The CyberWire Daily Podcast 10.2.17
Ep 446 | 10.2.17

Bots, sockpuppets, and trolls. Facebook talks to Congress. Some suggest China hacked Equifax. DPRK gets more Internet. ISIS inspiration. Section 702 authority in doubt.


Dave Bittner: [00:00:01:01] Thanks once again to all our Patreon supporters. You can find out how you can support our show by going to

Dave Bittner: [00:00:11:20] Bots, sock puppets and trolls, oh my. Mr Zuckerberg goes to Washington. Equifax sources suggest China did it. Credit bureau phishbait chums the Internet. Pyongyang gets a new Internet connection, and observers bet it's not for checking Mr. Kim's fantasy sports leagues. ISIS posts more inspiration and warnings. NSA prepares to wind down Section 702 operations. US and Russia seem to agree on one thing at least: Bitcoin fraud is bad.

Dave Bittner: [00:00:45:05] Time for a message from our sponsors at E8. We've all heard a great deal about Artificial Intelligence and machine learning in the security sector, and you might be forgiven if you've decided that maybe they're just the latest buzzwords. Well, no thinking person believes in panaceas, but AI and machine learning are a lot more than just empty talk. Machine learning, for one thing, is crucial to behavioral analytics. You can't recognize the anomalous until you know what the normal is, and machines are great at that kind of baselining. For a guide to the reality, and some insights into how these technologies can help you, go to and download E8's free white paper on the topic. It's a nuanced look at the technologies that have both future promise and present-day payoff in terms of security. When you need to scale scarce human talent, AI and machine learning are your go-to technologies. Find out more at And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:51:07] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, October 2nd, 2017.

Dave Bittner: [00:02:02:06] Facebook is expected today to provide the US Congress with evidence concerning 2016 election ads purchased by Russia's Internet Research Agency. Bots have become more visibly active in social media. Their tendency has been to exacerbate conflict, without much discernible interest in conflict's outcome. Thus there's been some vigorous bot tweeting on both sides of the take-a-knee protests surrounding the US national anthem at professional American football games.

Dave Bittner: [00:02:32:17] McAfee reports that one of the fastest growing bits of malware last quarter was Faceliker, a Trojan that infects a user's browser when it visits a compromised site. Faceliker then proceeds to pony up Facebook "likes" and advertising content without the user's knowledge or permission. This is principally a criminal enterprise engaged in illicitly goosing advertising revenue, but the information operational uses of this sort of tool are easy to envision.

Dave Bittner: [00:03:01:00] US Senator Warner, a Democrat from Virginia, Vice Chair of the Senate Intelligence Committee, thinks social media have now become decidedly weaponized. He says, quote, "We're increasingly in a world where cyber vulnerability, misinformation and disinformation may be the tools of conflict." End quote. He also says, and in this he's literally correct, that social media accounts are a lot cheaper than a fifth generation fighter aircraft. Who's doing the weaponization isn't in doubt: Warner says it's Russia, and he's been disappointed by his committee's meeting with Twitter officials, whom Warner said showed an enormous lack of understanding of just how serious the matter is.

Dave Bittner: [00:03:41:13] So bots, sock puppets, trolls and advertising seem to be the principal modes in which the ill-intentioned seek to shape and influence opinion online. Facebook founder, Mark Zuckerberg, expressed his wishes to atone for the sorry state of badthink his platform has contributed to. It's a tough problem to be sure, and ideas are quicksilver. They seem to flow into new channels as soon as one is closed to them.

Dave Bittner: [00:04:09:08] Equifax is suggesting its data breach was probably the work of Chinese intelligence services. Sources claim to perceive similarities of tactics and approach to the 2016 intrusion into the US Office of Personnel Management. The OPM breach has been widely attributed to cyber operators in China's People's Liberation Army. Sources also say a dispute between Equifax and FireEye unit Mandiant may have contributed to the problem. Equifax is said to have thought Mandiant substituted junior personnel for the senior consultants Equifax believed they'd hired, and that this led the credit bureau to discount the security consultants' warnings during a crucial phase of the attack. Once they'd made up, the attackers had put themselves in a position to steal what they wanted to steal. There was evidently no permanent rupture between Equifax and Mandiant. Mandiant is the firm Equifax says it brought in this past August to investigate and help remediate the damage done by the hackers. One immediate criminal impact of the Equifax breach has been to chum the Internet with a lot of credit-themed phishbait, most of it spoofing emails from financial institutions. All would be well-advised to treat emails that offer solutions to Equifax issues with appropriate skepticism.

Dave Bittner: [00:05:28:11] TransTelecom, a Russian telecommunications firm, appears to have established an Internet connection with North Korea. This supplements the DPRK's other previously existing Internet connection through China Unicom. North Korea is famously a minimally connected country, and the new capacity surely hasn't been established with a view to enabling locals to download free Space Invaders from retro gamer shops, shop on Alibaba, or access Dennis Rodman's Facebook page. As the DPRK faces financial pressure from international sanctions imposed in the hopes of curbing Pyongyang's nuclear and ballistic missile programs, the country's regime has turned increasingly to online crime to finance itself. The willingness of a Russian telco to deliver the Internet to North Korea also speaks volumes about where the biggest holes in any international sanctions regime are likely to be found. The new connectivity increases Pyongyang's bandwidth and resilience. It remains to be seen whether this will produce more attack potential than it does potential attack surface.

