The CyberWire Daily Podcast 8.23.17
Ep 419 | 8.23.17

Independence day cyberattack worries in Ukraine. US Navy eliminating possibility of cyberattack on USS McCain. More malicious apps in Google Play. US state cyber regs. ISIS still works to inspire online.

Transcript

Dave Bittner: [00:00:01:01] We've had a bunch of new supporters sign up at patreon.com/thecyberwire, to help support our show. If you're not yet a supporter, we hope you'll check it out. Thanks.

Dave Bittner: [00:00:12:24] Ukraine worries about cyberattacks in conjunction with tomorrow's Independence Day holiday. The US Navy investigates the possibility of cyberattack in this week's Malacca Straits collision. Zscaler finds more malicious apps in Google Play. New York State's Department of Financial Services' cyber regulations begin to take effect Monday. Delaware is also stepping up data security regulations. And ISIS continues its inspiration online, as police in many countries scramble to follow the Caliphate's messaging.

Dave Bittner: [00:00:48:08] A few words from our sponsors at E8 Security. If you've been to any security conference over the past year, you've surely heard a lot about Artificial Intelligence and Machine Learning. We know we have. But E8 would like you to know that these aren't just buzz words. They're real technologies and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. Go to e8security.com/ai-ml and let their white paper guide you through the possibilities of these indispensable, emerging technological tools. Remember the buzz around Artificial Intelligence isn't about replacing humans, it's really about Machine Learning, a technology that's here today. So see what E8 has to say about it. They promise by the way that you won't get a sales call from a robot. Learn more at e8security.com/ai-ml. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:49:03] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, August 23rd, 2017.

Dave Bittner: [00:01:59:21] Ukrainian security firm ISSP adds its voice to those warning that it sees signs of an impending wave of cyberattacks on that country. Ukraine's independence day will be celebrated tomorrow, August 24th, and politically motivated or state-directed cyberattacks have in the past coincided with major holidays.

Dave Bittner: [00:02:20:12] The US Navy's investigations into this week's collision between the destroyer USS John S. McCain continue, as does the sad work of recovering the sailors who lost their lives in the incident. Much talk centers on issues of basic seamanship. China's navy suggesting that the Americans are too overstretched to be good sailors. But US Navy officials say they haven't ruled out the possibility of cyberattack. Note, "possibility." It's early in the investigation and consideration of cyberattack is a sensible measure. There are some anonymous reports circulating that discount the possibility of a cyberattack, but these are preliminary and lightly sourced. We'll continue to follow this aspect of the developing story.

Dave Bittner: [00:03:04:13] The past two weeks have seen a flurry of problematic apps discovered in Google's Play store, and then ejected by Google once researchers identify the threats.

Dave Bittner: [00:03:13:09] Security firm Zscaler today announced that on August 21st it found two more malicious apps in Google Play. The first one they uncovered was an app called, "Earn Real Money Gift Cards," which, as one might suspect from the grifter's come-on of a name the author gave it, was a variant of the familiar BankBot. So Zscaler's researchers went a bit further and looked for some of the Earn Real Money Gift Cards author's other work. They found one, which promised not easy money but easy fun, "Bubble Shooter Wild Life." It looks like a kid's game, with a cute cartoon bluebird beckoning players in. In fact, of course, it's malware.

Dave Bittner: [00:03:51:14] When you download and start the game, after about twenty minutes it shows what appears to be a legitimate Android system alert. "For applications to work properly, enable Google Service." Should you click "OK" you'll be taken to a series of screens that mimic a Google menu, including a convincing copy of Google terms and conditions. Should you agree to enable the bogus but plausible "Google Service," you will find you've allowed the malware to abuse Google's legitimate Accessibility Service to download other programs at will.

Dave Bittner: [00:04:22:06] Zscaler calls this abuse of Accessibility Service, "unique," which of course is a large claim, but the researchers do seem to have found something unusual and dangerous. Accessibility Service is intended for use only to help users with disabilities use Android devices and apps. Users should be wary, and researchers might be on the lookout for similar tactics used by other malware authors.

