The CyberWire Daily Podcast 12.11.17
Ep 492 | 12.11.17

Al Qaeda tries its hand at inspiration. MoneyTaker cyber bank robbers. Dark web database holds a billion credentials. Bitcoin speculation and Bitcoin fraud.


Dave Bittner: [00:00:01:01] Just a quick note to let you know that most of our ad inventory for 2018 is already sold out, but we do have a few slots that just opened up. So if you have a product or service that you'd like to share with our audience of cybersecurity professionals and enthusiasts, reach out. Let's see if we can get you on our schedule. Check it out at:

Dave Bittner: [00:00:21:21] Al Qaeda works on ISIS-style inspiration. The MoneyTaker gang has been raiding banks quietly for about a year and a half. HP fixes an inadvertent keylogger in its laptops. 4iQ finds a huge database of aggregated credentials from many breaches for sale on the dark web. Bitcoin and other cryptocurrencies attract scams and hackers. Why? That's where the money is. An ICO scam artist is in the SEC's crosshairs, but they'll have to wait until Québec is through with him.

Dave Bittner: [00:00:56:11] Time for a message from our sponsor, the good folks over at Recorded Future. You've heard of Recorded Future - they're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web, to give infosec analysts unmatched insight into emerging threats. We subscribe to, and read their Cyber Daily. They do some of the heavy lifting in collection and analysis, that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay ahead of the cyber attacks. Go to: so subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:00:08] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, December 11th, 2017.

Dave Bittner: [00:02:09:16] Borrowing from the ISIS playbook, al Qaeda goes online as it seeks to inspire attacks in response to the US embassy's relocation to Jerusalem. So far such attacks have been less widespread than have been predicted, but there have been incidents in both Jerusalem and New York, and authorities are on alert. No successful hacktivism has so far been reported, beyond the minor website defacements noted Friday.

Dave Bittner: [00:02:34:07] Group-IB reports finding a Russian-speaking gang, "MoneyTaker," that's looted as much as $10 million from Russian and US banks. They've also hit targets in the UK. Russian institutions seem more heavily hit than banks in other countries. MoneyTaker has been active for about a year and a half, and it's concentrated on card processing systems, especially in Russia, and on the SWIFT money transfer system, especially in the US. Law firms and financial software vendors have also been targets. Among their tools are the familiar Citadel and Kronos Trojans.

Dave Bittner: [00:03:10:11] Some 460 models of HP laptops are found to contain a keylogger pre-installed with their Synaptics Touchpad driver. Affected models include the EliteBook, ProBook, Pavilion, and Envy series. HP has issued fixes for the devices, saying that neither HP nor Synaptics has received access to customer data through the bug. This indeed seems to be the case. ZwClose, the researcher who found and responsibly disclosed the problem, described HP's response as "terrifically fast." It appears that the keylogger was in origin a debug trace inadvertently left behind in the software. HP has a full list of the affected devices, and the steps you can take to fix them, at its Customer Support site: Search for Synaptics Touchpad Driver Potential and see their remediations.

Dave Bittner: [00:04:04:02] Dark web souks continue to draw researchers' attention. Some of the material found there is surprising. 4iQ reports that it's found a single file on the dark web that hosts 1.4 billion clear text credentials to various sites. It's an interactive, aggregated database that pulls together a lot of old, known breaches collected in the and AntiPublic credential dumps, as well as more than 100 other, newer breaches. The stuff is for sale, but 4iQ can't determine who the sellers are. Whoever they may be, they've set up Bitcoin and Dogecoin wallets to accept payment.

Dave Bittner: [00:04:42:03] Bitcoin continues its rapid rise in value and receives commensurate criminal attention. Fortinet reports observing a phishing campaign that pretends to be marketing the Bitcoin trading application "Gunbot." Gunbot is a real, if new, trading tool, but the payload the bogus emails deliver is the malicious Orcus RAT.

Dave Bittner: [00:05:01:11] SANS says it's seen adult-content spam email distributing a cryptocoin miner. The less said about which the better, and what are you doing opening mail like that, Internet Storm Center? The payload was carried in a zip archive named "See-my-triple-x-photo," something obviously calculated to contribute to the delinquency of a Bitcoin miner.

Dave Bittner: [00:05:27:20] It's not just phishbait and surreptitiously installed miners. Just as you can get a cheap knock-off Gucci purse on certain streets in New York and Washington, so too you can buy a knock-off Bitcoin wallet inside, shockingly enough, the walled garden of the Apple store. Buyer beware.

Dave Bittner: [00:05:45:23] We find we've had a lot to say about Bitcoin and other cryptocurrencies lately. It's worth noting, lest anyone come away with the wrong impression, that there's nothing inherently criminal or even shady about cryptocurrencies. So it's not that Bitcoin or other cryptocurrency is automatically by its very nature a cyber risk. Still less is blockchain technology itself riskier or more dangerous than anything else out there.

Dave Bittner: [00:06:10:17] Bitcoin futures themselves are now being traded on the CBOE, parent of the well-known Chicago Board Options Exchange, and the world's largest futures trading exchange. So that's surely legit, and even regulated by the Securities and Exchange Commission. CBOE opened these futures for trading yesterday - the ticker symbol is XBT - and the speculators are free to speculate away. Trading began yesterday at 5:00 PM US Central Time, and CBOE says the futures posted a "strong start."

