The CyberWire Daily Podcast 10.24.17
Ep 461 | 10.24.17

Reaper botnet update, Election hacking in Kenya, Czech Republic. M&A notes. APT28's phishing. Kaspersky's offer of code review. FBI shots in the crypto wars.


Dave Bittner: [00:00:00:22] Just the other day my ten year old son came to me and said "Daddy do you think some day instead of using this old stick of bamboo with a piece of string and a paperclip on the end of it I could get a real fishing rod?" and I said "Son if enough people sign up to support the CyberWire at I'll get you a real fishing rod", I'm kidding of course, he catches the fish with his bare hands.

Dave Bittner: [00:00:32:10] Hurricane Reaper, the big IoT botnet, remains a digital tropical depression, but plenty of people are warning everyone to stock up on the cyber equivalents of flashlight batteries and bottled water. Czech parliament sites are hacked in apparent election-related mischief. Kenya's contentious re-vote approaches. APT28 gets a Bronx cheer for lame CyCon phishing, but don't get cocky, kid. KnowBe4 and Cisco announce acquisitions. Kaspersky seeks to undo reputational damage inflicted by US Government bans. The FBI re-engages in the crypto wars and if you had a nose job at London Bridge Plastic Surgery, someone's got your before and after pix.

Dave Bittner: [00:01:19:17] A few words from our sponsors at E8 Security. If you've been to any security conference over the past year you've surely heard a lot about artificial intelligence and machine learning, we know we have. But E8 would like you to know that these aren't just buzz words, they're real technologies and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. Go to and let their white paper guide you through the possibilities of these indispensable emerging technological tools. Remember the buzz around artificial intelligence isn't about replacing humans, it's really about machine learning, a technology that's here today. So see what E8 has to say about it and they promise you won't get a sales call from a robot. Learn more at And we thank E8 for sponsoring our show.

Dave Bittner: [00:02:17:15] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, October 24th, 2017.

Dave Bittner: [00:02:28:15] People are still waiting for the Reaper botnet also called IoTroop, to unleash its expected distributed denial-of-service hurricane, but so far Hurricane Reaper remains the cyber equivalent of a just forming tropical low pressure system. It bears watching—security reporter Brian Krebs, for one, thinks this is the proverbial calm before the storm.

Dave Bittner: [00:02:51:10] The Mirai botnet to which Reaper is being compared incorporated about half-a-million IoT devices. Reaper is thought to have accumulated at least twice that many. Its bot-herding differs from Mirai's: where Mirai relied on exploiting default or hard-coded passwords, Reaper uses at least nine known vulnerabilities present in products of more than ten device manufacturers.

Dave Bittner: [00:03:14:24] Brief denial-of-service attacks interrupted vote-counting in Czech parliamentary elections as the government had to take down two sites temporarily, but effects seem transitory and of little consequence. It's unknown who was responsible. The campaign has been a contentious one, with a—stop us if you've heard this one—wealthy populist emerging as the surprise winner.

Dave Bittner: [00:03:38:22] Kenya is undergoing a troubled election this week, actually a court-ordered do-over prompted by findings of widespread and serious electronic voting fraud when the presidential election was held earlier this summer. Kenya's Supreme Court overturned incumbent President Uhuru Kenyatta's August 8th re-election in a decision handed down on September 1st. With voting now just two days off, it's not even clear if the opposition candidate will be standing for election this time around. Observers fear the possibility of civil unrest whatever the outcome turns out to be.

Dave Bittner: [00:04:14:02] APT28, also known as Fancy Bear, also known as Russia's GRU, is getting razzed for its attempt to phish attendees at the upcoming CyCon conference on cyber conflict, to be held November 7th and 8th in Washington, DC. "Oh you silly APT28, show some respect," is Bleeping Computer's admonition to the Russian hackers who phished for people likely to attend the upcoming CyCon conference. Apparently few have taken the bait. We get the joke, but before we're willing to second APT28's nomination for a Pwnie Award, we'll wait and see. Kids swallow the darndest phishbait.

Dave Bittner: [00:04:53:18] Anyway, we know for sure, for pretty sure, anyway, that we didn't take the bait, even though we'll be attending. On the other hand, we think APT28 didn't bother sending us a baited document, and we're glad of that, because, you know, well kids swallow the darndest phishbait.

Dave Bittner: [00:05:10:18] Kaspersky's offer to subject its source code to independent public review is about as much as the security firm can do to recoup reputational damage sustained from a US Government ban, Observers are skeptical that this will work: a code audit wouldn't preclude compromise by, or collaboration with, intelligence services, and those are the fundamental concerns that customers have.

Dave Bittner: [00:05:32:10] We've had plenty of examples this year of vulnerabilities in industrial control systems and the industrial Internet of things. The folks at CyberX released a new report today called The Global ICS and IIoT Risk Report. Phil Neray is VP of Industrial Cyber Security at CyberX and he gives us an overview of the report.

