The CyberWire Daily Podcast 11.9.17
Ep 473 | 11.9.17

Macro-less malware. Metacriminals and botnet herders. Hacking ships and airliners. Cryptocurrency glitch. Congratulations to the SINET 16.


Dave Bittner: [00:00:01:15] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at

Dave Bittner: [00:00:13:19] There's no honor among thieves, or botnet herders, either. Reaper still seems quiet. Macro-less malware is a problem, according to Microsoft. Researchers show you can hack an airliner's avionics. The maritime shipping sector worries that Maersk’s experience with NotPetya isn't just a one-off. Ether, the cryptocurrency, is disappearing into the aether, at least this once. And we congratulate this year's SINET 16.

Dave Bittner: [00:00:44:12] Here's a quick note about our sponsor E8 Security. We've all heard a lot about artificial intelligence and machine learning. Hey, who of a certain age doesn't know that Skynet achieved self awareness and sent the Terminator back to take care of business? But that's science fiction and not even very plausible science fiction. But the artificial intelligence and machine learning that E8 is talking about isn't science fiction at all.

Dave Bittner: [00:01:06:00] They're here today, and E8's white paper available at can guide you through the big picture of these still emerging but already proven technologies. We all need to turn data into understanding, and information into meaning. AI and machine learning can help you do that. See what they can do for you at, and we thank E8 for sponsoring our show.

Dave Bittner: [00:01:39:19] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, November 9th, 2017.

Dave Bittner: [00:01:49:10] There's no honor among thieves, and unfortunately sometimes that's a bad thing for the rest of us. According to a report in Bleeping Computer, researchers at NewSky Security discovered one hacker who realized that the hype and fear surrounding the Reaper botnet would inevitably lead poorly skilled crooks, call them script kiddies, or wannabes, or skids, or whatever other leetspeak terms of contempt you'd care to apply, to look for ways of ringing the bell on the Reaper gravy train.

Dave Bittner: [00:02:13:13] So the criminal who saw opportunity here, perhaps we can call him a metacriminal, wrote some PHP script designed to attract skids who wanted to scan for IoT devices vulnerable to being roped into a Reaper-like botnet. That script, however, was backdoored. It would indeed scan for you, but it was also backdoored, so that any hood who used it would get his version of Reaper, but that little Reaper would in turn be roped into the metacriminal's own, big, Kaiten botnet. So, not good news for the skids, but also not good news for the rest of us who might be irritated by a big botnet. The Reaper botnet, by the way, is still keeping itself quiet, apparently. Not many signs of activity, but it's still out there.

Dave Bittner: [00:02:57:20] We've heard, and it bears repeating, that Microsoft has warned of macro-less malware. This is malware that exploits a recently discovered vulnerability in the company's Dynamic Data Exchange (DDE) protocol. The approach is troubling because, even if users take the precaution of not enabling macros, exploitation of DDE can still affect them through Word documents, Excel spreadsheets, or Outlook files. And, of course, one threat actor using this attack vector in the wild is Russia's GRU military intelligence service, which you'll know as our old acquaintance Fancy Bear.

Dave Bittner: [00:03:32:14] Concerns about the vulnerability of transportation modalities to hackers continues to rise. A team of researchers drawn from industry, universities, and the US Government has demonstrated the possibility, "in a non-laboratory environment," as they say, of hacking a Boeing 757 airliner. The demonstration is troubling because the hack didn't require physical access to the aircraft. The researchers were able to establish remote presence in non-cooperating systems. And the systems they got into weren't just in-flight entertainment stuff, but the avionics, the electronic systems that control the aircraft.

Dave Bittner: [00:04:09:17] There are also concerns at sea. These aren't based on a demonstration, but rather on experience in the wild. Many in the maritime shipping sector now believe that shipping giant Maersk's experience with NotPetya pseudoransomware demonstrates that merchant vessels are clearly vulnerable to cyberattack, and that the industry needs to up its cybersecurity game.

Dave Bittner: [00:04:31:13] One series of mishaps at sea, the collisions the US Navy has been involved with in the Western Pacific over the course of the past year, has proven not to be cyber-related. Many observers, and not a few admirals, thought there were too many collisions for coincidence, and the Navy initially entertained fears that its ships had been hacked. But investigation hasn't borne this out. The US Navy has reached the painful conclusion that the accidents weren't induced by cyberattacks, but rather by an erosion of seamanship. Not every problem is a cyber problem.

