The CyberWire Daily Podcast 10.17.17
Ep 456 | 10.17.17

Panama Papers assassination? Black Oasis exploits Flash Player. DPRK hacked TV show. Patching KRACK and ROCA. WikiLeaks prepping something? DHS BOD 18-01. SCOTUS to rule on data warrants.


Dave Bittner: [00:00:01:03] We know a lot of you value the CyberWire and that it helps you do your jobs better and we hope you'll check out our Patreon page at and become a regular supporter. Thanks.

Dave Bittner: [00:00:14:21] A reporter who covered the Panama Papers is assassinated in Malta. Black Oasis is found distributing FinFisher by exploitation of a bug in Flash Player. North Korea hacking is said to have been responsible for cancellation of a projected television show. Infineon patches a firmware flaw that could be exploited in a Coppersmith's attack. Vendors work to close the KRACK in their wifi products. WikiLeaks appears to be preparing for a large dump. The US Department of Homeland Security mandates improved email and website security across the Federal Government, and the US Supreme Court will review a significant cloud data decision.

Dave Bittner: [00:00:57:06] Time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's cyber daily, we look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff and, we're betting, that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web, to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:02:18] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, October 17th, 2017.

Dave Bittner: [00:02:13:07] One of the reporters who had been most active in pursuing leads into corruption and money laundering surfaced by the Panama Papers was killed yesterday in a car bombing. Daphne Caruana Galizia, a journalist working in Malta, who had been called a, one-woman WikiLeaks, died when a powerful bomb destroyed her car Monday afternoon. No one has claimed responsibility. Galizia's reporting had, for the past two years, focused largely on chasing down stories suggested in the Panama Papers, as leaks from the Mossack Fonseca law firm have come to be called. Her posts to her Running Commentary blog, had made enemies in both of Malta's principal political parties, the ruling Labor Party and the opposition Nationalists. She had also earned the enmity of organized crime. Galizia had filed a police report two weeks ago concerning death threats she had received. Investigation of the murder is in its early stages. Major political parties have condemned the killing and called for calm.

Dave Bittner: [00:03:14:11] Yesterday Adobe patched a Flash Player zero-day (CVE-2017-11292) that Kaspersky Lab discovered being exploited in the wild. The exploitation, attributed to the little known and less understood threat actor, Black Oasis, was installing FinFisher spyware into selected targets. FinFisher is famous as the lawful intercept tool that's been controversially used by governments around the world. Black Oasis is thought to be a threat actor operating from somewhere within the Middle East. They have tended to select their targets from Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, the United Kingdom, and Angola. Microsoft tracks Black Oasis under the name Neodymium. They tracked the threat actor last year also using a Flash Player exploit to distribute FinFisher. The targets then, were for the most part, located in Turkey. Black Oasis exhibits a broad range of interests, but they tend to center on Middle Eastern politics, including UN operations, opposition figures and activists, regional news reporters, and, of course, the oil industry, which would seem a possible explanation for some of the out-of-area targeting.

Dave Bittner: [00:04:30:12] It's been revealed that a 2014 North Korean cyber attack against British production company, Mammoth Screen, prompted cancellation of a projected television series. The show, Opposite Number, had a plot revolving around the imprisonment of a British nuclear scientist in the DPRK. This is the second major known hack of a media company related to Pyongyang's objections to media content. The other case, of course, is the Sony hack.

Dave Bittner: [00:04:58:04] A firmware patch from, Infineon, closes a vulnerability that could be exploited to reveal private encryption keys in a fast prime attack. A proof of concept uses a variant of the Coppersmith's attack, ROCA, for, Return of Coppersmith's Attack. Coppersmith's Attack is an old one, and users of devices with Infineon chips are advised to apply the firmware patch as soon as possible.

Dave Bittner: [00:05:21:16] Much advice is being offered on protection from the KRACK wifi vulnerability. Several vendors have issued patches to deal with it, but it's likely to persist for a long time, especially in the internet of things. In the meantime, here are the companies that either have or, are expected to soon have, a fix for KRACK attacks, as reported by ZDNet. Aruba has issued a security advisory as well as patches for its software. Microsoft's Windows products are thought to be relatively little affected, but the company has pushed fixes out through its automatic updating. Linux has made a patch available. Intel has also patched. Netgear, Microchip, MikroTik, OpenBSD, Ubiquiti Networks, HostAP and WatchGuard have all issued fixes. Apple expects to update iOS, macOS, watchOS and tvOS within a few weeks. Cisco is looking into the vulnerability, has some fixes out, and is working on others. Arris and AVM are evaluating the situation. Google is in the same boat, investigating, with patches to come as they're developed. Fortinet is working on a fix. Espressif Systems has begun patching its chipsets. FreeBSD is working on patching its base system. Wi-Fi Standard has made a fix available to vendors. And, finally, the Wi-Fi Alliance is offering a KRACK detection tool to its members. It's also requiring new members to test for the vulnerability.

