The CyberWire Daily Podcast 8.28.17
Ep 422 | 8.28.17

Maritime cybersecurity concerns. ExpressLane dump stirs up international trouble. IoT botnet threat addressed. Defray ransomware. Cyberattack in Scotland. Tehran's info-ops rapper.


Dave Bittner: [00:00:00:18] I want to thank our latest Patreon supporters. If you haven't checked it out yet, please do so, it's at Thanks.

Dave Bittner: [00:00:11:21] The USS McCain collision appears unrelated to any cyber attack, but observers warn of ICS security issues as maritime cyber concerns rise. WikiLeaks' ExpressLane Vault7 dump raises concerns in India. Telnet credentials for Internet of Things devices are exposed. Defray ransomware is being distributed with unusually precise and plausible spearphishing. Ransomware disrupts some healthcare services in Scotland. Acquisition news in the cyber sector. And Iranian information operations seem to be piping the devil's tune.

Dave Bittner: [00:00:48:19] Time for a message from our sponsor, Recorded Future. You've probably heard of Recorded Future, they're the real-time threat intelligence company. Their patented technology continuously analyses the entire web to give info tech analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily; they do some of the heavy lifting in collection and analysis that frees you to make the best, informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:52:01] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, August 28th, 2017.

Dave Bittner: [00:02:02:18] The US Navy's investigation of the destroyer USS McCain's collision with a merchant tanker a week ago seems to be tending toward the painful conclusion that seamanship errors, and not cyber attacks, were the cause. This hasn't halted speculation about a cyber attack, with many observers offering suggestions as to how such an attack might have been accomplished. These are perhaps best regarded, absent further evidence, as hypothetical cautionary tales. Most will be familiar to those who have followed accounts of industrial control system vulnerabilities; there's a strong family resemblance.

Dave Bittner: [00:02:36:18] Remember, these are cautionary tales about control system vulnerabilities, not findings from any investigation into the collision. They include a malware-laden USB drive; this is believed to have been the method used to introduce Stuxnet into an Iranian nuclear research and development facility. Infected diagnostic and maintenance equipment, perhaps during a visit to its home port. Infection by a malicious insider, although the famous cases of malicious insiders have typically involved espionage, not sabotage. Installation of a rogue device into an internet-connected network. Malicious components introduced into a compromised supply chain. Exploitation of an unpatched vulnerability in a legacy control system, and, of course, all the other methods by which control systems are rendered vulnerable.

Dave Bittner: [00:03:22:17] The bodies of all ten McCain crew members who were missing have now been recovered. We spare a thought for them, their families and their shipmates as we follow news of this sad mishap.

Dave Bittner: [00:03:34:13] WikiLeaks' Vault7 dump last week featured descriptions of ExpressLane, an alleged CIA program for installing liaisonware to, allegedly, extract information from partner agencies. Most of those agencies are believed to be other US organizations, including NSA, FBI and the Department of Homeland Security, but WikiLeaks suggested on Friday that international partners were similarly affected. The information ExpressLane is said to have collected included biometric data.

Dave Bittner: [00:04:05:06] The strongest reaction so far seemed to be from India, where the public is already skittish about several disclosed vulnerabilities in their national identification program. The Unique Identification Authority of India, responsible for the program, dismissed any suggestion that the CIA was trawling through India's biometric data; they say they had stringent security features in place to prevent the sort of compromise WikiLeaks insinuated Langley accomplished. They also said that allegations to the contrary were coming from "sources with vested interests." The authority's denials are being received with a grain of salt by the Indian media, which has seen too many other issues surface with the identification program to accept easy reassurance.

Dave Bittner: [00:04:49:03] NewSky Security researchers have noticed a large list containing thousands of working IoT device Telnet credentials dumped online, an obvious distributed denial of service threat. Security experts are scrambling to forestall that possibility. The GDI Foundation, a not-for-profit organization whose stated mission is "to defend the free and open internet by trying to make it safer," addressing security issues through responsible disclosure, says the list includes just over 8,200 unique IP addresses. Just over 2,000 of the devices were still running open Telnet services this weekend, and around 1,700 of these were reachable with the leaked credentials. The concern, of course, is that the IoT devices could be roped in by bot-herders to give greater effect to a distributed denial of service campaign. It appears that prevention is well in progress, with the GDI Foundation and others reporting a gratifying response to the warnings they've sent device owners.

Dave Bittner: [00:05:47:04] Proofpoint researchers have found a new strain of ransomware, Defray, infesting targets across a range of sectors, especially healthcare, but also manufacturing and even an aquarium. Defray is a small-scale, highly targeted effort, selective in its prospecting and not asking for an unusually high ransom; $5,000 is the amount being mentioned. The campaign is unusual in its very plausible, carefully baited spearphishing.

Dave Bittner: [00:06:14:07] It's unknown, for now, whether the incident is a Defray infection, but healthcare services operated by National Health Service Lanarkshire, in Scotland, were hit last weekend by a ransomware attack that disrupted patient care into the week. NHS Lanarkshire, The Register sourly notes, was among the British healthcare operations hit by WannaCrypt earlier this year. The service's Chief Executive apologized to patients, asking them to bear with the healthcare provider as it brought its systems back online and requesting that people delay non-urgent care.