Dave Bittner: [00:05:04:11] We're down in Washington today for the annual SINET Showcase. The SINET 16 are being recognized today. We'll have a full report on our website after the conference's conclusion. In the meantime, you can follow conference-related tweets with the hashtag #SINETDC. And our congratulations to this year's SINET 16, innovative companies who've won recognition for new solutions and new approaches to those challenges and trends. They are, in reverse alphabetical order, Virtru, Versive, Verodin, vArmour, Twistlock, ThreatQuotient, ProtectWise, Prevoty, Phantom, PatternEx, Menlo Security, iProov, Infosec Global, Haystax Technology, Fireglass, and Centripetal Networks. Well done all.

Dave Bittner: [00:05:52:16] Accidental code deletion has rendered a lot of ether digital currency, about £214 million, inaccessible, perhaps frozen, perhaps gone. So watch out. You don't want your ether to disappear into the aether.

Dave Bittner: [00:06:12:02] Now I'd like to tell you about a new white paper from our sponsor Delta Risk. More than 90 percent of companies are using the cloud. Although the benefits are clear, moving to the cloud comes with new and unique security challenges. In the white paper, understanding the challenges of cloud monitoring and security, Delta Risk cloud security experts outline the key methods organizations can adapt to gain clearer visibility into their network and critical assets.

Dave Bittner: [00:06:38:10] You can get your copy of the white paper by visiting Delta Risk LLC, a Chertoff Group company, is a global provider of cybersecurity services to commercial and government clients. Learn more about Delta Risk by visiting And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:07:06:22] And joining me once again is Justin Harvey, he's the global incident response leader at Accenture. Justin, great to have you back. We want to take stock today and I wonder, are we gaining on the problem here? It seems we're spending billions of dollars every year on cybersecurity and I don't get the sense that we're gaining on the problem.

Justin Harvey: [00:07:27:03] Yes, no-one likes taking vitamins or working out, at least I don't. I think that what we're encountering here, I'm seeing a really big growing trend of companies that are failing the basics. What I mean by failing the basics here is to do the stuff that no-one really likes to do, it's the grunt work. It's the knowing where your sensitive data is in your HVAs, your high value assets. I got to tell you, just that sentence alone, knowing what your assets are. For the multi billion dollar companies, this is nearly a whole team's responsibility, is making sure that they understand the digital assets within the organization.

Justin Harvey: [00:08:16:15] Then on top of that, even if you did know where all of your sensitive data lives and where it's traversing and ensuring that it's being securely communicated, then you've got to know what applications and what versions all of those are on. Then on top of that you've got to be able to synthesize and curate and monitor the open source. So when Microsoft releases a new patch or Orca releases a new patch for a web server, you've got to be able to know that that's been released. You've got to know if it affects you and then what the net effect of that is within the business because as you know, security does not own the operational responsibility for applications and operating systems typically.

Justin Harvey: [00:09:05:10] These are the basics that companies are struggling with. I think that some of the companies today and organizations that are doing security, are losing focus because they see these new savior technologies like AI and machine learning and the ability to automate a lot of things. But if you're not doing the basics, if you don't know where your sensitive data is and where it's traversing and or your assets, and the ability to keep them patched and monitored, then how can you move toward automating that?

Dave Bittner: [00:09:42:10] Is this a matter of properly setting priorities?

Justin Harvey: [00:09:46:05] Yes, I think that one of the patterns that I see a lot is the board gives the C suite the funding, and then the C suite is comprised of CEO, CFO, Chief Risk Officer and then the CIO, the Chief Information Officer. And I've seen a pattern develop where if the CISO reports into the CIO and there's not a really good partnership there, the CIO's job is to foster innovation, to manage the information flow within a corporation, and to reduce expenses or reduce the overhead. And security is seen as one of those cost pockets if you will, or cost sinks that the CIO could say, "I'm trying to fund security but it's never ending. They always need more money and I'm not reducing my expenses."

Justin Harvey: [00:10:44:03] I think that one of the ways that we have been successful at Accenture is working with the board, and working to get them to understand the risks and the threats on a macro level and to understand that security, cyber defense security, information security, not only should be taken seriously, but it can have a direct affect to the bottom line, to the customers, et cetera. And once you get the board bought into this model, they are then able to task the C suite and it cascades down, even to the lower levels around compliance, budgeting and at least having a much better understanding of the risks associated with not properly funding the security team.

Dave Bittner: [00:11:28:19] Justin Harvey, thanks for joining us.

Dave Bittner: [00:11:34:13] And now a few words about our sponsor Dragos, the ICS and OT security experts. They've got some advice to help people understand threat detection for industrial control system security. Dragos has determined that there are four basic ways of detecting threats, through configuration, modeling, indicators and behavioral analytics. If an ICS security team understands these modes of detection, how they're different, and how they can be used to monitor industrial environments, they'll be able to help their organization invest intelligently for improved security.

Dave Bittner: [00:12:06:09] Check out their webcast on the topic hosted at and learn all about detection. And to find out more about Dragos, including the paper they've prepared on the four kinds of threat detection, go to and meet the people who built the first industrial cyber security ecosystem. That's And we thank Dragos for sponsoring our show.

