The CyberWire Daily Podcast 10.23.17
Ep 460 | 10.23.17

Reaper botnet looming, but not yet landed. CyCon phishing. How to troll for influence.


Dave Bittner: [00:00:01:06] You can show your support for the CyberWire by visiting and signing up today to help support our show. Thanks.

Dave Bittner: [00:00:12:19] We've got notes on active malware campaigns, and a warning to be on the lookout for the Reaper botnet, which hasn't yet realized its disruptive potential. Kaspersky opens its source code to independent review to show it's got nothing to hide. Fancy Bear is phishing for you if you plan to attend CyCon. The difficulty of recognizing trolls, and the dangers of innocent posts getting badly lost in translation. A quick note about the ICS Security Conference, and look for lulz in all the wrong places.

Dave Bittner: [00:00:45:23] A quick note about our sponsors at E8 Security. They understand the difference between a buzzword and a real solution, and they can help you disentangle them too - especially when it comes to machine-learning and Artificial Intelligence. You can get a free white paper that explains these new but proven technologies at We all know that human talent is as necessary to good security as it is scarce and expensive, but machine-learning and Artificial Intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised machine-learning - where a human teaches the machine - might seem the best approach, in fact unsupervised machine-learning can show the human something unexpected. Cut through the glare of information overload and move from data to understanding. Check out and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:52:23] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary from Monday, October 23rd, 2017.

Dave Bittner: [00:02:03:14] We begin with a few quick warnings. Two active malware campaigns bear watching in the wild: MacOS Proton back doors are being distributed through Trojanized Elmedia players, and the Magniber ransomware strain continues its geo-focused circulation through East Asia.

Dave Bittner: [00:02:21:17] Security experts are still waiting for the Reaper IoT botnet storm to hit. It's also called IoTroop. Many think the distributed denial-of-service campaign Reaper appears to be being readied for may dwarf Mirai's.

Dave Bittner: [00:02:35:20] Kaspersky Lab has offered a counter to the US Government's ejection of the company's software from Federal networks. Kaspersky is offering, under the slogan, "Don't just take our word for it, see everything for yourself," a Global Transparency Initiative in which the company is offering up its source code for independent public inspection. This will allay some of the more lurid claims that the company's software is engineered as a reconnaissance tool for exploitation by Russian intelligence services. But it's unlikely to assuage concerns that the exploitation and compromise users fear wouldn't be possible in some other form. Still, it's difficult to see what else Kaspersky could offer. Non-governmental users of the security software seem to be following the US Government's lead.

Dave Bittner: [00:03:22:10] Fancy Bear, also known as APT28 or, to name it directly, Russia's GRU, is snuffling around people thinking about attending next month's CyCon conference in Washington D.C. Sponsored jointly by the US Army Cyber Institute and NATO's Cooperative Cyber Defence Center of Excellence, this year the well known conference takes the Future of Cyber Conflict as its theme. Fancy Bear is phishing for prospective attendees with a baited Word document that carries Seduploader as its payload. Seduploader is a reconnaissance tool useful in determining which targets deserve closer attention. The phishbait document, a cut and paste job designed to look like an event flier, is Conference_on_Cyber_Conflict.doc. Stay away from it and the malicious macro it contains.

Dave Bittner: [00:04:12:24] A Twitter executive was apparently successfully trolled by Russian influence operators in 2016, induced to re-tweet positive stories from a bogus Black Lives Matter activist. Twitter CEO Jack Dorsey is said to have retweeted posts from a Saint Petersburg troll factory in early 2016. Observers take the incident as a cautionary tale of how grooming influencers works. It's little different from the ways in which unwitting agents of influence have always been cultivated: start small and start innocent, in this case with tweets about how, "Rihanna collects her Humanitarian of the Year award from Harvard." Who, after all, could object to that? Before everyone piles onto Mr. Dorsey as the naivest kind of sap and stooge, consider a couple of points. First, he's believed to have re-tweeted precisely two tweets from the trolls, both of them entirely anodyne, harmless, the sort of thing anyone who notices pop music - or Harvard for that matter - might have retweeted or liked. Second, few bother to look closely at the sources of social media posts they find interesting and in this case, the Russian troll farm had been at pains to conceal its identity. So we invite anyone who hasn't casually shared some innocent news over social media to cast the first stone.

Dave Bittner: [00:05:30:19] It's become clear that where influence operations are concerned, lies require a bodyguard of truth and the vicious will stand unobtrusively amid a crowd of the virtuous. It's a bit like the way the devil is said to be able to appear in the guise of an angel of light.

Dave Bittner: [00:05:46:09] It's also becoming clear that hopes for salvation through Artificial Intelligence are premature at best, if not actually impossible in principle. This is not to say that AI isn't useful and won't form an indispensable part of technology's future, but AI is not the philosopher's stone, whatever the alchemists of Mountain View and Cupertino might lead one to believe.

Dave Bittner: [00:06:07:17] Consider the difficulties Facebook has been seen to have with selling ads to Russian influence operators and others they'd rather not be associated with. It's a tough problem that's induced the company to open positions for a large number of human analysts.

Dave Bittner: [00:06:23:06] And the limitations in the state of the natural language processing art were on display this week in Israel. Haaretz reports that Israeli police arrested a Palestinian man for "suspicion of incitement." The suspect in question seems entirely innocent. A construction worker, he posted a photo of himself leaning against a bulldozer and holding a cup of coffee and a cigarette. His caption was a simple, "Good morning." But Facebook's algorithms rendered the Arabic greeting as, "Attack them," in Hebrew and, "Hurt them," in English.