Phil Neray: [00:05:54:06] We know that experts have been telling us for years that these industrial networks are vulnerable and a lot of that is due to the fact that they were designed many years ago, that the protocols and devices that are using are insecure by design. They were designed at a time when the focus was more on performance and reliability than security and so they don't have a lot of the things that we take for granted in IT networks, like strong authentication. And a lot of these opinions are, you know, based on anecdotal evidence, lots of experience looking at these networks and seeing how insecure they are. So we thought it was important to have more of a data driven discussion about the risk and to objectively evaluate that risk and then talk about what we could do about it short of a massive upgrade to all of these networks.

Dave Bittner: [00:06:47:14] And so this approach involved actually going out and gathering a good bit of data?

Phil Neray: [00:06:52:11] Yeah we took network traffic data from real world industrial networks worldwide. Over the past 18 months we analyzed data from 375 industrial control networks across all sectors, energy, oil and gas, manufacturing, pharma, chemicals. And we used some algorithms that we've developed that are in the general category of network traffic analysis NTA which are specialized algorithms we've developed that by inspecting the network traffic can highlight vulnerabilities such as connections to the public Internet, what types of operating systems are running on the devices, what types of PLC's are installed in the network and using that analysis we came up with some data points that are pretty eye-opening I would day.

Dave Bittner: [00:07:45:03] Yeah I'd agree, well why don't you take us through some of the key findings in the report.

Phil Neray: [00:07:49:10] Sometimes these networks are described as being hard on the outside and soft on the inside like M&M candies and we found that they're definitely soft on the inside but they're actually not that hard on the outside either. And there's this myth of the air gap that because these networks are separated from the Internet or from corporate IT networks and airgapped from them that we don't have to worry too much about patching or monitoring. And what we found is that nearly a third of these networks are actually connected to the public Internet, so that was the first big one.

Phil Neray: [00:08:22:23] The second big one is that these networks have a lot of legacy windows machines in them. We found that three out of four of these sites have legacy windows machines like Windows XP or Windows 2000 which means they're not getting security patches from Microsoft anymore. So even if you wanted to patch them which is a difficult process in OT environments you can't. And if you wanted to upgrade all of them that's a big task because they're running all kinds of skate applications that might be tied to a particular version of Windows and so that would be a pretty massive upgrade. But what that means is once an attacker gets in the network it's pretty easy for them to deploy common malware to those devices, through those Windows boxes including it's sort of newer malware like Wanna Cry, NotPetya, but even the older stuff like Conficker would be running on these machines just 'cause they can't get those patches.

Dave Bittner: [00:09:19:15] So obviously you know sobering information, lots of interesting data, sort of translate it for us. So what does this mean in the real world? How bad is it?

Phil Neray: [00:09:28:20] Well I think it's a wakeup call. I think it's a wakeup call for management teams. Now you know the people who are running industrial security in these organizations they know, they know that their networks are vulnerable. I think the biggest challenge is raising awareness with management teams and boards of directors that this is an issue that really needs to be addressed from a top down point of view, kind of in the same way IT woke up to that fact, you know, ten years ago or so. Anything you can do from a top down point of view to encourage people to work together because look, if malware or a targeted attack shuts down the plant and your main production line that's generating the revenue for your company everyone is gonna suffer. You know the growth of your company is gonna suffer, people's careers are gonna be, you know, slowed down. There's gonna be the client's stock price. So really it's everyone's job to protect the OT network and so getting these guys to talk to each other, to understand each other, maybe assigning an OT person to go work in your corporate soft to learn a bit about security or taking an IT security people from CISO team and assigning them to the operation side of the business to learn a bit about how these OT networks work. Those are all good things to do to break down the barriers between IT and OT.

Dave Bittner: [00:10:49:06] That's Phil Neray from CyberX. The report is Global ICS and IIOT Risk Report. There's a lot more to it than we had time to cover here so you can check out the complete report on the CyberX website.

Dave Bittner: [00:11:04:05] In other industry news, security training shop KnowBe4 has announced that it's buying KnowBe4 expects the acquisition to provide the security awareness training shop with the ability to tailor training to an individual's observed behaviors.

Dave Bittner: [00:11:21:10] Cisco has also made an acquisition—a big one—buying Broadsoft for $1.71 billion. Broadsoft's products are widely used in the telecommunications industry, and the pick-up is expected to bolster Cisco's collaboration offerings and further diversify the company from its core switching and routing products. The deal surprised many analysts, who now speculate that Cisco may make a major push to buy a rival.

Dave Bittner: [00:11:48:16] The US FBI reengages in the cryptowars, still on the anti-encryption side. Director Wray says he gets "that there's a balance to be struck," but he calls unbreakable encryption a "huge, huge problem." The Bureau has been unable to break into some seven thousand devices it tried to access over the past year in the course of investigations.

