The CyberWire Daily Podcast 11.14.17
Ep 475 | 11.14.17

Influence operations in Catalonia? IcedID banking Trojan. The Shadow Brokers: an intelligence service or a bunch of moles? Patch notes.


Dave Bittner: [00:00:01:07] I know it's a popular thing for people to say: for just the price of a cup of coffee, you can support us on Patreon, and it's true! So do it. Thanks.

Dave Bittner: [00:00:16:12] Spain sees foreign influence operations in Catalonia. IBM's X-Force warns of a new banking Trojan. There may be a mole hunt going on in NSA, and somewhere the Shadow Brokers are smiling. Anti-virus companies fix the AVGater vulnerability. Firefox and Google both commit to security upgrades. Tenable urges people to avoid breaches through good hygiene, and Carbon Black wishes we'd stop calling attackers "hackers."

Dave Bittner: [00:00:48:16] It's time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily - we look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough.

Dave Bittner: [00:01:13:01] Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today to stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:00:02] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Tuesday, November 14th, 2017.

Dave Bittner: [00:02:10:11] Spain's government has warned the European Union that a disinformation campaign aimed at influencing the Catalan separatist movement appears to originate in Russian territory, with much of it being repeated from Venezuelan territory. The Spanish Defense Minister stopped short of formally accusing the Russian government, because of course attribution is difficult. It's also risky in a time when influence operations are coming to be considered dangerously close to an act of war.

Dave Bittner: [00:02:39:04] Security researchers from IBM's X-Force have spotted a new banking Trojan, which they're calling "IcedID." It's new, and apparently still under development, but it appears capable of using both redirection and web injection attacks. Until now, Dridex had been the only prominent banking Trojan to employ both kinds of attack. X-Force thinks IcedID is using Emotet's botnet infrastructure to distribute itself.

Dave Bittner: [00:03:07:00] The NSA mole hunt continues, as a long piece on the Shadow Brokers the New York Times published over the weekend is still drawing a great deal of comment. Observers tend to make a couple of points. First, the leaks that have reached the world through the Shadow Brokers cast doubt on any organization's ability to safeguard sensitive information. Second, every enterprise should bring its patches, particularly patches for mobile devices, up to date, as many fear a wave of mobile system hacking. Suspicion centers on either Russian intelligence services, or on some group of disgruntled insiders.

Dave Bittner: [00:03:42:05] A question some pundits are raising, and answering, is this: if the Shadow Brokers are indeed run by Russian intelligence services, why would they have leaked NSA tools to the world? Why wouldn't they simply have used them, quietly, to work their damage against US targets? This is being cited by some as grounds for thinking in fact the Brokers aren't really the Russians at all, but some sort of disgruntled insiders. CBS This Morning, for example, yesterday interviewed their in-house national security contributor Michael Morell, a former acting Director of Central Intelligence, who said he's not sure. He said, quote, "If Russia had access to NSA in terms of cyber, Internet access, or in terms of an insider, why would they go public and give that up? I tend to think this is either a disgruntled insider or an outside group."

Dave Bittner: [00:04:32:01] That's certainly a possibility, and intelligence services everywhere are notoriously sensitive about doing or saying anything that could reveal sources and methods. Indeed, their wariness about doing so is a common source of frustration on the part of the operators who are the intelligence services' customers. But there are at least three other points worth making.

Dave Bittner: [00:04:51:20] First, releasing tools that came rightly or wrongly to be generally attributed to NSA, was a hard shot at the agency's reputation. An article in Esquire this week has the sophomoric but representative title, "The NSA: Still Effing Up". And a reputation for effing up is not a good thing for anybody, still less for the premier US SIGINT shop. But don't take it from Esquire, take it from Sputnik, too. The Russian news outlet primly said Monday that, "The NSA was dealt a severe blow by a massive infiltration that resulted in the theft of cyber-weapons by unidentified hackers, calling into question its value to US national security."

Dave Bittner: [00:05:33:24] Touching as Sputnik's concern for good government and US national security may be, it's not a good look for Fort Meade. So reputational damage hurts an intelligence agency as much as it hurts, say, a credit bureau or a telecom company. Maybe it hurts even more, especially when legal authorities like Section 702 are under consideration by Congress. Section 702 gives NSA authority to intercept foreign signals, subject to oversight by the FISA court. This authority is widely regarded within the US Intelligence Community as essential to the IC's ability to do its job. Section 702 skeptics see the law as a threat to privacy and domestic civil liberties, and hope for its sunset at the end of the year. Such damage obviously works to the advantage of nation-state adversaries, who surely have their own reasons for disliking Section 702.