Dave Bittner: [00:04:46:17] Taking a quick look at our CyberWire event tracker. The fourth annual Cyber Security Conference For Executives is coming up, September 19th. It's co-sponsored by COMPASS Cyber Security and the Johns Hopkins University Information Security Institute. The CyberWire is proud to be a media sponsor of the event. Tony Dahbura is from the Johns Hopkins University, and he joins us to tell us about the event.

Tony Dahbura: [00:05:08:00] The theme this year is emerging global cyber threats. We're hosting the one day conference on the campus of the Johns Hopkins University at Homewood, here in Baltimore. What we hope to do is give our, our attendees a broad overview of what's going on in cybersecurity and things that they should be paying attention to from the point of view of their enterprise. And, just give them some useful information, opportunities to network with experts in the field, with researchers and kind of be their radar for what might lie ahead in the cyber security terrain.

Dave Bittner: [00:05:51:17] And give us a quick overview about some of the speakers that you have lined up.

Tony Dahbura: [00:05:55:15] Our keynotes are retired Brigadier General Guy Walsh, who's an Advisor to the Deputy Commander of U.S. Cyber Command at Fort Meade. And our other keynote speaker is Stephanie Reel, who's the Chief Information Officer for Johns Hopkins University and Health Systems. She's going to talk about managing an enterprise where there are mixed cultures, which is all too common out there. In the case of Johns Hopkins, it's the cultures of a health care system with all of the regulatory environment health care aspects as well as a research university. So she's going to be describing the challenges associated with providing the I.T. infrastructure and how Johns Hopkins deals with that.

Tony Dahbura: [00:06:47:03] And then we have a number of other speakers, in all kinds of areas. The agenda is far reaching, over the course of the day, of course, under the theme of emerging global threats, we will have talks on social engineering, cloud security and some of the threats that people should be aware of. We're going to have a talk on the Internet of Things. We're going to have a talk on legal aspects of privacy, building a cybersecurity program and a panel section on emerging regulations. So, it's going to be an exciting day and the way we've designed it is so that people can get a lot of information in a relatively short period of time.

Dave Bittner: [00:07:30:09] That's Tony Dahbura from the Johns Hopkins University. You can find out more about the fourth annual Cyber Security Conference for Executives, co-sponsored by the Johns Hopkins University Information Security Institute and COMPASS Cyber Security at thecyberwire.com/jhucompass. You can find out how to get your event listed on our CyberWire event tracker at thecyberwire.com/events.

Dave Bittner: [00:07:56:07] US state governments are continuing to fill gaps in cybersecurity standards of care. Where California had led with privacy protections, two other states are moving into other regulatory areas.

Dave Bittner: [00:08:07:14] New York State's Department of Financial Services on March 1st of this year promulgated a set of cybersecurity regulations, "23 NYCRR Part 500." The regulations were released with an announced set of phases for implementation. The first phase becomes effective this Monday, August 28th, 2017, on which day affected companies will be expected to be in compliance. Full compliance will be required by March 1st of 2018, coincidentally just two months before GDPR takes effect.

Dave Bittner: [00:08:39:12] In the first phase of the New York regulations implementation, non-exempt organizations will be expected to have seven mandated measures in effect. The sections that go live Monday include a cybersecurity program in which organizations must create a program related to the risk assessment that will become effective in phase two. Second, organizations must have and maintain policies and procedures relative to certain specified cybersecurity practices, including incident response and network monitoring.

Dave Bittner: [00:09:07:04] Third, if you haven't got one, you'll need a CISO. Interestingly, that person could be provided by a third-party. To whom the CISO must report will be established in Phase Two. The fourth measure deals with access privileges. It requires that the enterprise be able to establish a privileged access management system. The next section deals with cybersecurity personnel and intelligence. It requires putting trained personnel in place, as was the case with the CISO. Such personnel could come from a third-party, a managed security services provider, for example. Next is an incident response plan. An obvious requirement designed to foster resilience and recovery. And finally, affected organizations must alert the Superintendent of Financial Services within 72 hours, when it suffers a cyber event that affects normal business operations or requires the organization to alert any other regulatory body.

Dave Bittner: [00:09:57:21] New York law and regulation are particularly important to the financial sector. Delaware law is important to US corporations generally. That state has enacted tighter data privacy protection rules. Effective now, anyone doing business in Delaware who maintains personal information must safeguard it. A breach of security is now defined as including, "the unauthorized access, use, modification or disclosure of personal information and the information that is included in the definition of personal information." The law legally defines encryption, and creates a "safe harbor" if data exposed in a breach is encrypted. It also strengthens consumer protections in privacy matters. Expect more such legislation and regulation from these and other states.

