The CyberWire Daily Podcast 8.16.17
Ep 414 | 8.16.17

NIST SP 800-53 updated. Attack on Scotland Parliament's email system. Consequences of Equation Group leaks. "Mr. Smith" and HBO. Attacks of note: Trickbot, OLE exploits, NetSarang backdoor. Extremist inspiration. BEC.


Dave Bittner: [00:00:01:07] If you are a fan of the CyberWire, the best way you can show your support is by going to, and signing up to become a regular supporter. Thanks.

Dave Bittner: [00:00:14:12] A new draft of NIST Special Publication 800-53 is out. Brute force is used against Scotland's Parliament - its email accounts, we mean - this isn't Braveheart. Fancy Bear's romp through high-end hotel Wi-Fi suggests the Equation Group leaks will be with us for some time. Mr. Smith remains at large and still wants to be paid. Trickbot uses unusually convincing counterfeit sites. PowerPoint malware vectors may be part of a criminal test. NetSarang urges swift patching of a backdoor in its software. Extremist inspiration persists, and some guy in Nigeria with more moxie than skills is behind a big business email compromise campaign.

Dave Bittner: [00:00:59:01] A few words from our sponsors at E8 Security. If you've been to any security conference over the past year, you've surely heard a lot about artificial intelligence and machine learning; we know we have. But E8 would like you to know that these aren't just buzz words, they're real technologies and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. Go to and let their white paper guide you through the possibilities of these indispensable emerging technological tools. Remember, the buzz around artificial intelligence isn't about replacing humans, it's really about machine learning, a technology that's here today. So see what E8 has to say about it. They promise, by the way, that you won't get a sales call from a robot. Learn more at, and we thank E8 for sponsoring our show.

Dave Bittner: [00:01:59:24] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner, in Baltimore with your CyberWire summary for Wednesday, August 16th, 2017.

Dave Bittner: [00:02:09:24] First, some quick news on standards. NIST has issued a new draft of its influential and widely-used Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. The latest version is noteworthy for the way in which it seeks to incorporate privacy protection throughout its system of controls.

Dave Bittner: [00:02:30:17] Turning to cyber attacks, Scotland's Parliament has sustained a brute-force attack on Members' email credentials. The campaign is similar to the one Westminster sustained in June, and similar measures are being taken to remediate it. The attackers are attempting, as they did with the London incident, to get access to email accounts.

Dave Bittner: [00:02:50:00] Security experts continue to react to cyber firm FireEye's "moderately confident" conclusion that Fancy Bear has been compromising hotel Wi-Fi networks, using tools stolen from Equation Group and leaked by the ShadowBrokers. The leaked exploits involve Server Message Block (SMB) flaws. How the Brokers got the exploits they leaked in April remains a mystery, but the SMB flaws they exploit - EternalBlue, EternalRomance, EternalSynergy, and EternalChampion - are likely to present problems for some time, according to an analysis published by security company Cylance.

Dave Bittner: [00:03:23:14] WannaCry and NotPetya were the two malware pandemics to take advantage of the Equation Group leaks. Both presented themselves as ransomware, but both are now generally regarded as pseudo ransomware - disruptive attacks that pose as ransomware to cloak their operators' true intentions. There is, in fairness, some doubt on this score with respect to WannaCry, which some researchers regard as a genuine but botched extortion attempt, possibly a money-making scheme by the North Korean government.

Dave Bittner: [00:03:51:08] Both strains continue to trouble enterprises. The healthcare sector worries about WannaCry, given the effect it had on Britain's National Health Service, and the manufacturing and logistics sectors are still recovering from, and paying for, NotPetya. In one case, shipping giant Maersk has pegged its NotPetya-related losses at $300 million, and the company's CEO has instituted a corporate shake-up to make the business more resilient.

Dave Bittner: [00:04:17:20] Here at the CyberWire we like to think we provide a public service to our listeners by reminding you, repeatedly, to back up your data. It's easier than ever these days. Storage is cheap, be it an external hard drive or space in the cloud. Alas, not everyone heeds our warnings and sometimes things go wrong. Your only copy of that important file gets erased or you just never got around to asking IT why your laptop hard drive was making that horrible clicking sound and you found yourself in need of a data recovery service. Jeff Pederson is Senior Manager of Operations at Kroll Ontrack Data Recovery.