Dave Bittner: [00:06:41:10] It's more a case of fresh meat drawing flies, and we're not talking about the kind of flame-broiled meat associated with the high-flying Russian cryptocurrency WhopperCoin, available at Burger King in the Arbat and elsewhere.

Dave Bittner: [00:06:54:13] There's clearly a lot of cryptocurrency speculation going on out there. Just look at the impressive rise of Bitcoin values; we see that this afternoon one Bitcoin is trading at about $16,000. And any speculative bubble will draw crooks and fraudsters. Just recall the dotcom boom of the late 1990s, when companies touching the then-novel e-commerce market drew very overheated speculation. Some of those companies are with us today, others have vanished, along with their corporate fitness centers, foosball tables, and stadium naming rights.

Dave Bittner: [00:07:28:15] There are also out-and-out con artists playing in the cryptocurrency space. One such conman, Dominic Lacroix, we've heard about before. He's the impresario behind that PlexCoin ICO the US Securities and Exchange Commission found objectionable. Monsieur Lacroix has been convicted of fraud in his native Québec, where a court handed him two months in prison and a fine of 10,000 loonies. Justice Marc Lesage said, "greed at the expense of investors who are promised unmatched interest rates remained the only goal of the defendants."

Dave Bittner: [00:08:03:16] Monsieur Lacroix isn't exactly flavor of the month either north or south of the border. The US SEC, you'll recall, last week froze his assets and told a Federal court in Manhattan that Lacroix's claims about PlexCoin were a bunch of hooey. US prosecutors will have their crack at him, probably, but only after he finishes the sabbatical Judge Lesage has just granted him. À bientôt, Monsieur Lacroix.

Dave Bittner: [00:08:31:00] Now I'd like to share a message from our sponsor, Nehemiah Security. Fellow cybersecurity leaders, when your CEO asks department heads for a status update, do you envy your colleagues, like the VP of Sales, or CFO, who only have to pull a report from a single system? Instead of deploying a team of people to check multiple systems, and then waiting for them to report back, do you wish you had a single place to get the information you need to communicate with the CEO? Nehemiah Security is here to put that power in the hands of the cybersecurity leader. It's time for a quick solution that allows you to go to one place to get the security information you need, quickly and in business terms your CEO can understand. Nehemiah Security gives cybersecurity leaders the ability to report cyber risk in terms of dollars and cents. Visit: to learn more and get a free customized demo, just for CyberWire listeners. Visit today. We thank Nehemiah Security for sponsoring our show.

Dave Bittner: [00:09:42:15] Joining me once again is Ben Yelin. He's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We saw a story about some legislation that's been introduced - it's the IoT Cybersecurity Improvement Act of 2017. What are we talking about here?

Ben Yelin: [00:09:59:24] So a group of bipartisan senators - it's always good to see bipartisan measures on subjects like this - introduced a bill, called the IoT Cybersecurity Improvement Act, and I think it's really a response to what we've seen in terms of cyberattacks in recent years, both on Government systems and on private systems, especially as it relates to the Internet of Things and other connected devices. The Bill would leverage the Government's buying power to set a basic level of security for these devices. So, for a Government contract, any vendor or any provider of a connected device would have to abide by stricter cybersecurity standards.

Ben Yelin: [00:10:43:21] I think there are pluses and minuses to this approach, from the perspective of manufacturers of these devices. It could be a decent selling point. It could be a good business practice for some of these producers, because if you are meeting some sort of Government standard, that can be an asset in explaining why your product is secure against cyber threats. But, of course, it could be a major cost and burden during the course of production. I think this article noted it would affect the time to market and usability for some of these products. Again, it's not mandating anything, per se, from manufacturers - it's just giving them an incentive to come up with stricter cybersecurity standards, if they want to contract with the Government. And, obviously, every company that manufactures one of these devices knows that the Government has immense buying power, particularly when we're talking about the Department of Defense, and some of our intelligence agencies.

Dave Bittner: [00:11:43:12] Could this be a matter where manufacturers could slap a sticker on their product that says it's compliant with this Act?

Ben Yelin: [00:11:51:00] I would hope the legislation is going to be strict enough. Obviously a lot of the specifics are going to be delegated to Federal agencies. My guess is that NIST would take a lead in helping to develop these standards. We would not want a situation where the Government is putting a rubber stamp on something when the product is not actually secure. We want this designation to have some sort of meaning, otherwise I think the law wouldn't be terribly effective. So I think, even if this legislation were to pass - and I think it has a decent chance of getting enacted - the legwork would be done at the administrative level, trying to figure out exactly what standards manufacturers would have to comply with.

Dave Bittner: [00:12:30:21] Ben Yelin, thanks for joining us.

Dave Bittner: [00:12:34:10] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using artificial intelligence, check out:

Dave Bittner: [00:12:47:01] The CyberWire podcast is proudly produced in Maryland, out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:12:56:23] Don't forget that I'm part of the security segment on the Grumpy Old Geeks podcast. You can find that wherever all the fine podcasts are hosted. And also, don't forget to check out the Recorded Future podcast - that's another one that I host. The topic over there is threat intelligence. We think it's worth your time, so check that one out as well.

Dave Bittner: [00:13:13:09] Our show is produced by Pratt Street Media. Our Editor is John Petrik. Social Media Editor is Jennifer Eiben. Technical Editor is Chris Russell. Executive Editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.