Dave Bittner: [00:06:26:06] Second, one of the most damaging things any security service can undergo is a mole hunt. The most famous one that's broken out into public awareness is the still controversial mole hunt that tore through the CIA during the later tenure of Langley's legendary counterintelligence chief, James Angleton. A mole hunt at Fort Meade, with the attendant mistrust, suspicion, and fear it could engender, could also likewise work to the advantage of a nation-state adversary.

Dave Bittner: [00:06:53:23] Third, it's worth noting that the Shadow Brokers started to sell, or more accurately dump, their material in August of 2016. This is some months after an as yet publicly unnamed NSA worker was found to have highly sensitive material on a compromised laptop. If a foreign intelligence service became aware that their operation had been blown, that would change its calculus about sources and methods, possibly tipping the balance in favor of disclosure. If you'd had an in at NSA but had it no longer, why not go for the confusion and reputational damage?

Dave Bittner: [00:07:29:04] It's been reported that some widely used anti-virus software products are vulnerable to a proof-of-concept exploit, "AVGater," that could bypass their protections. Researcher Florian Bogner found the problem and privately disclosed it to the affected vendors. Emsisoft, Ikarus, Kaspersky, Malwarebytes, Trend Micro, and Check Point have patched. The exploit's not trivial to use, since it requires admin access, but then admin access has been achieved by hoods in the past.

Dave Bittner: [00:08:00:10] In other update news, Firefox 57 will introduce more capable sandboxing in its next version, and Google has put Android app developers on notice that it will kick anything found misusing Accessibility services out of the Play Store.

Dave Bittner: [00:08:16:16] We've been reporting ongoing troubles with organizations misconfiguring their Amazon AWS buckets, exposing sensitive information online. There's a frightening asymmetry there, that an incorrect setting can lead to such exposure; and of course, once the information is gone, it's gone for good. Steve McGregory is Senior Director of Applications and Threat Intelligence at Ixia, a Keysight company, and he makes the case that cloud providers need to simplify their offerings and help cut through the noise.

Steve McGregory: [00:08:46:07] I think what we've done with the cloud, what we've introduced, is basically infinite processing and bandwidth. It's not really infinite, we know that, but if you go back ten years ago, to get access to a lot of bandwidth or, you know--you had co-locations, you would have to take ownership of those systems and manage it yourself. But today, at the fingertips, we can scale massively round the globe very easily. At the same time, it's grown in complexity for the people who need to use it. It's a complex environment, especially in the security world.

Dave Bittner: [00:09:25:01] Take us through that. What sorts of things are people finding themselves up against?

Steve McGregory: [00:09:29:01] It's the unknown. So in the security industry, I've always said that we have a great problem, which is lack of awareness. People don't know what's out there that can harm them. When you go to the cloud, there's a great bit more of that, potentially. You're, you've sort of opened up your attack surface without knowing, possibly. One employee could accidentally leave off a very--an access control list, let's say. Could easily just forget to limit that control, or access to that system, to the IPs that they want to, and because of the way today, you can scan the Internet in literally minutes, that system will be found and probably compromised within a matter of minutes. It's easier to say it will be than just "probably."

Steve McGregory: [00:10:18:09] What we see is the same old, same old, happening over and over again. What we have here are a lot of opportunities in the security and in the cloud industry to simplify the solutions, remove some of the difficulty in this technology that we're putting together, and the opportunities for the security people is to reduce the noise and point to the areas where people need to focus. What I'm saying is that, instead of relying on people to be the primary point that's going to make a decision to make something safe, that system, or infrastructure, or software application, should be safe from the get-go.

Dave Bittner: [00:11:05:15] So when you say "simplify," take us through what you mean by that.

Steve McGregory: [00:11:09:12] Well, to me, technology is complicated to get started with. It's complex, it's hard for people to fully know enough about everything. So, we have to shift from expecting everyone to be focused on security. To be successful in doing that, we have to build products that don't require that. So bankers should focus on banking, accountants get to focus on accounting, but the security world, and the cybersecurity world, tends to expect, most of the time, that we train people to behave differently, right? And I don't think that that's possible. Humans are humans, and the products that we provide to the humans have to realize that humans can be swayed, or do something wrong, and they have to be resilient to that.

Dave Bittner: [00:11:58:16] That's Steve McGregory, from Ixia.

Dave Bittner: [00:12:03:01] For all the justified concern about foreign intelligence services' hacking, Tenable's CEO Amit Yoran thinks that sometimes attempts to blame state-sponsored espionage services for major data breaches can be a load of self-serving hooey. He's been blogging about recent testimony by some current and former CEOs before Congress, and he points out that a lot of the more spectacular data breaches of 2017 and before could have been prevented by some sensible application of digital hygiene.