Dave Bittner: [00:06:34:19] ISIS does some virtual whistling past the graveyard with online videos displaying captured coalition small arms, specifically an AT4 shoulder-fired anti-tank rocket, an M4 carbine, and one each M16 and M14 battle rifles. This is pretty small beer, four very widely used weapons, and that AT4 may well just be a discarded launch tube too. It hardly compensates for the destruction of the Caliphate's hold on territory, but perhaps this won't matter to the callow audience for ISIS inspiration.

Dave Bittner: [00:07:09:17] More worrisome than a handful of guns is ISIS's warning to Muslims, conveyed via Telegram, to avoid public places in infidel lands, as these will be targets of the "Soldiers of the Caliphate." The warning specifically calls out the US, Russia, France, the United Kingdom, Canada, Belgium, Australia and Italy. It appears to represent cheerleading, of course, but also inspiration and a gesture of preemptive absolution for any Muslim deaths that will occur as foreseeable collateral damage.

Dave Bittner: [00:07:43:12] In the US, the National Security Agency said Friday that it would have to begin winding down its online surveillance program, commonly known as Section 702 Authority, even before it expires at the end of the year. The intelligence community has been urging Congress to reauthorize Section 702 before that winding down begins.

Dave Bittner: [00:08:04:17] And finally, alleged Russian Bitcoin fraudster Alexander Vinnik told a Greek court in Thessaloniki Friday that he didn't do it, and that Greece shouldn't extradite him to the US, which is interested in giving Mr. Vinnik an opportunity to make his case for innocence in front of a Federal court. Even if the Greek authorities don't send him to the US, Mr. Vinnik probably isn't home free. The Russians say they want him on a fraud beef as well. And in these troubled times, isn't such a display of solidarity between Russians and Americans a breath of fresh air?

Dave Bittner: [00:08:42:07] Now I'd like to tell you about a new infographic from our sponsor, Delta Risk. Delta Risk is a National Cyber Security Awareness Month champion. As we kick off NCSAM, they've put together a handy 31 day cyber security calendar full of tips to help the public protect themselves, and their communities online. Throughout the month of October, Delta Risk will post additional infographics and blogs that address weekly NCSAM themes, to educate and spread awareness around important cyber security topics. You can view the infographic by visiting Delta Risk LLC, a Chertoff Group company, is a global provider of cyber security services to commercial and government clients. Learn more about Delta Risk by visiting And again, that link for the infographic is And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:09:45:22] And I'm pleased to be joined once again by Johannes Ullrich. He's from the SANS Technology Institute, and also the host of the ISC Stormcast podcast. Johannes, welcome back. There are some new malware techniques floating around, and you wanted to give us some details.

Johannes Ullrich: [00:10:01:06] Yes. What we saw recently was some malicious spam, and it was very much obviously malicious, because one of those spam messages claimed to contain an invoice, but really with a zip file. Now where it got interesting was, when we looked at the zip file, the zip file actually turned out to be non-malicious. It actually turned out to be a security product. It was Avast's SafeZone browser. It was validly signed. The tricky part here was that this particular safe and valid executable came with a malicious DLL. Now DLLs are these libraries that are being loaded by Windows software at runtime. In many of the programs, nobody checked very carefully what they were loading. As long as the attacker is able to place a DLL with the right name in the directory from which you are starting the software, it will load this malicious DLL. So, pretty neat little trick here that the bad guys are using in order to bypass anti-virus and other techniques, like whitelisting for example, in order to infect users with their malware.

Dave Bittner: [00:11:16:02] So what, then, does the DLL do?

Johannes Ullrich: [00:11:18:22] The DLL in this case was a banking malware. It did inject pages into banking sessions, just like what your average banking malware would do.

Dave Bittner: [00:11:30:03] So is there a way to protect against this?

Johannes Ullrich: [00:11:32:14] Not really. Other than, well, don't click on these attachments of course, that's always good advice. But hard to follow through with if you think about how many legitimate attachments users are receiving every day.

Dave Bittner: [00:11:45:06] So it's a benign attachment on the whole, but then inside of there is hidden the actual malware?

Johannes Ullrich: [00:11:51:05] Correct.

Dave Bittner: [00:11:52:05] Alright. Good information. Johannes Ullrich, thanks for joining us.

Dave Bittner: [00:11:57:07] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our sustaining sponsor Cylance. To find out how Cylance can help protect you using Artificial Intelligence, visit Don't forget, I'm a regular guest on the Grumpy Old Geeks podcast, where I take part in a segment called Security Ha. You can find the Grumpy Old Geeks podcast wherever all the fine podcasts are listed. And another reminder, if you enjoy our show it will help us a lot if you can leave a review and subscribe on iTunes. It really is one of the best ways to help people find the CyberWire.

Dave Bittner: [00:12:30:19] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.