The CyberWire Daily Podcast 3.4.16
Ep 49 | 3.4.16

RSA wraps up. Naikon disappears, BlackEnergy is scrutinized, and mobile threats get sophisticated.


Dave Bittner: [00:00:03:11] RSA has wrapped up. Researchers see increasingly sophisticated campaigns targeting mobile devices. More discussion of the Ukrainian grid hack. France's parliament moves to preempt The Apple FBI dispute from reappearing in France. And as healthcare threats rise, we learn about that sector's threat models from the University of Maryland's Markus Rauschecker.

Dave Bittner: [00:00:24:20] This podcast is made possible by the economic alliance of Greater Baltimore, helping Maryland lead the nation in Cyber security with a large, highly qualified workforce, 20,000 job openings, investment opportunities and proximity to key buyers. Learn more at

Dave Bittner: [00:00:44:22] I'm Dave Bittner, back in Baltimore with your CyberWire summary for Friday, March 4th, 2016.

Dave Bittner: [00:00:51:02] RSA wrapped up yesterday. We're working through the interviews we conducted and we'll be publishing several special retrospective reports on the conference's trends and tendencies next week. For today, we'll simply note that the Department of Justice seems to be occupying an increasingly lonely position in its dispute with Apple over the jihadist iPhone. Former senior officials from intelligence and homeland security agencies seem to be trending, perhaps surprisingly, toward team Apple. And even current senior officials from the US Department of Defense showed strong encryption, and with it, the commercial cyber security industry, a whole lot of love.

Dave Bittner: [00:01:26:04] Turning from RSA to the big world outside the Moscone Center, we see that Kaspersky reports that the "Naikon" threat group, active for more than a year in Southeast Asia, seems to have ceased operations, or at least dropped from sight.

Dave Bittner: [00:01:39:09] The US has taken an increasingly aggressive approach to ISIS in cyberspace. Senior US officials have repeatedly promised over the week that American cyber attacks will substantially degrade ISIS capabilities. ISIS appears to be earning money through various forms of currency manipulation. While this isn't exclusively being done online, it certainly touches the Internet at many points. One wonders whether the renewed US cyber offensive against ISIS communications, which according to several reports is having some effect, will eventually turn to interdiction of monetary remittance systems.

Dave Bittner: [00:02:12:04] The attack on Western Ukraine's power grid last December attracts further analysis. The attacks were apparently Russian, but whether state-sponsored, state-inspired, or freelance criminal remains up for dispute. Recorded Future compares its sources on BlackEnergy and related - or at least correlated - attack traffic. It notes that suspiciously small subnets seem to be an interesting indicator that there's something untoward going on. Tripwire also takes a look at the attack on the Ukrainian grid and draws a general lesson: most control systems, in power generation, power distribution, and elsewhere, would prove vulnerable to similar attacks.

Dave Bittner: [00:02:48:08] The Triada Trojan currently afflicting Android devices is, according to researchers at Kaspersky Labs, "as complex as any Windows malware." Kaspersky sees the growing complexity and sophistication of mobile malware as a reflection of criminals diverting their attention toward relatively poorly protected mobile systems. The researchers suggest that increasingly well-protected desktops and laptops may be driving criminals toward softer targets. But this is far from clear, and the phenomenon may well be over-determined. The dramatic increase in mobile usage would seem equally well accounted for on familiar Willie-Suttonesque grounds: you go after mobile devices because that's where the money is.

Dave Bittner: [00:03:29:10] Cisco updated its switches Wednesday. Among the fixes was removal of weak static credentials.

Dave Bittner: [00:03:35:09] In industry news, observers are struck by a growing degree of cooperation among companies one might normally expect to have a purely competitive relationship.

Dave Bittner: [00:03:43:24] In the continuing dispute between Apple and the FBI over Government OS, Apple has, as we've seen, picked up a surprisingly large number of partisans among former senior US intelligence and security officials. The Department of Justice is hanging tough, but it's occupying an increasingly lonely position. The French parliament, however, seems closer to team DoJ. The National Assembly is moving forward with legislation designed to punish companies who provide encryption that blocks, slows, or otherwise impedes police investigations.