Dave Bittner: [00:12:32:16] And finally, another security executive, Carbon Black's National Security Strategist Eric O'Neill, says we ought to stop calling people who break into enterprises "hackers," because he sees a pervasive pattern of such crime being enabled by espionage services. So we ask you, listeners, what should we call the people behind big-time cyber crime, pre-attribution? Hoods? Gonifs? Bad Guys? Black Hats? Maybe we can find something in the comic books. Hydra, anyone? We await your consensus.

Dave Bittner: [00:13:08:12] Time to share some new from our sponsor, Cylance. Cylance has integrated its artificially intelligent CylancePROTECT engine into VirusTotal. You'll know VirusTotal as the free online service that analyses files and URLs to identify viruses, worms, Trojans, and the other kinds of badness antivirus engines and website scanners pick up. Well, Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive, and the Internet a safer place. It's like public health for cyberspace; free tools and services help keep everyone's risk down.

Dave Bittner: [00:13:42:10] Cylance sees their predictive approach to security as a contribution to the fight against cyber attacks, and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit and look at their blog for more on their contribution to our online immune system. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:14:08:06] And joining me once again is Johannes Ullrich. He's from the SANS Technology Institute, and he's also the host of the ISC Stormcast podcast. Johannes, welcome back. Random numbers are an important part of cybersecurity, certainly cryptography. You wanted to touch on issues with weak random number generators today.

Johannes Ullrich: [00:14:26:11] Yes, thanks for having me again. Weak random number generators is just one of these issues that doesn't seem to go away, in particular, as we are talking about Internet-of-Things and small devices. The latest incarnation of this particular vulnerability was this ROCA vulnerability in these Infineon chips. So whenever you're doing encryption, you have to come up with good random keys, and the problem here is, in particular for the small devices, it's hard to come up with randomness.

Johannes Ullrich: [00:15:02:22] There are some services actually now, that provide entropy as a service, where you have a network service you can connect to, and you get random numbers from them. But, again, for the small devices, it's not really an option, because they don't have the connectivity to actually do that in a secure way. Because, again, that stream of random numbers has to be secured somehow, too. So it's really one of those catch-22s. Like I said, the ROCA vulnerability is where this came up recently. It also keeps coming up in wireless networks, and while the KRACK vulnerability wasn't directly related to random numbers, it was a very similar issue as with these group keys.

Johannes Ullrich: [00:15:43:14] When you have a wireless access point that needs to send messages to all of the clients connected to the wireless access point, it uses a proof key that's the same for all of these clients; but this key is created just as the access point loads up. And at that point in time, the access point of course hasn't done much, so again, there isn't much randomness. And that's another vulnerability that's also overlooked, where you have these devices that have to make up good random keys, but they don't really yet have enough random events to actually create them.

Dave Bittner: [00:16:22:24] What do you suppose is a good solution to this?

Johannes Ullrich: [00:16:26:07] One solution is to have some dedicated hardware in these devices that creates random keys - that has been done, in part. The access points, they're actually having the advantage of having radios in them. Radios actually make pretty good random number generators; if you think about it, sort of that radio noise that you have in the air. There are some potential issues with this, because an adversary that's close to the access point could send particular radio signals then, then bias this random number generator, but if this is done correctly, that's sort of how this, how this can be solved. You know, also, mobile devices often have radios in them that can be used.

Johannes Ullrich: [00:17:09:09] Another very simply random number generator is off the microphone, that you can use. But again, you have to be careful where you, where you collect the randomness from. You know, again, the sound in a room could be biased by an attacker.

Dave Bittner: [00:17:24:06] You have to get permission to use the microphone at all.

Johannes Ullrich: [00:17:27:22] Yes, and that's another thing. You have to get permission to use the microphone, so it couldn't really be done at the application level. It could be done by the operating system, probably; but I think these random number services are really an interesting option - in particular for Internet-of-Things devices that do not have, sort of, radios built in necessarily. Some older Linux kernels, they use network traffic, but that has turned out to be really easy to bias, and a bad idea to use network traffic sort of as is. The, the Linux network, the Linux random number generator actually has been audited by multiple organizations and is considered reasonably good, but again, it all depends on the underpinning hardware that's being used.

Dave Bittner: [00:18:17:09] All right. Johannes Ullrich, thanks for joining us.

Dave Bittner: [00:18:22:01] And that's The CyberWire. Thanks to all of our sponsors who make The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using Artificial Intelligence, visit

Dave Bittner: [00:18:34:01] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.