Dave Bittner: [00:06:47:04] In industry news, Forcepoint announces its acquisition of behavioral-analytics shop RedOwl. Details of the price are not presently available, but it represents a significant addition to Forcepoint's capabilities.

Dave Bittner: [00:07:01:10] Finally, with all the attention rightly devoted to ISIS, it's easy to overlook ISIS's competitors in jihad, which include not only Sunni rivals in al Qaeda, but, of course, Shi'ite Iran. The Islamic Republic has long denounced America as "The Great Satan," and chants of "Death to America" have long been a staple of popular information. But Iran's leaders have apparently decided that this mode of delivering the message is stale. The New York Times reports that the Islamic Republic has permitted distribution of a rap version as an updated way of inspiring the rising generation, this despite Tehran's longstanding condemnation of rap music and, for that matter, dancing. The online videos feature rap delivered from atop the bridge of a frigate, stomping soldiers, flags, effigies of the Statue of Liberty clutching a menorah, in case you didn't get the point that the Great Satan is involved with the Zionist Lesser Satan, and so on.

Dave Bittner: [00:07:58:02] Reviews have been mixed. It's perhaps worth remembering, from an information operations point of view, that Satan is, in his supposed interactions with believers, fundamentally a tempter, and so one might think twice before playing the tune that the devil's piping. But that, of course, is a matter for authorities in Tehran to decide.

Dave Bittner: [00:08:18:04] It's also perhaps worth recalling that Russian information operations, for all their historic success, have always played best with straight disinformation. Our linguistics desk says they never came across a lamer attempt than they did in the Cold War endgame, when they tried to use rock and roll as a way to reach youth. We leave you with one such example. [MUSIC]

Dave Bittner: [00:09:15:24] And now some information from our sponsors at E8. We all hear a great deal about artificial intelligence and machine learning in the security sector, and you might be forgiven if you've decided that maybe they're just the latest buzzwords. Well, no thinking person believes in panaceas, but AI and machine learning are a lot more than just empty talk. Machine learning, for one thing, is crucial to behavioral analytics: you can't recognize the anomalous until you know what the normal is, and machines are great at that kind of baselining. For a guide to the reality and some insights on how these technologies can help, go to and download E8's free white paper on the topic. It's a nuanced look at technologies that have both future promise and present payoff in terms of security. When you need to scale scarce human talent, AI and machine learning are your go-to technologies. Find out more at And we thank E8 for sponsoring our show.

Dave Bittner: [00:10:17:20] Joining me once again is Ben Yelin, he's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, welcome back. An interesting story came by from Gizmodo about companies that were logging your data. Let's say you went to fill out a form online, a web form, like all of us do, but before you even hit the submit button this company has already grabbed that data that you may have put into that field. What's going on here?

Ben Yelin: [00:10:44:12] So, this is technology from a company called NaviStone, and many companies familiar to us use this particular technology. One of them is Quicken Loans. If you want to find out how much a mortgage is going to cost you, you go to Quicken Loans' website, you fill out some personal information, what your income is, your location, et cetera, et cetera, and they'll give you a quote. Now, most of us assume that unless we press that submit button the website is not going to collect that information, but what NaviStone's technology does is collect every piece of information that you've filled out even before you've pressed the submit button. And in a survey of a bunch of different websites that use this technology, only a few of them actually give a warning anywhere on the website, anywhere on the page, that says some of the information you enter into the applicable fields could be stored and retained. So, this potentially could run afoul of a whole number of laws, including some business fraud laws, where they're misleading consumers about what information is being collected.

Dave Bittner: [00:11:50:17] Yes, let's dig into that a little bit. I mean, I think most of us probably, as you said, assume that our information isn't being collected there. Is this a matter of just bad form on their part? Or run us through what are some of the actual legal traps that these folks could fall into for doing this?

Ben Yelin: [00:12:07:00] So, there's a US law, I actually have a citation here, part of the US Code, section 45, that prohibits unfair or deceptive acts or practices affecting commerce. Now, this was just one legal analyst who was hypothesizing that this law could be applicable, because this is potentially deceptive. You think that any information you fill in before pressing that submit button, and I think all reasonable people think this, you think that that information has not been submitted, that it's being protected, that if you change your mind at the last minute you're not forfeiting your personal information. This is potentially unfair and deceptive, especially if there's no warning in the terms or conditions. Obviously none of us really read the terms and conditions anyway, but it was especially disturbing to see that of all the companies that use this NaviStone software only one of them actually had an item in the terms and conditions saying that the information you enter into the fields can be collected even before it's submitted.

Dave Bittner: [00:13:05:00] Yes, so, browser beware, and hopefully by shining a light on this maybe some of these companies will back off this policy.

Ben Yelin: [00:13:12:06] Yes, and one of the interesting things about this is, after Gizmodo posted the story on its website, I think it generated some very bad publicity for NaviStone, and they have now said they're not going to collect email addresses from people in this way. Which I think is interesting. It's interesting that the activism of the electronic privacy community gets results once in a while and can shame, in a way, some of these companies out of the most abusive consumer practices.

Dave Bittner: [00:13:39:17] Alright, Ben Yelin, thanks for joining us.

Dave Bittner: [00:13:44:02] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit the Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit Thanks once again to all of our supporters on Patreon, and to find out how you can contribute to the CyberWire, go to

Dave Bittner: [00:14:10:05] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.