Jeff Pederson: [00:04:51:06] Everything that gets put in place in the world seems to be trying to eliminate the need for data recovery, and that's been happening since we started business over 25 years ago. Backups were going to eliminate the need for data recovery, RAID systems were going to eliminate the need for data recovery, the cloud was going to eliminate the need for data recovery. What we find is that, no matter what gets put in place, as long as humans are running computers and need access to that data, data recovery's going to be needed on some level. VMware, for instance, any virtualization, makes it super easy for IT administrators to provision and allocate data for different divisions or departments within a corporation, but it also makes it super easy for them to delete those inadvertently, and so we've had to build tools and the ability to recover from virtual machines.

Dave Bittner: [00:05:46:10] So what about encryption? You know, I can see there sort of being two sides to that. People say, "Well you want to encrypt everything on your hard drive to make it more secure," but that could make recovery more challenging, yes?

Jeff Pederson: [00:05:57:13] It absolutely can. We've had to customize our tools to accommodate for that encryption that's put on. It matters whether it's put on at the hardware level or at the software level, and we're not in the business of cracking encryption or anything like that. But what we do need to do is to be able to apply the encryption credentials that are used by our customers and sent to us, to then crack open, essentially, and allow us access to the data that's on the disks. Because without that encryption information or if a customer forgets their passwords, we're a professional data recovery company but we still would not be able to recover that data. We can read all of the encrypted data that you want, but to get it decrypted we do need those original credentials.

Dave Bittner: [00:06:42:22] So, as someone who's in the business of helping people recover things that they've lost, what sorts of advice do you have for people to set up ways to, well, not need your services?

Jeff Pederson: [00:06:55:08] We get asked that all the time by our customers, "How do we not call you back ever again?" And so we basically tell them it comes down to vigilance and to basically getting control of your dataset: knowing what data you have, knowing what you absolutely want to back up, and maybe not backing up your entire local hard drive. You've got your documents and your pictures, potentially, or your email. Whatever you don't want to have to send to us for recovery, that is what you want to send to the cloud or to a backup device, whether that be a local NAS device or an additional hard drive. But then, much like you do with any of your other protected documents or highly sensitive documents, you're going to probably send them off site. You're not going to have them in your house in the same place where, if your house were to have a fire, or some flood or some incident happen, they're going to be in the same physical location. So you're going to send them off to somewhere else, and so, if that's a safety deposit box, if that is somebody else's home, if that is the cloud where you're going to replicate that data to the cloud and that's your off-site storage, then we say make another copy, so you have at least two places where you can go to find that very important information.

Dave Bittner: [00:08:19:13] That's Jeff Pederson from Kroll Ontrack Data Recovery. Taking a quick look at a few sponsored events from our CyberWire event tracker; we've got the security in the boardroom event coming up August 23rd in Palo Alto, California, that's from the Chertoff Group. And also the Johns Hopkins Information Security Institute has teamed up with COMPASS Cyber Security. They're hosting the Cyber Security Conference for Executives. That's September 19th, 2017, and that is in Baltimore. To learn more about the events or to find out how you can have your event listed in our event tracker, visit

Dave Bittner: [00:08:55:11] "Mr. Smith" is getting more strident with his (or her, or their) demands on HBO, but it's not clear what "Mr. Smith" may have actually obtained from hacking the entertainment giant. It is increasingly clear what "Mr. Smith" is after. If hackers tend to seek cash or cachet, "Mr. Smith" is a cash kind of guy.

Dave Bittner: [00:09:14:21] Trickbot banking malware is being disseminated through unusually convincing counterfeit sites; even the URL and certificate are right.

Dave Bittner: [00:09:23:11] PowerPoint vectors may be distributing an OLE exploit as a test, or so Cisco and Trend Micro researchers suspect. The exploit attacks a known vulnerability in Microsoft Office products.

Dave Bittner: [00:09:36:16] Kaspersky Lab has discovered a backdoor in the update mechanism for NetSarang's widely used server management software. NetSarang confirms that the backdoor, called "ShadowPad", inadvertently appeared in a recent build of their product. It's been patched, and, since it was discovered Monday that ShadowPad is being exploited in the wild, NetSarang urges all users to update as soon as possible.

Dave Bittner: [00:10:00:14] The neo-Nazi website, Daily Stormer, kicked out of most legitimate services, appears to have migrated its unsavory inspiration to the Dark Net. Even there, parties unknown may be pursuing it with distributed denial-of-service attacks. The Stormer, or at least its message, will probably find other outlets, if long experience with ISIS is any guide. The Caliphate has posted more beheading pictures; the victim this time is a captured Iranian IRGC fighter.

