The CyberWire Daily Podcast 11.16.17
Ep 477 | 11.16.17

Revisions to the US VEP (and comparisons to China's). DPRK hacking. Laurel mole hunt. BlueBorne is back. Snakes in the Play Store. Can you sound like a child?


Dave Bittner: [00:00:00:00] A special thanks to all of our Patreon supporters at If the CyberWire is a valuable part of your day and helps you do the work you do, we hope you'll become a supporter. Check it out at Every little bit helps. Thanks.

Dave Bittner: [00:00:17:22] An update to the US Vulnerabilities Equities Process promises more transparency and accountability in handling zero-days; a look at China's equivalent doesn't. Worries about North Korean hacking. Mole hunting at Fort Meade. BlueBorne bugs in home assistants. More malware in Google Play. And how to get around that pesky voice recognition software.

Dave Bittner: [00:00:45:00] It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely; because that's what you want, actionable intelligence.

Dave Bittner: [00:01:20:19] Sign up for Recorded Future's Cyber Daily email, and every day you'll receive the top-trending indicators Recorded Future captures crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay a step or two ahead of the threat. Go to, to subscribe for free threat intelligence updates. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:54:13] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, November 16th, 2017.

Dave Bittner: [00:02:06:00] The US released publicly revisions to the Vulnerabilities Equities Process - VEP - the policy that governs when and under what circumstances US agencies will disclose zero-days they discover. This means the intelligence community, for the most part, especially NSA.

Dave Bittner: [00:02:23:10] The principal effects of yesterday's White House announcement, which has received generally positive reviews, are said by cybersecurity coordinator, Rob Joyce, to be greater transparency, more accountability and better stakeholder representation in the process.

Dave Bittner: [00:02:38:14] A large number of agencies are represented in the process. The intelligence community members aren't surprising; they're generally thought to collect zero-days and develop them into tools, or produce counter-measures against foreign organizations that might do so. And these include the Office of the Director of National Intelligence, the Department of Justice, the FBI, the National Security Agency, US Cyber Command, other Department of Defense agencies, and the Central Intelligence Agency.

Dave Bittner: [00:03:06:00] Other organizations represented in the process are less commonly thought of. The Office of Management and Budget, which represents the defense security interests of government systems; the Treasury Department, there for the banks; the Energy Department, looking out for the power grid; the Commerce Department, which is there to represent the private sector including tech companies; the State Department, which keeps foreign interests in mind; and the Department of Homeland Security, not only for the security of the domain, but for critical infrastructure generally.

Dave Bittner: [00:03:37:17] As noted, the response to the announcement has been generally positive, at least on the part of those one would expect to advocate for transparency and accountability. Both the Mozilla Foundation, which you'll associate with the Firefox browser, and the Center for Democracy and Technology's Freedom, Security and Technology Project were favorably impressed. They appreciated the role of non-IC agencies, and the promise of regular reports on the VEP.

Dave Bittner: [00:04:04:06] In fairness to the previous Administration, Joyce's predecessor as cyber czar, Mitch Daniels, had always insisted publicly that whole-of-nation equities were represented in the process and that the default was disclosure. And Joyce, in his discussion, said that the announcement represented continuity as much as it did change, and that the US Government really hadn't been in the business of stockpiling zero-days. But what those who applauded the announcements, like the Center for Democracy and Technology, found appealing was the public formal description of the process, which they regard as a significant advance in transparency and accountability.

Dave Bittner: [00:04:42:02] Past criticisms of the VEP have come from two sides. Some, suspicious of the potential for government overreach, thought the process too closed and likely to be too biased in favor of surveillance operations. Others were shocked by how leaky WannaCry and the Shadow Brokers showed highly secure agencies to be.

Dave Bittner: [00:05:01:14] On the other side of the issue, critics said that the VEP amounted to almost a kind of unilateral disarmament, and that in any case it was no part of Fort Meade's job to become a free quality control shop for the likes of Microsoft, Google and Apple. We shall see how the newly revised process plays out; but for now, the reviews seem good.

Dave Bittner: [00:05:22:22] So how does the competition do business? A report published this morning by Recorded Future took a look at how China manages its National Vulnerability Database. The researchers found that China's Ministry of State Security, the MSS, seems to call the shots in a fairly unchallenged way. As they put it in their executive summary, quote, "Recorded Future analysis has uncovered evidence of a formal vulnerability evaluation process at CNNVD," that's the National Vulnerability Database, "which high threat CVEs," Common Vulnerabilities and Exposures, "...are likely evaluated for their operational utility by the MSS before publication." End quote. The useful vulnerabilities are exploited then, while the State slow-rolls their disclosure.

Dave Bittner: [00:06:10:12] Turning to a country where there's little pretense to disclosure. Observers see a recent increase in North Korea's cyber operational tempo and think this could represent a possible indication that Pyongyang is preparing to wage a wider cyberwar.