Dave Bittner: [00:10:44:11] The CyberWire is in Palo Alto today for the Chertoff Group's event Security in the Boardroom. We expect to learn from the experts presenting, more about how evolving concepts of risk management and security responsibility are playing out in corporate boards.

Dave Bittner: [00:11:00:05] Investigation into jihadist attacks in Spain continue as ISIS and, coincidentally, the Taliban, step up their efforts at recruitment and inspiration. Indonesian authorities are working to counter an increased use of social media in radicalization. The US is pressuring Pakistan to pull back what the US sees as the quasi-official support for extremism emanating from that country.

Dave Bittner: [00:11:28:09] Now I'd like to tell you about a webinar from our sponsor Delta Risk. With threats to the health care industry at an all time high, I.T. and information security professionals in hospitals, health care provider firms and insurance firms, have more concerns than ever about patient data and business continuity. In the 45 minute webinar, “Preparing for Cyber Risks to Health Care Operations: Be Ready, not Sorry,” experts from Stanford Children's Health, Delta Risk and Huntzinger Management Group discuss essential elements of how to respond to a cyberattack and properly prepare a business continuity plan. Visit deltarisk.com/resources/webinars for more information. Delta Risk LLC, a Chertoff Group company, is a global provider of cybersecurity services to commercial and government clients. Learn more about Delta Risk by visiting deltarisk.com. And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:12:29:23] Joining me once again is Johannes Ullrich, he's Dean of Research at the SANS Technology Institute and he also hosts the ISC Stormcast Podcast. Welcome back.

Johannes Ullrich: [00:12:39:00] Thanks for having me.

Dave Bittner: [00:12:40:07] So, today we wanted to talk about attacks against Uber driver accounts. So tell us what we need to know about here.

Johannes Ullrich: [00:12:47:05] Yeah, what we are seeing is that social engineering is used in order to get passwords from Uber drivers and drain their accounts. The way this works is that the criminal will ask for a ride with Uber and when you do that you have the ability to contact a driver via the app, essentially keeping your own caller ID and such anonymous. Now, they use this to then call the driver, claim that they're actually working for Uber and that they're going to send them a text message, to then identify the driver. Now that text message is actually a password, a reset text message, typically sent from an email account like Gmail and that is then used to take over the driver's email account. Which in turn, then allows the hacker to reset the driver's Uber password and drain their earnings into a different account.

Johannes Ullrich: [00:13:50:06] So, not highly technical this attack but what we see a lot really is that these social engineering attacks always work and are really difficult to defend against.

Dave Bittner: [00:14:01:19] And so how would an Uber driver protect themselves against something like this?

Johannes Ullrich: [00:14:06:15] It's really just up to the Uber driver to recognize that this is not a valid call from Uber itself. And that's the hard part, there is really no technical defense against these types of attacks. They actually do bypass two-factor authentication, yet in some way because Google does send that text message, but the Uber driver doesn't recognize the text message as coming from Google and expects it to come from Uber.

Dave Bittner: [00:14:34:00] Is there anything that Uber could do on their side to help better protect the driver's identity?

Johannes Ullrich: [00:14:39:18] Uber could probably better identify and educate drivers how to recognize calls coming from Uber. Also, whenever a significant change is made to the account, like in this case, I believe in some countries, it's even possible to redirect the earnings to a prepaid credit card. So, if a significant change is made like this to notify the driver, and maybe also hold off on a change for a day or two, to allow the driver to intervene if they don't really want this change to be made.

Dave Bittner: [00:15:13:13] Right, it's an interesting story. Johannes Ullrich thanks for joining us.

Dave Bittner: [00:15:19:15] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible. Especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using Artificial Intelligence, visit cylance.com.

Dave Bittner: [00:15:32:10] A quick note that I am a guest on this week's Down the Security Rabbithole Podcast. I join up with Rafal and James to talk about big scary numbers. It's Episode 258 of Down the Security Rabbithole. You can find it wherever all the fine podcasts are found.

Dave Bittner: [00:15:47:03] The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.