The CyberWire Daily Podcast 11.15.17
Ep 476 | 11.15.17

Hidden Cobra's RATs. IoT bugs. Patch Tuesday notes. Backdoored smartphones. Russian trolling, propaganda. DPRK short wave hacked?


Dave Bittner: [00:00:01:03] Why not make today the day that you support us on Patreon? Check out and find out how. Thanks.

Dave Bittner: [00:00:12:18] DHS and FBI warn that two North Korean malware campaigns are active in the wild. IoT vulnerabilities are disclosed - smartphones ship with apparently inadvertent backdoors. Patch Tuesday was a big one, this month. Russian trolls took both sides in the Brexit vote. A pro-tip from the squints: a screenshot from a video game isn't, you know, actually gun-camera footage. And North Korean shortwave gets hacked to play Eighties rock.

Dave Bittner: [00:00:44:05] Time for a message from the good folks over at Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyses the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at The CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it can help you too.

Dave Bittner: [00:01:17:09] Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:42:19] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, November 15th, 2017.

Dave Bittner: [00:01:52:12] Hidden Cobra, better known as the North Korean threat actor Lazarus Group, has been discovered distributing a remote administration tool to targets in the aerospace, finance, and telecommunications sectors. The US Department of Homeland Security - DHS - and the Federal Bureau of Investigation - the FBI - in their warning yesterday called the RAT "FALLCHILL." It appears to be an espionage tool.

Dave Bittner: [00:02:16:17] DHS and FBI also issued in a separate warning of a different North Korean bit of malware. This one, a Trojan called "Volgmer," is being distributed by spearphishing.

Dave Bittner: [00:02:28:08] Two Internet-of-things vulnerabilities have been disclosed. Cisco researchers report critical vulnerabilities in the widely used Foscam C1 Indoor HD Camera. Cisco disclosed the problems to Foscam, and Foscam has issued fixes.

Dave Bittner: [00:02:44:08] And security firm SEC Consult reports finding exploitable issues in older Siemens SICAM remote terminal unit modules. They're at the end of their life, and Siemens advises updating to newer versions.

Dave Bittner: [00:02:58:03] Smartphones from OnePlus - their models 5, 3, and 3T - appear to have shipped with backdoors. It occurs in the form of an "Engineer Mode" application that seems to have been a tool for development in factory testing. Such tools are common, but they're typically removed or disabled before the products ship. In this case, it appears to have been inadvertently left in place. It's not immediately obvious, but the backdoor can be found with a little bit of searching. OnePlus is preparing a fix.

Dave Bittner: [00:03:26:24] Most security experts who've commented seem to think that this particular issue isn't in itself a large problem - it is, of course, a less-than-large problem - but they see it as indicative of a certain carelessness about security and privacy at OnePlus. More generally, they see it as another example of the sort of flaw that crops up in firmware all the time.

Dave Bittner: [00:03:48:15] Orion Hindawi is co-founder and CEO of security company Tanium. The company recently hosted their annual Converge conference in San Francisco, bringing together customers and high-profile speakers for informational and educational sessions. I asked Mr. Hindawi what some of the takeaways were from the conference.

Orion Hindawi: [00:04:07:06] Within security, we've got a few challenges that in the last year have become very apparent, and within manageability we've got a few. So, you know, on the security side, a lot of our customers are much more concerned about destructive attack than they were even a year ago. So, you know, you think about a few years ago - probably, you know, before Sony - and what most people were concerned about was this opportunity for attackers to come in and take their data, and take their IP potentially, and use it to copy their products, or take their customer data and use that, sell it. And now, what I think a lot of our customers are becoming more and more concerned with is this idea that they potentially could be put out of business in one day. Because, if every asset that they have, every computer that they have, is no longer functional, in most of our customers at this point it would be existentially threatening to their business.

Orion Hindawi: [00:05:02:10] On the management side, I think we've got a real fundamental change that's happened in the last couple of years, which is that IoT did not used to be IT's problem. So, you know, you think about heart-rate monitors and all this stuff that is entered into enterprise, it used to be that that was a business line problem. And so if the business line was buying these things that were network-connected, they should really be thinking about how do you manage them.

Orion Hindawi: [00:05:26:10] And I think what's happened in the last couple of years is that there have been some botnet attacks that were very visible, but also IT has realized that that's--in some environments, the majority of assets on the network are becoming IoT, and that's only going to become more and more aggressive over time. And so I think from a manageability side, a lot of our customers are starting to realize that between Cloud, and Work-From-Home, and IoT, the vast majority of assets that they now have responsibility for didn't exist five years ago, or ten years ago. And so they've been forced to really change the way that they're doing manageability, at a basic level; like inventory, or patching or, you know, figuring out whether there are vulnerabilities present or, you know, doing software license management. All those things have to pretty dramatically adapt to that new world.

Dave Bittner: [00:06:19:10] Swinging back around to your Converge conference, you know, in this interconnected world, when it's easy to look up information and easy to watch videos online, or, or online seminars, why do you think it's still important for folks to get together face-to-face?