Dave Bittner: [00:06:24:23] And of course, questions about leaks from NSA, mostly those peddled by the Shadow Brokers, are among the concerns that have produced controversy over the very notion of zero-day hoarding. Those leaks have also led to speculation about a mole, or moles, remaining on the payroll at Fort Meade.

Dave Bittner: [00:06:42:10] Kaspersky Lab, hardly a disinterested party, but not to be dismissed out of hand either, has released the results of an internal study that suggest the much-discussed NSA worker's laptop that was protected by Kaspersky software was in fact riddled with other malware, and that such malicious code, and not a Kaspersky security product, was the root cause of any compromise.

Dave Bittner: [00:07:05:07] This is unlikely to change many minds within the US Government over the expulsion of Kaspersky security products from federal systems.

Dave Bittner: [00:07:14:13] Targeted spear phishing attacks continue to grow in sophistication, taking advantage of the human factor to circumvent technical countermeasures. Roy Katmor is CEO at security firm enSilo, and he offers his views on social engineering.

Roy Katmor: [00:07:29:08] If you're looking at most of the attacks, they will start by a human intervention kind of triggering activity. There are similar malicious activities triggered by malvertising and what we call run-by malwares, but most of them, if you're looking at the major infections today, are triggered by a user interaction.

Dave Bittner: [00:07:50:16] And it seems like time and time again when these are described, that the HR Department seems to be a target. Can you take us through some of the types of attacks that people use when they're targeting HR?

Roy Katmor: [00:08:02:11] If you're looking into targeted phishing attacks as opposed to kind of just the spammers all over, you will find that the HR Department, and administration in general, are a fertile ground to be the target. And the reasons are very simple: making a very credible email is, is pretty simple when it comes to HR. I think that basically each and every company have their own public way of recruiting people. Recruiting is becoming a huge effort, especially in today's kind of ecosystem; and, and of course, their social media are becoming the best way to recruit fast, and spread the word.

Roy Katmor: [00:08:41:12] And by having some, it's going to be very easy for somebody to target an organization that is currently hiring, by sending a spear phishing email that will have the exact position, a résumé inside that could be, of course, include some kind of an exploited document encapsulated within a normal document with the right name, the right job application and, you know, overall it looks legit.

Dave Bittner: [00:09:07:06] Now, is this also an effective way for, for the bad guys to work around defense mechanisms that people might have in their corporate networks? I'm imagining, you know, if I'm trying to--pretending to try to recruit someone, I could say to that person, "Hey, I don't want to send this to you on your corporate email. Let me send it to you on your Gmail account." But then they may still download that attachment to a corporate computer. Yes?

Roy Katmor: [00:09:32:09] Very good point. Now think about that, you know, another point--so we mentioned why HR is such a nice target. So we said, first it's easy to sound credible, right? You've got the name, you've got the job, you've got the, you've got the, the entire relationship and, and social connections. That's one. And the second is, of course, the, the confidentiality around searching for a job. So a lot of people obviously don't want to use their corporate emails when they're applying for a job, or interested in listening to a job, and of course one of the first things to do is to get offline to a private email address. That makes it harder for, you know--one, if you have anti-spamming or other kind of filtering tools, it's going to work if you're going to go to your private. And obviously what the same thing is going to do that you're most likely going to work on the same device, which makes it easier to go through these filtering tools that are mail related.

Dave Bittner: [00:10:28:11] So what, what do you recommend? In terms of both policy and training, what are some of the best ways that companies can help prevent these sorts of things?

Roy Katmor: [00:10:36:06] So, three points. One, be aware. That's kind of education; make sure that you're getting the right intelligence from each and every one of them. Check their background. The second, patching. Keep your systems patched as much as you can. It may not help you in the first wave being patient zero, but it will definitely help you on the patient one in second, following waves that are going to come. And third, focus on the consequences. Where is your soft belly? What do you really need to protect against? Is it the infiltration, is it them being in? Or the consequences, the data related consequences that you need to prevent and protect in real time.

Dave Bittner: [00:11:16:02] That's Roy Katmor from enSilo.

Dave Bittner: [00:11:21:13] Armis Labs reports that Amazon Echo and Google Home are both susceptible to the Bluetooth vulnerability reported earlier this Fall as BlueBorne. Echo is vulnerable to remote code execution in the Linux kernel, and to information disclosure in the SDP server. Google Home has information leakage issues via Android's Bluetooth implementation. This bug can also be exploited to induce a denial-of-service condition.

Dave Bittner: [00:11:46:23] Google's Play Store has seen a wave of malicious apps that have succeeded in bypassing the safeguards Mountain View has put in place to protect the store. Dr.Web found a hidden browser that's used by hoods to goose their ad impressions. Malwarebytes discovered an SMS Trojan, targeted only at users in Asia, that subscribes them unwittingly and unwillingly to premium phone services. McAfee found over 140 applications infested with Grabos malware; which apparently serves a fraudulent pay-per-install app scam.