Dave Bittner: [00:12:40:14] My guest today is David Barzilai. He's the executive chairman at Karamba Security, a company that provides end point security for connected cars. I began our conversation by asking him about the mixed blessing of cars becoming more and more networks of small computers connected to the internet.

David Barzilai: [00:12:59:10] So first of all, the benefit is fantastic. For us as consumers it means that cars are far more convenient, being connected we can browse the web, we can download, make phone calls from the car, and so on. When cars are self driven then it makes it even better because we are less exposed to safety risks when we do not see someone crossing in front of us, the car will stop by itself. But the problem is that we have this consistent pattern that when systems become connected, they also become targets for hackers.

Dave Bittner: [00:13:44:18] Give me an idea what's going on underneath the hood in cars. Are there standard operating systems independent of the brand of cars or is there a variety, similar to how there are various desktop operating systems? How do car manufacturers choose what's going to be running underneath the hood?

David Barzilai: [00:14:04:07] That's an excellent question. First of all, cars are somewhat complex by virtue that what we have is several ECUs, meaning electronic control units. These are small embedded systems that each one is responsible for different functionality of the car. So when we use the steering wheel, in essence we make the ECU of the steering wheel turn the wheels to the right or the left. Same goes with the windshield wipers, the infotainment, the airbags, telematics, meaning the GPS, and anything like that.

David Barzilai: [00:14:48:19] We have in each car a network of about 100 ECUs, embedded systems. Each one of them is responsible for a different functionality of the car and they're all connected. That means if I hack into one of those ECUs, in essence I have access to all others. Those small controllers run real time operating systems, schedulers, those that are more heavy, those that run the infotainment system which is the entertainment, the radio, GPS, the gateway of the car.

David Barzilai: [00:15:31:24] They run operating systems that they're very familiar with. They run Linux, QNX, so what you see is a network of about 100 controllers, and each one of them is responsible for a different functionality of the car. They're all connected and each one of them is running an operating system or a scheduler. That means that when we look at the car as a target for a cyber hack, then the idea is that some of those 100 ECUs are externally connected. They have connectivity. Not too many of them by the way, it's about four to five.

David Barzilai: [00:16:20:12] But the point is that those externally connected controllers, once compromised, hackers could use the network connectivity from these gates to the car and get into the safety systems of the car. This is how with quite a famous example, the infotainment system was hacked and then the car went overly crazy. The windshield wipers started to go on and off, the radio volume went out of control, and then eventually the car was halted in the middle of the highway.

Dave Bittner: [00:17:03:17] Help me understand here, because in this case, this was a vehicle that was being sold. It was on the streets, and surely the vehicle manufacturer would have taken that vehicle through various safety tests and had the software tested to make sure that these sorts of things couldn't happen? When they shipped this vehicle, they thought this was a safe vehicle, and it turned out to not be the case.

David Barzilai: [00:17:27:19] You're right, they had a very good reason to assume it's a safe vehicle because every car goes through rigorous quality assurance tests, including safety tests and now also cybersecurity tests. The problem is, what hackers are doing is to exploit security bugs, so the bottom line is that unfortunately, there are always bugs, always some of those security vulnerabilities escape us, they're hidden, they cannot be uncovered with even the most rigorous quality assurance test. And this is what hackers are looking for.

David Barzilai: [00:18:03:15] The good thing is that car manufacturers are gearing up to the risk and to addressing it. So the idea is that almost all car companies, at least those that we are aware of, all of them have integrated in-house security teams. Secondly, they also do what's called pen testing which is penetration testing for the car, so they try to raise the bar. In addition we also have the government, so we have NTSA, the National Highway Traffic and Safety Administration. NTSA published about a year ago, something like that, some guidelines of what should be done.

David Barzilai: [00:18:45:12] But you're right that cybersecurity is not currently part of the five star safety system or the safety ranking. One of the reasons for that is that cybersecurity risks have just started, that's the first reason. The second reason is that unlike consumer products, meaning laptops or mobile phones, where we as consumers bear the liability for protecting our own devices, here vendors, the providers, see themselves as liable. So they're putting money and trying to embed cybersecurity software and hardware into the new generation of cars, with the intent to make it seamless for us as consumers.

Dave Bittner: [00:19:42:05] That's David Barzilai, he's from Karamba Security.

Dave Bittner: [00:19:50:14] And that's the CyberWire. A quick program note. Here in the US tomorrow is the day we observe Veterans Day so we will not be publishing tomorrow. We'll be back here on Monday with more of the CyberWire. Thanks to our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:20:12:01] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend, we'll see you back here on Monday. Thanks for listening.