Dave Bittner: [00:06:46:11] WikiLeaks' Julian Assange has tweeted out some odd code that looks like the "insurance code" released in advance of past major leaks. Nothing has broken yet, but people have their eyes and ears open.

Dave Bittner: [00:06:59:11] Yesterday the US Department of Homeland Security, issued Binding Operational Directive 18-01. This will require US Federal agencies to adopt DMARC security standards to improve email security. The directive also recommends using HTTP Strict Transport Security, HSTS, to ensure https connections and remove a user's ability to click through certificate warning.

Dave Bittner: [00:07:24:24] There are those who say when it comes to suffering a data breach, it's not a matter of if, but a matter of when. Whether or not you subscribe to that philosophy, it's prudent to plan for the worst and have a resiliency plan in place. A way to ensure that while you're recovering from whatever may have happened, your business stays up and running. Neil Murray is chief technology officer at Mimecast, and he offers his thoughts on cyber resilience.

Neil Murray: [00:07:49:07] In summary it's protecting users, data and operations from risks that may arise due to human error, malicious intent or technological failure. So, it's not all about just a defensive barrier that you may think about when you think of cyber security. There are issues related to things, like, ransomware for example, where you might need to recover data – and that's not a defensive technology, that's a technology of recovery – and there are often needs to interact with the systems that are affected whilst an incident is ongoing. So, you have to keep the business running; that's really the summary of cyber resilience. How do you deal with all this stuff and keep the business running? There are additionally, human awareness requirements, so the human firewall is important as part of the cyber resiliency process and that is that technology can do a certain amount but, human beings are the weakest links so you want to make sure that they're also made resilient through awareness.

Dave Bittner: [00:08:49:21] Yes, what, what about the emotional component of all this? You know, when something bad happens, people get upset and I think that's an underestimated part of the equation for many organizations.

Neil Murray: [00:09:01:06] Sure. And you would've seen in the Equifax incident recently that a lot of the damage gets done when the reaction is not prepared and planned. Obviously there's the preparation and if companies are found wanting when it comes to preparation that's one thing, but, you do need effective communications during these kinds off incidents and that does take preparation and planning. You also need to spend a lot of time with your staff trying to educate them about how these things come about, what may happen in those circumstances. They should feel confident that you have done the right things but it gets emotional when it's not done right, I think is the summary.

Dave Bittner: [00:09:42:23] I remember when I was a kid, of course, we all probably experienced having fire drills to practice what would happen in the event that there was a fire. Do companies need to go through a similar thing when planning out their cyber resilience?

Neil Murray: [00:09:55:19] Well there are great technologies out there to do drills like this. There's pluses and minuses to them, fire drills is one way, which is a periodic, you know, process of testing your people. The downsides are that people that get caught out, feel like they were caught out, you know, so there's a negative that can come from that, "oh, you tricked me." I mean, that's obviously the point of it but some of these tests can be pretty negative. That's not to say you mustn't do them, it's just that you have to deal with the fallout that comes from that. One of the approaches we take is real time awareness, which means, that as people are clicking on links inside their emails or, you know, downloading attachments from emails, we may take a moment, on a randomized or periodic basis to provide a teaching moment to them. In other words, ask them a question about where they think they are going and ask them whether they think that site is safe or not. And then we'll tell them whether it is or not, but, we want them to make a call on that and that raises the awareness in, in a more or less, real time fashion. So that's, that's more real time; fire drills are much more periodic.

Dave Bittner: [00:11:03:20] So, what would be your advice for someone who's trying to address this, someone who's trying to get organized and have a proper plan when it comes to resilience?

Neil Murray: [00:11:13:14] I think there are quite a few good resources online about cyber resilience. It's, it's an emerging term for sure, in that we are talking about not just cyber security, the defensive part of it, but something that's a bit more comprehensive. There's obviously a technological component, you'd need to go and source vendors, make sure that they have a broader offering than just a defensive push into their technologies. So, you really do need a recovery options, continuity options, those are the kinds of things that are as critical as the defensive piece.

Dave Bittner: [00:11:46:07] That's Neil Murray from Mimecast.