Dave Bittner: [00:12:18:10] Most of the apps infected by Grabos have been audio players or MP3 downloaders. And ESET has discovered some multi-stage evasive malware lurking in innocent-appearing apps. With all of these, the wall around the Play Store's walled garden is looking a lot like a chain-link fence; the snakes seem to be sliding right through.

Dave Bittner: [00:12:39:04] And finally, researchers at the University of Eastern Finland - which we think is close enough to the North Pole so that they should know a thing or two about how children sound when they talk to Santa Claus - report a way of defeating voice recognition software designed to keep known fraudsters from interacting with banks. The software amounts to a kind of blacklist, as in, we know that's you Harkonnen. You're not fooling anyone here, no sir. You've got to get up pretty early in the morning to put one over on us, et cetera. But you can get around those systems by making your voice sound like a little kid's. Like this.

Young Boy: [00:13:05:09] Alexa, please send me a Nintendo Switch.

Dave Bittner: [00:13:20:09] Well, the little guy's got a birthday coming up.

Dave Bittner: [00:13:26:11] Now I'd like to share some notes from our sponsor Cylance. We've been following WannaCry, Petya, NotPetya and other forms of destructive ransomware for months. Cylance would like you to know that they can prevent Petya-like ransomware from executing in your system, and they'd also like you to know that they've been doing that since October of 2015. How's that for getting ahead of the threat? Their success against NotPetya demonstrates the benefit of their temporal predictive advantage. Cylance Predicts stops both file and file-less malware. It runs silently in the background, and best of all, it doesn't suffer from the blind spots in legacy defenses that NotPetya exploited to such devastating effects.

Dave Bittner: [00:14:05:04] To learn more about CylancePROTECT and how it can defend your enterprise, head on over to and find out how their AI driven solution can predict and prevent the unknown unknowns from troubling you. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:14:26:18] And I'm pleased to be joined once again by David Dufour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back. You know, something we talk about a lot is the importance of communication between folks on the board and folks on the technical teams. You've got some advice for people who might not be so technically minded, who want to talk tech.

David Dufour: [00:14:47:09] Yes. First of all, thank you for having me back David. With Equifax having recently happened, you see a lot of times where, where boards or senior executives aren't as plugged in as they should be on what's going on in terms of cybersecurity and how to prevent it. And what I see a lot - you know, I'm, I'm kind of in the middle there - I see, a lot of times the security professional, or, or the person they've hired to bring in, is so technically focused, and they're going to walk into a company and say, "I need $20 million to make us secure," and, you know, the company just made $30 million in profit last year, so they're not about to spend 20 million of it on implementing a cybersecurity solution.

David Dufour: [00:15:31:19] So, what I'm trying to help people understand and be aware of - and it's very common, very basic things - is you've got to identify a person inside of an organization that can help put messaging together that resonates both up to the executives, where there's potentially a plan on, "We're going to need to spend 20 million, but if you give me one million I can get us this far; which moves us towards our goal." And then also be able to communicate down to that person who comes up with these ideas that, "Hey, we've got to, we've got to approach this in bite-sized chunks. What's the most effective way that we can tackle things early on to make the biggest splash, to ensure we're driving towards our security goal?" It's all about communicating.

Dave Bittner: [00:16:17:19] Well, isn't a large part of it as well about being able to put it in terms of risk?

David Dufour: [00:16:22:09] You have said a mouthful with that sentence. I spend a lot of time with small businesses, large enterprises; you know, I'll be speaking to an MSP group and they're like, "Well we need to set up a SOC, and we need to do analysis." And I say to them, you know, if you are working with a customer as an MSP that supports a welder in Central Oklahoma, they probably don't need a Security Operations Center. What they probably need are solid back-ups and a good antivirus solution to protect their environment. And if there is an incident, like ransomware, because they don't want to pay that ransom, all you've got to do is restore from the back-up.

David Dufour: [00:17:05:23] And if you're worried about data exfiltration at a welding shop in Central Oklahoma, you're probably over-analyzing the security threat; because unless they're doing some type of new, you know, protected, patented welding technology, there's probably a lot they don't need to worry about short of having good back-ups and having a basic security posture.

Dave Bittner: [00:17:27:02] David Dufour, thanks for joining us.

David Dufour: [00:17:29:04] Thank you, David.

Dave Bittner: [00:17:32:05] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible; especially to our sustaining sponsor, Cylance. To find out more about how Cylance can help protect you using Artificial Intelligence, head on over to

Dave Bittner: [00:17:46:07] A reminder that I am also the host of the Recorded Future podcast; the subject over there is threat intelligence. There's lots of good information over there, so we hope you'll check it out. It's

Interviewer: [00:17:58:18] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.