Orion Hindawi: [00:06:34:18] So what we've found, with our customers in particular, is that if they meet somebody who is a peer of theirs - and maybe it's over a beer - and they get a chance to really talk to them about how they're using our platform, what challenges they have in their environment, where they see their future from the standpoint of the challenges that they're seeing on the horizon, they can build trust.

Orion Hindawi: [00:06:58:19] And what we're finding is that as - especially within the same industry - people meet a bunch of their peers, when they have a question or they have a challenge, they're starting to call them, and really build a community that is organic. It's not something that we're curating, that we're trying to kind of turn into this well-curated environment, but instead something that's organic, and that they're building themselves. And so we've been trying to give them, like, our community site forums in which they can do this, but we do really think that bringing them together, showing them how we're looking at our platform, but also letting them interact with other people who are their peers, in a face-to-face setting, really is irreplaceable.

Orion Hindawi: [00:07:43:22] And, you know, I, I definitely have friends of mine in Silicon Valley who think that we're all going to be wearing HoloLenses, and that's going to be the future of human interaction; and they may be right. But today, I'm not sure that it's easy to replace that ability to just sit down at a table and chat about, you know, really something that if you look at many of our customers, has become integral to their ability to do basic manageability and security. And have them discuss what's working, what's not working, what advice they have for us, and really inform us on where we should be taking the company for the next year so that when they come back a year from now, many of the things that they wish we'd done, we were able to do.

Dave Bittner: [00:08:23:12] That's Orion Hindawi. He's the CEO at Tanium.

Dave Bittner: [00:08:28:07] Both Microsoft and Adobe issued a large number of patches yesterday. Microsoft's fifty-plus fixes includes some 20 that addressed Explorer and Edge critical browser issues. Adobe issued 80 patches affecting Flash Player, Photoshop, Connect, Acrobat and Reader, DNG Converter, InDesign, Digital Editions, Shockwave Player, and Experience Manager.

Dave Bittner: [00:08:51:12] The UK reports Russian trolling during the run-up to the Brexit vote. There was a lot of pro-Brexit chatter, but also a fair amount of Bremain support expressed from Russia. University researchers at Swansea and California tracked the activity and found that it included some "genuine commentators," but also a very large number of bots and what they called "cyborgs"; semi-automated bots that operate with a degree of human involvement. A different research team, this one from Oxford and City University, found much activity from 30 "highly automated" social media accounts in late June.

Dave Bittner: [00:09:27:01] An Atlantic Council expert told the Times of London that in his view the content is typical Russian troll factory output: As the Council's Ben Nimmo put it, “Pro-Russian, pro-Assad, pro-Ukraine rebels, anti-Clinton, anti-NATO, anti-White Helmets, anti-EU. The question is whether it’s pro-Kremlin or actually Kremlin-run. That’s something which only Twitter can answer definitively.”

Dave Bittner: [00:09:51:21] As has typically been the case with Russian information operations, the goal seems to have been inflammatory rather than programmatic. It didn't matter much whether Brexit or Bremain won, as long as the legacy of the vote was enduring mistrust and embittered partisan feeling.

Dave Bittner: [00:10:08:02] It's worth reminding ourselves that not all Russian information operations show comparable focus and discipline. The stuff that comes from the Ministry of Defense, as opposed to the intelligence and security organs, is frequently clumsy. Last week, the Russian Ministry of Defense published images and commentary which it claimed showed the US providing air cover to ISIS in Syria. The larger claim, of course, is that the US is playing a double game, and is complicit with Islamist terrorism.

Dave Bittner: [00:10:35:18] Implausible on the face of it, the MoD's claim was quite specific, claiming to show US coverage of an ISIS convoy fleeing the Syrian town of Abu Kamal on November 9th. But, as independent news organization and habitual Moscow gadfly Bellingcat pointed out, the screenshot displayed was in fact captured from the video game AC-130 Gunship Simulator: Special Ops Squadron. This was probably a goof, since the Russian MoD took the story down soon after exposure, but one wonders: Who's the audience? Are they likely to buy it anyway, at least for awhile? If your audience is gullible and their attention span short, AC-130 Gunship Simulator: Special Ops Squadron is good enough for the checkout line tabloid market.

Dave Bittner: [00:11:23:04] Finally, is North Korean Supreme Leader Kim Jong-un a fan of 80's soft rock? We're asking for a friend. Someone - apparently a hacktivist, but it's difficult to be sure - is also hacking around North Korean radio. They got into the feed of a DPRK short-wave station, regarded as a "numbers station" and occasional broadcaster of provocative Juche inspiration, and they played Europe's 1986 hit, "The Final Countdown." The American patriotic hacktivist "Jester" has been tweeting his approval of the unknown hacker. As Jester Actual puts it: "A god among us has hijacked 6400kHz and is playing the Final Countdown."