Dave Bittner: [00:11:50:08] The US Supreme Court has agreed to hear an appeal of a Second Circuit decision that exempted data stored abroad from US search warrants. The Second Circuit's decision in favor of Microsoft found that emails were beyond the reach of US domestic search warrants when the user, whose emails were sought, signed up for Microsoft's service while he was in Ireland. The ruling affected warrants issued under the Stored Communications Act of 1986, a law that's widely regarded as ripe for revision. The decision the US Justice Department is appealing, was widely regarded as a victory for privacy advocates and the tech companies who offer geographically dispersed cloud services. Law enforcement saw the ruling as a loss, depriving them of access to data needed to investigate crimes ranging from child exploitation to murder.

Dave Bittner: [00:12:40:09] In the appeal, the two sides are basically represented by the tech industry – Microsoft, Amazon, Apple, CNN, and Verizon, to take the most prominent companies with an assist from the ACLU and the US Chamber of Commerce. And, in the other corner, the Justice Department, with backing from 33 US States and the Commonwealth of Puerto Rico. The Supreme Court's decision will have far-reaching implications.

Dave Bittner: [00:13:08:16] A quick note from our sponsors at, E8 Security. They understand the difference between a buzz word and a real solution and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new, but proven, technologies at We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that, while we might assume supervised machine learning, where the human teaches the machine, might seem to be the best approach, in fact, unsupervised machine learning can show the human something unexpected. Cut through the glare of information overload and move from data to understanding. Check out and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:14:11:09] Joining me once again is, David DuFour, he's the senior director of engineering and cyber security at Webroot. David, welcome back, we wanted to talk today about some vulnerabilities when it comes to Bluetooth.

David DuFour: [00:14:22:07] Hi David, thanks for having me back. Yes, Bluetooth is making a lot of noise here. A little tit-bit about me – I'm not going to do this anymore – but I've been spending the last couple of months on Sunday mornings sitting at a restaurant eating my oatmeal, with my Bluetooth scanner, out there looking for people with their Bluetooth devices, with their Bluetooth turned on. And then this news drops, so it's been advised to me, I probably want to stop doing that. The trick here is, your Bluetooth, it's a radio, just like a wifi device and a lot of people don't think that's it's capable of doing two way communication, they think it's a lot more secure than it is. But as your listeners know, anything that's software or hardware can be hacked and there's exploits that abound, BlueBorne being one of them, in terms of being able to take advantage of the actual Bluetooth standard and how it's been implemented in many devices, there's actually the capability, through Bluetooth, even if it's connected to some other device, that you could get into a user's device by simply poling that solution. First off you're going to scam for the radio to see if it's on, then you're going to ping that device to try to make a determination of what the operating system is, potentially diversion, maybe even the hardware of that and then, from there a nefarious hacker could go out and look for exploits on that device.

David DuFour: [00:15:42:10] To be fair, you do have to be within a pretty tight range, Bluetooth doesn't have the range of other radio technologies and it is complicated. But it's becoming more prevalent as people figure out you can do it. One of the only things you can do to protect yourself is to make sure you turn Bluetooth off if you're not using it.

Dave Bittner: [00:16:01:02] Now, what about if I am using Bluetooth? Let's say I'm in my care and I'm using the Bluetooth connection. If I'm connected between my phone and my vehicle am I still vulnerable to someone else, you know, a drive-by attack?

David DuFour: [00:16:12:23] If you're in your car, unless they're in the trunk and you don't realize it, they're probably not going to be within range to be able to get between there. But, but you do ask a great question, because if I'm sitting at, at a table and the person behind me is using their phone to listen to Bluetooth, potentially on headphones, it is possible, and it's very clear how to do this with BlueBorne, it's possible to actually get access to that device and exploit it, even if it's connected to a different device. This isn't a situation where it has to be in pairing, looking for other devices. So, a lot of people think that it has to be in that state but, no. the actual flaws are with the Bluetooth implementation that lets you get in if that radio is on, and if it's connected to something else.

Dave Bittner: [00:17:01:03] So, is this a hardware problem or is it software that can be patched?

David DuFour: [00:17:04:20] It's, it's definitely software that can be patched, provided you're running the Bluetooth radio on a device that's update-able and that your vendor provides a patch for it.

Dave Bittner: [00:17:16:00] David DuFour, thanks for joining us.

Dave Bittner: [00:17:19:21] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, check out If you find this podcast valuable, we'll hope you'll consider becoming a contributor. You can go to to find out how. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.