Dave Bittner: [00:04:14:22] A party that's been quiet, so far, in public debate about the relative merits of the Apple and FBI cases, is NSA. Beyond its Director's recent encryption-friendly remarks, the agency has stayed on the sidelines. The Intercept speculates that NSA has four reasons for doing so: one, "the NSA tried to help, but it couldn’t," two, "the NSA could help, but doesn't want to," presumably for fear that helping would disclose capabilities it would prefer foreign governments remain unaware of, three, "the NSA isn't allowed to help," or finally, "the FBI doesn't want the NSA's help" - presumably because the Bureau would prefer setting a precedent.

Dave Bittner: [00:04:52:01] And, finally, another online dating site, the service is "Mate1," according to Motherboard, and they suffered a breach with a hacker selling twenty-seven million account passwords in a dark web black market. So far we've not seen reports of blackmail, but there are some technical, not-necessarily-adulterous similarities with Ashley Madison in the episode. Passwords were poorly constructed and protected, and the service itself was, reports say, a familiar kettle of catphish. Lovelorn boys and girls, beware. Especially you boys. Why do you fall for this stuff?

Dave Bittner: [00:05:28:22] This Podcast is made possible by the economic alliance of Greater Baltimore, helping Maryland lead the nation in cyber security with a large, highly qualified workforce, 20,000 job openings, investment opportunities and proximity to key buyers. Learn more at

Dave Bittner: [00:05:48:09] Joining me is Markus Rauschecker from the University of Maryland's Center for Health and Homeland Security. They're one of our academic and research partners. Markus, we hear a lot about safety and security in the healthcare industry, but there's been talk recently that those in healthcare are looking at the wrong threat model, that they're focused on the protection of patient data, rather than patient safety.

Markus Rauschecker: [00:06:07:04] I think everyone knows by now that the healthcare sector is a prime target for cyber attacks and they're very vulnerable. But now we're seeing that there's a real risk to overall patient healthcare because of all the medical devices that are being used to help patients, and these devices are connected to the network, so these devices that we're seeing are certainly very helpful in treating patients, but they're also very vulnerable. So there's a real risk there that these devices that are being used are going to be attacked and could ultimately harm the patient.

Dave Bittner: [00:06:43:03] So are you seeing healthcare providers responding to these recommendations?

Markus Rauschecker: [00:06:46:24] We're seeing that the healthcare industry is taking note of this issue and this risk. We are also seeing that others are trying to help the healthcare industry address this problem. The Food and Drug Administration, for example, recently came out with guidelines on protecting medical devices, and users of medical devices could turn to these guidelines and use them to help put forth a better risk strategy and to better protect the devices that they're using. Of course, the problem is that these guidelines are voluntary, so we'll have to just hope that the users of the medical devices will end up taking note of these guidelines and implementing them. We're also seeing that in the recent Cyber Security Act of 2015, while everyone talks about the information sharing aspect of that law, there was also a section in there that establishes a healthcare sector working group. This working group is going to be studying the problem in the healthcare sector when it comes to cyber security, and will hopefully put forth some guidelines and recommendations that the healthcare sector can use to improve its cyber security. Part of what the law also does is require that a voluntary framework, just like the framework that we've seen come out of NIST for this critical infrastructure sector, a voluntary framework will be created for the healthcare sector specifically, and this will also put forth standards, guidelines and best practices that should be implemented by the healthcare sector to really get a more comprehensive approach to cyber security within the sector.

Dave Bittner: [00:08:24:24] Markus Rauschecker, thanks for joining us.

Dave Bittner: [00:08:31:10] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit The CyberWire podcast is produced by CyberPoint International. The editor is John Petrik. I'm Dave Bittner. We're back from RSA today, of course, and we enjoyed the expo tremendously. The highlight for us was the opportunity to meet and chat with so many of our listeners and readers. Thanks for stopping by. And thanks to so many of the international members of the cyber community, so to all of you - from Seoul to Ottawa, via London, Cologne, and Tel Aviv - cheers, and as always, thanks for listening.