Dave Bittner: [00:12:04:14] We're wondering, because this sounds like a hack, but you never know. Supreme Leader Kim has been known to hang with Dennis Rodman, and once you've chilled with the Worm it's tough to know what to expect. Mr. Rodman has said that Mr. Kim like to listen to the themes to the movie Rocky and the TV show Dallas. No mention of Swedish rock. Still, it's not out of the question. And, Mr. Kim is also said to be into karaoke. Better mic than missiles, we say. Make karaoke, not kilotons, Mr. Kim; and may Mr. Rodman be a force for good in your life.

Dave Bittner: [00:12:43:15] Now I'd like to tell you about some research from our sponsor, Cylance. Good policy is informed by sound technical understanding - the cryptowars aren't over. Cylance would like to share some thoughts from ICIT on the surveillance state and censorship, and about the conundrum of censorship legislation. They've concluded that recent efforts by governments to weaken encryption, introduce exploitable vulnerabilities into applications, and develop nation-state dragnet surveillance programs, will do little to stymie the rise in terrorist attacks. These efforts will be a detriment to national security, and only further exhaust law enforcement resources, and obfuscate adversary communiqués with a massive cloud of noise.

Dave Bittner: [00:13:24:24] Backdoors for the good guys means backdoors for the bad guys, and it's next to impossible to keep the lone wolves from hearing the howling of the pack. Go to and take a look at their blog for reflections on surveillance, censorship, and security. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:13:49:08] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, welcome back. You know, Section 702 of the FISA Act - the Foreign Intelligence Surveillance Act - is getting ready to expire, and there are some legislators who have put forth some new legislation to perhaps take care of some of the items in 702. Can you just fill us in? What's going on here?

Ben Yelin: [00:14:13:21] Sure. So this law, which was enacted in 2008, and key details about it were uncovered with the Snowden disclosures in 2013. It's going to expire at the end of this year, on December 31st, so there is an effort to both renew the law and revise it. The Trump administration supports renewing the law in full, not making any changes to protect civil liberties, and members of Congress in both parties, I think, find that outcome to be unacceptable and are proposing a bunch of changes.

Ben Yelin: [00:14:45:17] So the program is designed to collect information from the communications of foreigners who are not located in the United States. The problem, of course, is that it ends up incidentally encapsulating the communications of many US persons, because if I'm making a call to somebody on a terrorist watch list, then that call is eligible for interception. And if I say something on that call that might implicate me in some kind of crime, the government can use that to arrest and prosecute me. And that's a warrantless search. I mean, it kind of runs afoul of our Fourth Amendment Principle, that you shouldn't be able to search my stuff, search my communications without some sort of warrant or prior authorization. And that's why opponents refer to this as a sort of backdoor search of US persons.

Ben Yelin: [00:15:34:08] The reform proposal that was passed by the House Judiciary Committee, and it was passed in a bipartisan manner, is it would require a search warrant to search records of US persons for evidence of a crime, or the, the commission of a crime. Now, civil liberties advocates, I think, are disappointed because it doesn't go further; it still allows warrantless searches of that information for other purposes, like for foreign intelligence purposes, or even to just do some investigatory work. There was an amendment proposed in the committee by a Democrat and a Republican that would have strengthened that provision to crack down on backdoor searches, and it was defeated, mostly because the House leadership said that the bill would not pass with that amendment included.

Ben Yelin: [00:16:21:24] So, I think there's a good chance that the House will pass that reform legislation. The Senate's bill is much weaker in terms of protecting civil liberties than the House's bill, and they're going to have to reconcile all of this by the end of the year. So, I think that's a major battle to watch out for.

Dave Bittner: [00:16:40:01] And what, what's your money on? Do you think 702 is merely going to expire, or will they renew it? Or will one of these new laws replace it?

Ben Yelin: [00:16:50:01] I think that the most likely option at this point is that the clock is going to run out because of the legislative backlog that Congress has, and they're going to force--be forced to do some sort of temporary renewal, maybe for six months, or for another year. I think there's enough disagreement in Congress about the particulars of a, of a reform bill that they wouldn't be able to get it done in the, you know, six remaining weeks that we have in 2017 - especially since Congress is only going to be in session for I think maybe three of those weeks. So I think it's mostly a, a time issue. I would guess at some point in 2018, we'll see something pretty similar to the House bill where there'll be a reform effort - better than the status quo, but not something that some of the civil liberties groups, like the Electronic Frontier Foundation or ACLU are going to be particularly enthralled with.

Dave Bittner: [00:17:39:17] All right. Ben Yelin, thanks for joining us.

Dave Bittner: [00:17:45:05] And that's The CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using Artificial Intelligence, visit

Dave Bittner: [00:18:02:10] Thanks to all of our supporters on Patreon. And if supporting us on Patreon is just beyond your means, well, we understand, but we hope you'll take the time to leave us a review on iTunes. It's another way you can help support the show, and it really does help people find us.

Dave Bittner: [00:18:16:07] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.