're bored out there on your production platform, sorry to rain on your parade, petroleum engineers, but Mia's not really interested in you because, well, there's no Mia.

Dave Bittner: [00:03:30:14] WikiLeaks has dropped more documents from its Vault7. This week it's the UMBRAGE Component Library, UCL. A collection of publicly available exploits scouted, WikiLeaks says, by Raytheon under a CIA contract between November 2014 and September 2015. The tools described in the UCL include Embassy Panda's keylogging RAT, the Samurai Panda version of the NfLog RAT, surveillance malware Regin, command-and-control arranger HammerToss, and the information-stealing Trojan Gamker. These are for the most part thought to be state tools. The Pandas are believed to belong to China, and HammerToss is thought to be Russian. But WikiLeaks offers a sinister, if not fully convincing spin - why would the Agency be interested if not to repurpose these tools for its own attacks? We can imagine a few reasons: security, counterintelligence, threat profiling, situational awareness, all come to mind. But WikiLeaks is not in the business of looking on the sunny side of Langley.

Dave Bittner: [00:04:33:15] German elections are scheduled for September, and that country's authorities are determined to conduct them without interference, especially Russia's interference. German officials warn that Russia is interested in elections, China is interested in intellectual property, and Iran is interested in many things. The German government has established a command center and beefed up security capabilities to deal with an elevated level of threat, expected to continue to rise at least through September's elections.

Dave Bittner: [00:05:02:12] Google has discovered and blocked a new strain of Android malware, "Lipizzan," a very highly targeted surveillance tool believed to have been produced by the Israeli firm Equus Technologies. The discovery came during an investigation into Chrysaor, spyware attributed to another Israeli lawful intercept shop, NSO Group. Lipizzan has been expelled from the Play Store and is remediated by Google Protect.

Dave Bittner: [00:05:29:13] Phishing continues to plague Internet users. There's a WhatsApp scam running in which hoods send an official-looking email telling the mark that their trial of WhatsApp is almost over, and they need to pay if they want continued service. Needless to say, the mark is directed to a plausible looking portal where they're asked to enter banking information.

Dave Bittner: [00:05:48:20] Ransomware is found to kill small businesses through disruption, not extortion payments. It's the inability to do business at all that proves lethal, not losses connected to paying off the criminals.

Dave Bittner: [00:06:01:00] You've probably heard the term, "security by obscurity." Counting on the fact that you're too small or uninteresting for the bad guys or gals to bother with you. Neill Feather is President of website security company SiteLock, and he says relying on security by obscurity is asking for trouble.

Neill Feather: [00:06:18:10] More than 80% of attacks are targeted at businesses with fewer than a hundred employees. A lot of the attacks that get the major kind of publicity tend to be against large organizations, you know, think: Sony, Target, Home Depot, those kind of things. But what folks don't realize is that even the smallest business has data, website traffic and other kind of resources that are of value to cyber criminals. And so, they really view small businesses at times as the low hanging fruit, that they're able to take advantage of out there on the Internet.

Dave Bittner: [00:06:51:21] What kinds of stuff would they be after from a small business?

Neill Feather: [00:06:57:05] They tend to be after anything from traffic, like website traffic. So, even if you have a small business website, you have visitors that are coming to your site and if a hacker is able to take those visitors and redirect them to a malicious location or some other kind of site, a phishing site for example, where they're able to get user credentials, usernames and passwords - they can use that information for subsequent attacks against those visitors. Beyond that, every website also has a certain value for search engine optimization and a lot of, "gray hat" search engine optimization is hacking links to third-party websites into otherwise legitimate websites, to help boost the SEO of the third-party website, and hackers are getting paid to insert links into other people's sites. So those are just a couple of the things that every website has access to, that hackers would be interested in for financial gain.

Dave Bittner: [00:07:58:06] And you all make the point that quite often even folks who've had their websites hacked may not even know it.

Neill Feather: [00:08:04:10] Exactly. One of the things that we notice is a lot of times website owners will come to us, only after they've been told by a visitor or a search engine or an anti-virus provider that something happened with their website. What is unfortunate about that is there's been some damage done there both to their reputation and to the website. One thing that criminals have got really good at is hiding the fact that they've hacked a website. They really don't want to be caught, right? So the longer they're able to continue to siphon off traffic, siphon off data, that means the more money they're going to make. So they do a good job of hiding themselves from the website owner, either through disguising their code or making sure that they only show the malicious information one time to each user, or other techniques that really help them kind of live in the shadows of your website.

Neill Feather: [00:08:57:04] You really need to work with experts to make sure that you're applying the right type of product to the right type of infrastructure asset that you have. If you have a website, you really want website security. Whereas, if you're trying to protect a PC or an endpoint, you really want something that's tailor-made for that. So, it's really important for small businesses to be working with experts in the various different security fields.

Dave Bittner: [00:09:21:06] That's Neill Feather from SiteLock.

Dave Bittner: [00:09:24:24] A presentation at Black Hat by two researchers, one from ZeroFOX, the other from RIT, suggests that academic training for cybersecurity is misaligned with the job market because it's misaligned with the realities in the wild. Thus, they conclude, traditional academic programs and certifications continue to fall short. They see a hermetic system and say, "Academia really traditionally encourages people to stay within academia and not get out and learn new things and come back."