Dave Bittner: [00:10:30:07] Finally, a very large business email compromise campaign, that hit major organizations worldwide, has been tracked to its source. The operation was so large that many observers thought it was a state-directed series of attacks. But, no, researchers at security firm Check Point have run it to ground, and they say it's the work of a not particularly skilled but very brassy 20-something Nigerian guy. He was armed with the commodity NetWire Trojan and the Hawkeye keylogger, and with some fairly clumsy broadcast phishing was able to do some damage. Check Point has shared what they know with Nigerian authorities, who have taken an interest in the unnamed young man. His motto is said to be, "Get rich or die trying." Hopefully it doesn't come to that.

Dave Bittner: [00:11:19:22] Now I'd like to tell you about an upcoming Webinar from our sponsor, Delta Risk. With threats to the healthcare industry at an all time high, IT and information security professionals in hospitals, healthcare provider firms and insurance firms have more concerns than ever about patient data and business continuity. In the 45 minute Webinar, Preparing for Cyber Risks to Healthcare Operations: Be Ready, Not Sorry, experts from Stanford Children's Health, Delta Risk and Huntzinger Management Group will discuss essential elements of how to respond to a cyber attack and properly prepare a business continuity plan. Save the date for August 23rd at 1 p.m. Eastern Time by visiting Delta Risk LLC, a Chertoff Group company, is a global provider of cyber security services to commercial and government clients. Learn more about Delta Risk by visiting and reserve your seat for this interactive discussion, and we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:12:25:16] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We had a story come by about privacy concerns with smart vacuum cleaners. You got Roombas and the little robot vacuums like that, that wander around your house and it turns out they may be collecting information and data on our homes?

Ben Yelin: [00:12:49:15] Yeah, it seems like there's no limit to which devices can collect data within our homes these days, but this one was especially interesting to me. So this article said that Roomba devices, which are produced by iRobot, collect mapping information about your house. So they basically internalize the location of various rooms, various devices, to help get a complete picture. The fear here is that iRobot is going to sell this data to third parties, or they could potentially turn this data over to the government for a criminal prosecution, and in their contract it says that they have the right to do that. So as soon as you accept the terms and conditions, when you activate your Roomba device, you are signing away your rights to this information. You can never know what situation will present itself in the future, if law enforcement is in a situation where there's some crime where a specific location ends up mattering. I mean, we've seen instances that you and I have talked about, Dave, where Alexa has cut through somebody's alibi just by hearing that person's voice in a recording. So we can see the same situation here. You could get potentially incriminating information from someone based on mapping information that occurs within the house.

Dave Bittner: [00:14:06:16] To be clear, the reason that the robot is gathering this information for its own use, this is to do a better job of vacuuming your home. I could certainly see, like you say, law enforcement using that. If they had a warrant to enter someone's house it'd be useful for them to be able to know where everything is in that house. But also I could see, you know, on the flip side, it being helpful to a fire department. If they have to come in your house in the middle of the night, if they could bring up a map of where all the furniture is, where the beds are located, maybe they could do a quicker job of locating people in a burning house.

Ben Yelin: [00:14:39:20] Yeah, I think that's true, and you could certainly see the benefits when you think about third parties. I mean, let's say it's just selling it to Amazon. They could improve the acoustics or the music you listen to based on data submitted by these Roomba devices. They could know, you know, how big a room is, so the acoustics can be better when your Amazon Echo device comes on. So there are certainly legitimate and potentially good uses of this data.

Dave Bittner: [00:15:06:22] And, to be fair, the CEO of iRobot, his name is Colin Angle, says that they would not sell that data without consulting the customers first. So they're saying you'd have to opt in but, at the same time, the EULA that you sign when you sign up to use this technology says they don't have to tell you.

Ben Yelin: [00:15:27:22] Right, exactly. So, there's no legal obligation for them to notify you if they submit your data to a third party. Perhaps there's an ethical or moral obligation and, more important than that, there could be a business justification. I mean, we've seen telecommunications companies and all other sorts of companies, companies that produce all sorts of hardware, using their security features as a selling point. You know, perhaps that can give them a niche in the market for people who are security savvy. So there are ethical reasons but also just bottom-line reasons to withhold that data.

Dave Bittner: [00:16:01:13] All right, it's an interesting story. Ben Yelin, thanks for joining us.

Ben Yelin: [00:16:05:00] Absolutely. Thank you.

Dave Bittner: [00:16:08:09] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit Thanks to all of our supporters on Patreon; we really do appreciate it. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.