Dave Bittner: [00:12:10:23] Finally, a plastic surgery practice in the UK has been breached, and of course the question everyone wants answered (that is, everyone who reads celebrity gossip sheet E! Online) is this: was the Royal Family involved? Was their information among those compromised in the hack of London Bridge Plastic Surgery? The aesthetic surgeons to the stars describe themselves as "horrified," and say that of course the attack was the work of a sophisticated group well-known for hitting medical practices in the US. Police are investigating. Apparently photos are involved. Photos usually are.

Dave Bittner: [00:12:54:11] Now I'd like to tell you about some research from our sponsor Cylance. Good policy is informed by sound technical understanding. The crypto wars aren't over. Cylance would like to share some thoughts from ICIT on the surveillance state of censorship and about the conundrum of censorship legislation. They've concluded that recent efforts by governments to weaken encryption introduced exploitable vulnerabilities into applications and develop nation-state dragnet surveillance programs will do little to stymie the rise in terrorist attacks. These efforts will be a detriment to national security and only further exhaust law enforcement resources and obfuscate adversary communiqués with a massive cloud of noise. Backdoors for the good guys means backdoors for the bad guys and it's next to impossible to keep the lone wolves from hearing the howling of the back. Go to and take a look at their blog for reflection on surveillance, censorship and security and we thank Cylance for sponsoring our show.

Dave Bittner: [00:14:00:12] And joining me once again is David Dufour, he's the Senior Director of Engineering and Cyber Security at Webroot. Dave welcome back. Over there are Webroot you publish a report, it's called Your Quarterly Threat Trends and you guys are seeing some interesting stuff when it comes to phishing?

David Dufour: [00:14:14:12] Yes thank you for having me back David and phishing I think to probably no-one's surprise continues to be a really huge attack vector for everyone in the cyber security industry. I may have said this story before but it is one of my favorite stories of all time how in 1988 I joined the Air Force and we were taught that social engineering was the number one way that the bad guys were gonna try to get into a computer system by phoning you or acting like they were maintenance people or trying to someway get your user name and password from you. Again that was 1988 not to date myself. Here we are in 2017 with phishing and that is still ironically, social engineering is the number one way of getting access to someone's information, their accounts and things of that nature. So 29 years it hasn't changed.

Dave Bittner: [00:15:05:20] Yeah what are some of the stats that you all have been seeing?

David Dufour: [00:15:08:18] You know to throw some hard numbers at you we're seeing about 46,000 new phishing sites created everyday. 46,000. And so what's happening here is folks are able to automate the infiltration of unpatched web-servers, things of that nature and then they're propagating across those web-servers with pre-packaged typically phishing tools that you can buy at places like Alpha Bays, you know out of business but you know websites like that you buy these pre-packaged phishing sites that you can just automate the deployment of those if you've been able to hack serves. So we're seeing massive massive numbers and these packages typically are geared towards attacking or phishing information from financial institutions or technology companies. So those are the two main categories we're seeing where these packages or folks are trying to phish information from people to gain access to those environments.

Dave Bittner: [00:16:05:14] So they're trying to get access to people's banking information?

David Dufour: [00:16:08:21] Yes. So banking information would be banking, financial, your stocks, things like that, that's the number one thing we see in terms of you know people trying to steal money. Then on the other side of the fence people are trying to get access to like your email accounts or even hack into technology companies simply because it's fun to hack into technology companies and look cool doing it. So that's why we really see those two verticals as being the primary vehicles of attack.

Dave Bittner: [00:16:39:17] And so observing these things what kind of efforts are there to help shut them down?

David Dufour: [00:16:44:22] There are lists out there that are provided. A lot of that is crowd sourced where someone sees a phishing site, they may have gotten in an email and they're gonna add that to a list. The problem with lists that we experience and this, you know, my view in what I'm seeing. Most of the phishing sites we see are only up for four to eight hours. So there's 46,000 sites created everyday on average are only up and running four to eight hours. So a list is not necessarily gonna provide you accurate information about phishing sites that are up. What you've really gotta do is look for solutions that can identify sites in real time as you're trying to hit that site. From a pure security play what you wanna do is analyze a URL as you navigate to it to ensure that it is not a phishing site, that it is in fact a legitimate site and obviously you're gonna need some type of software or something running on your machine to do that. Short of that David, what you can do to protect yourself from phishing is don't click on those links that someone might send you in a social app or something, you know, verify it, hover over it to make sure it looks legit and really honestly the best thing you can do is if someone sends you an email or sends you a link they want you to navigate to type it in your browser, that's how you can be sure you're going to the site you expect to arrive at.

Dave Bittner: [00:18:16:06] Alright good advice as always, David Dufour thanks for joining us.

Dave Bittner: [00:18:21:10] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible especially our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:18:34:09] The CyberWire Podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.