Dave Bittner: [00:09:54:15] In his Black Hat address, Facebook's security chief made a strong pitch for more empathy in the security profession. Only this, he suggests, is likely to produce much needed change, particularly in opening the industry to those who've previously felt excluded or marginalized. He stressed that recruiting is one thing, retention quite another, and that companies should work to keep the talent they bring in.

Dave Bittner: [00:10:18:17] The Game of Drones at Black Hat, it's like Game of Thrones, but you've got that, right? Just trying to be helpful here! Well, it showed that stopping drone incursions is harder than it looks. Security firm Bishop Fox has taken a look at the anti-drone market and found lots of stuff that looks as if Rube Goldberg and Heath Robinson had been retrained by the Acme Company as engineering consultants. They've seen jammers, bazookas that shoot nets, other drones that go up and dogfight the intruding drones, and so on. Bishop Fox notes cautiously that many of these may be illegal in certain jurisdictions, especially the jammers.

Dave Bittner: [00:10:56:09] The authorities might have fewer problems with your bazooka than with your attempts at meaconing an unwelcome drone. So get smart and lawyer up before you take matters into your own hands. We're sure there's some Second Amendment jurisprudence on this waiting to be litigated in the US, right counselors? Or just get in touch with Wile E. Coyote, he is after all a super genius.

Dave Bittner: [00:11:24:11] Now another message about some research from our sponsor Cylance. You know good policy is informed by sound technical understanding. The crypto wars aren't over. Cylance would like to share some thoughts from ICIT on the surveillance state and censorship and about the conundrum of censorship legislation. They've concluded that recent efforts by governments to weaken encryption, introduce exploitable vulnerabilities into applications, and develop nation-state dragnet surveillance programs will do little to stymie the rise in terrorist attacks. These efforts will be a detriment to national security and only further exhaust law enforcement resources and obfuscate adversary communiques within a massive cloud of noise. Back doors for the good guys, mean back doors for the bad guys, and it's next to impossible to keep the lone wolves from hearing the howling of the pack. Go to and take a look at their blog for reflections on surveillance, censorship and security. We thank Cylance for sponsoring our show.

Dave Bittner: [00:12:32:13] Joining me once again is Ben Yelin. He's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We had an article come by from the Star Tribune and once again we find ourselves talking about a case that involves child pornography. In this case, the FBI is investigating a Minnesota man after he took his computer into the Geek Squad and they turned him in.

Ben Yelin: [00:12:56:19] So every time that you go to the Geek Squad, when you are consenting to service, you sign a piece of paper that says if they discover any illegal illicit material on your device, that they have the right to send it to law enforcement. So it's pretty clear based on that, and based on the principle that when you bring anything into the public sphere, when you submit any of your information to a third-party, you are forfeiting your reasonable expectation of privacy in that information. The particular issue here is that there were allegations that the FBI was paying the Geek Squad to detect information from an individual's computer and use that in a law enforcement investigation. That could potentially run afoul of the Fourth Amendment prohibition on illegal searches and seizures, particularly when they're using this forensic software program.

Ben Yelin: [00:13:47:18] In one of the instances, in a different case, an image was located on the drive's unallocated space - that's a place that can contain deleted data. So it would be difficult to prove for example that somebody knowingly possessed that data, and that presents Fourth Amendment issues, because you don't have probable cause that someone actually has child pornography, yet you're doing the search regardless.

Dave Bittner: [00:14:11:07] So this is the difference between the Geek Squad folks happening upon something, and actively seeking it out?

Ben Yelin: [00:14:18:13] Exactly. So when the Geek Squad stumbles upon it, in the course of their technological repair work, that's one thing. When it's a coordinated effort between the FBI and the Geek Squad, when they're working together to figure out how to search an individual's computer, you start to almost get into issues of entrapment. Is this just a back door way of doing a search? That runs afoul of our Fourth Amendment principles, where you actually have to have a reason, probable cause to search somebody's private information. If it's in plain view, I think somebody who had child pornography on their computer is going to be completely out of luck. But if it's the FBI using the Geek Squad and using their information security knowledge about how to extract information that's not in plain view on one's computer, then we start to run afoul of Fourth Amendment principles.

Dave Bittner: [00:15:09:17] So, just to be clear, this is an allegation - it has not been established that this is actually what was going on, correct?

Ben Yelin: [00:15:17:09] Yes. So, neither the Geek Squad nor the FBI has confirmed this relationship. Although I think one of the parties admitted that there has been a similar relationship in the past. I think somebody from the Geek Squad, while they say we don't work for the FBI, he acknowledged that supervisors have received payments from the FBI in years past. But those Geek Squad employees were similarly dismissed, because it's against company policy. Those employees were not employed when this latest case came to light.

Dave Bittner: [00:15:49:24] We'll keep an eye on it. As always, Ben Yelin thanks for joining us.

Dave Bittner: [00:15:55:11] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. You can find out more about Cylance and how they can help protect you with artificial intelligence at

Dave Bittner: [00:16:08:11] The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.