Dave Bittner: [00:06:56:18] We've got our people down in Atlanta this week for the annual ICS Security Conference that began today. The event, which serves "energy, utility, chemical, transportation, manufacturing and other industrial and critical infrastructure organizations," focuses on the distinctive challenges of securing industrial control systems - ICS.

Dave Bittner: [00:07:16:24] The conference opens just after US authorities warn that the Dragonfly threat group, also known as Energetic Bear, is actively engaged in spearphishing operations against utilities - principally electrical power organizations. The campaign appears to be in its reconnaissance phase. A similar warning was delivered last week in Belfast by Ciaran Martin, head of GCHQ's National Cyber Security Center, who said that while the NCSC had successfully blocked attempts to penetrate Northern Ireland's grid, the attackers could be expected to return.

Dave Bittner: [00:07:51:21] And finally, teenage hacker but legal adult, Meetkumar Hiteshbhai Desai, now 19, was looking for lulz in all the wrong places when he hacked and shut down 911 services throughout Maricopa, Arizona last year. Master Desai has received three years' probation, and he got off lightly. Shutting down 911 is no joke. We close with a word to our fellow youths out there: stay in school, stay away from cyber crime, and think twice before you think something's funny and harmless.

Dave Bittner: [00:08:28:07] Time to share some news from our sponsor Cylance. Cylance has integrated its artificially intelligent CylancePROTECT Engine into VirusTotal. You'll know VirusTotal as the free online service that analyzes files and URLs to identify viruses, worms, Trojans, and the other kinds of badness antivirus engines and website scanners pick up. Well, Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive, and the internet a safer place. It's like public health for cyberspace. Free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyber attacks, and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit and look at their blog for more on their contribution to our online immune system. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:09:28:00] And I'm pleased to be joined once again by Dale Drew, he's the Chief Security Officer at Level 3 Communications. Dale, welcome back. You know, you wanted to make the point today that when it comes to the supply chain, we've got some real issues here.

Dale Drew: [00:09:40:00] Yeah. We, we think that the supply chain management for the average CISO is getting out of control. You know, there was a recent study that said that the average CISO has to maintain up to 75 separate security vendors just to protect their ecosystem. And that sort of chaos management and making sure that, that each of those layers is properly effective and efficient, is really difficult. And so these are things like your antivirus vendors, your intrusion detection vendors, your firewall vendors, data protection, governance risk and compliance, I mean, so it's a pretty broad spectrum.

Dale Drew: [00:10:17:24] We're also hindered by the fact that, that vendors are selling solutions that are based on unknowns, right? You're buying a solution from a third party and relying on their expertise, and so sometimes evaluation of that capability can be difficult for the CISO and their team. So to sort of prove this point, we operated a, a web page a while back called Zero Functionality. And so it was taking advantage of the nomenclature of zero footprint and zero effort, and so we operated a web page for a while called Zero Functionality as a parody site. And so the, the sort of whole theme of it was, if you want a security solution with zero effort, and zero footprint, and zero capability, you should buy Zero Functionality. We had things like, Devin Knowle was the CEO of the company. We had Les Ismore, was the head of marketing. MT Suit was our CFO. Within a week, we sold three solutions. We had three customers who were interested in that sort of zero effort in being able to protect their enterprise; we actually had three people wanting to buy our solution based on an empty PowerPoint presentation and an empty zip file demo.

Dave Bittner: [00:11:32:14] So you--wait, wait, wait. So you had actual customers, money in hand, who did not get the joke and were ready to buy what you were pretending to be selling?

Dale Drew: [00:11:41:14] That's absolutely right. We, we had people who, not realizing that this was a parody site, were really sort of attracted to that sort of zero effort capability of protecting their enterprise 'cause they didn't have the expertise. They came to us dollar bills in hand, wanting to buy this zero product.

Dave Bittner: [00:11:57:22] Wow.

Dale Drew: [00:11:58:03] So we, we think that, that not only is the ecosystem complex even for the most qualified technical team, but it can be a, a pretty significant overwhelming experience for organizations that don't have the right expertise. So, you know, some of our recommendations are that, you know, when you want to evaluate technology, have a Request For Information, or an RFI, in hand for each of the areas of security technology that you want to review. You can also go to a third party and have them help you write an RFI, and the RFI should have a list of detailed questions about what you want to accomplish with that solution, how effective that solution is going to be, and what its capabilities are. And that gives you sort of an independent sort of peer review across the vendors in that space when you're evaluating solutions. Go talk to a Value Added Reseller about the vendors that you're evaluating, and ask them about their reputation and about their capabilities.

Dale Drew: [00:12:31:10] VARs who resell security solutions are going to have sort of a, an effectiveness capability and reviews from their other customers, and, and will be able to provide you with some, you know, advice and guidance. We'd also advise that you test that solution in a small deployment - whether it's a test network or a small piece of your production network - before you commit to buying it to see if you were to buy and deploy it, how effective is it going to be, so you don't end up buying a solution purely on a PowerPoint presentation.

Dale Drew: [00:13:24:14] And then the last one is, you know, we'd also recommend that, that you ask the vendor for references of people who are like in size, and like in industry that you are, and ask for their summary of the use of their solution in that company's network. And so you get again, a peer review, a like for like review of the same sort of company. These sorts of tools are going to help you make sure that when you're evaluating a solution, you're not doing it just based on the sales pitch, you're doing it based on a, a fairly deep understanding of the capabilities of that solution when you do deploy it in your network to protect yourself.

Dave Bittner: [00:14:02:05] Alright. Pays off to do your homework. Dale Drew, thanks for joining us.

Dave Bittner: [00:14:07:12] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our sustaining sponsor, Cylance. To find out how Cylance can help protect you using Artificial Intelligence, visit

Dave Bittner: [00:14:20:08] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.