The CyberWire Daily Podcast 3.7.16
Ep 50 | 3.7.16

Looking back at RSA. "Transparent Tribe" and "Pawn Storm" expand target sets. Mac ransomware found, blocked. Apple's amici.


Dave Bittner: [00:00:03:12] Proofpoint finds "Transparent Tribe," an active cyber espionage campaign against Indian diplomatic targets. BlackEnergy's role in the Ukrainian grid hack still isn't fully explained. Pawn Storm spreads to Turkey. Ransomware hits Macs, but for now seems brushed aside. Apple collects more friends-in-the-court. And the University of Maryland's Jonathan Katz discusses what we need to know about SSL security in our web browsers.

Dave Bittner: [00:00:29:00] This CyberWire Podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats in malware. Learn more at

Dave Bittner: [00:00:49:04] I'm Dave Bittner in Baltimore with your CyberWire summary from Monday March 7, 2016.

Dave Bittner: [00:00:55:01] Proofpoint finds an active cyber espionage campaign targeting Indian diplomatic and military personnel. "Transparent Tribe," as they're calling it, seems most active against Indian missions to Saudi Arabia and Kazakhstan. Several Pakistani IP addresses are said to be involved in the campaign, which uses a mix of phishing and water hole attacks to distribute the MSIL/Crimson remote access Trojan. There's no attribution offered in the reports beyond the circumstantial implication of the Pakistani IP addresses.

Dave Bittner: [00:01:24:23] The correlation of BlackEnergy espionage malware with December's attacks on the power grid in Western Ukraine is well-known. But what causation might lie behind that correlation remains obscure. The likeliest link would still appear to be BlackEnergy's involvement in credential theft.

Dave Bittner: [00:01:41:04] Macs have so far enjoyed a degree of immunity to ransomware. No more. The legitimate BitTorrent application Transmission has become enmeshed in what appears to be the first ransomware campaign directed against Mac users. The strain is being called "KeRanger". Palo Alto Networks reported the attacks to Apple last week, and Apple took quiet steps at week's end to interdict the ransomware. Once those measures were in place, Palo Alto made a more general disclosure.

Dave Bittner: [00:02:07:19] Trend Micro has identified another new form of ransomware, "CERBER" . They say it speaks English - literally. It repeats "Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!" in a robotic female voice. But Anglophone or not, it's being sold as crimeware in the Russian underground. CERBER offers payment instructions in the form of images, which suggests its authors are taking a page from the old Reveton playbook. TrendLabs says CERBER looks easily configurable by criminal users, and thus that we can expect to be seeing more of it in the future.

Dave Bittner: [00:02:44:12] Observers marvel, with varying degrees of informed surprise, at last week's announcement by US Defense Secretary Ashton Carter that the Americans have offensive cyber weapons and intend to use them, at least against ISIS. In DoD descriptions that use has sounded a lot like jamming, adapted and updated for use against Internet-based command, control, and communications. Some of the worries are of the potential for collateral damage, but the comparisons to and contrasts with the early years of the nuclear age seem overheated.

Dave Bittner: [00:03:14:06] Apple draws more industry support in its dispute with the US FBI over unlocking the San Bernardino jihadist's iPhone. As tallied by Apple Press Info, seventeen amicus briefs and three letters to the court have been filed in sympathy with Apple's case.

Dave Bittner: [00:03:29:02] And you may have heard that the San Bernardino District Attorney weighed in last week on the side of the FBI, expressing his fears that the phone in question contained a "lying dormant cyber pathogen" designed to infect the county's networks. He's since clarified, Ars Technica reports, that it's a claim unconnected with any particular evidence. The DA would just like to be sure there's nothing to it.

Dave Bittner: [00:03:51:09] From time to time, we like to share new products that catch our eye here at the CyberWire. Packet monitoring can be an important part of protecting a network, but higher speeds and fatter pipes can make long term storage of packet data impractical. Savvius has launched a product called Vigil 2.0, which they tell us allows you to capture suspicious packets from before and after an alert. Jay Botelho is Director of Product Management at Savvius.

Jay Botelho: [00:04:14:24] Vigil knows what is suspicious based on - usually - systems that customers already have in place. So they have an intrusion detection system, or an intrusion prevention system, and they are looking for known threats. And what Vigil does is, Vigil monitors all of those alert feeds and, in addition, it is always capturing packets. So it has storage of packets. So when it sees an alert then Vigil goes into the buffer, extracts the packets that it's already saved around that conversation and then continues to save packets for that conversation for the configured period of time. That's one of the key elements is, you know, not only are we able to do it for a long period of time, but we're able to actually get the packets from before the alert was actually triggered. And that's quite important because there's just a lot of processing delay in these alerts. The alerts see something of importance, but by the time that processing is done, the real packets that caused the alert would have already gone by. But with Vigil, we've captured those so that we can go back and get that important data that was really the data that triggered the alert in the first place.

Dave Bittner: [00:05:23:14] There is more information about Vigil 2.0 at

Dave Bittner: [00:05:28:13] We'll be taking a look back at RSA this week. We'll have three special reports on the conference, beginning tomorrow, when we discuss what we heard about cyber threat intelligence. This will be followed later in the week with reports on emerging technologies and on trade and investment. In the meantime, see the links in the RSA section of our Daily News Brief for late-breaking announcements and retrospective takes on the conference.

Dave Bittner: [00:05:50:12] Finally, a hail and farewell to Ray Tomlinson, the "godfather of email," who passed away Saturday at the age of 74. Tomlinson implemented the first email program on ARPANET back in 1971, selecting the "at" sign to separate user from host. Our thanks to him, and our condolences to his family and friends. Remember Ray Tomlinson whenever you use the "at" symbol, and think of a life well led.

Dave Bittner: [00:06:17:05] This CyberWire Podcast is made possible by the generous support of Cylance, offering cybersecurity products and services that are redefining the standard for enterprise endpoint security. Learn more at

Dave Bittner: [00:06:37:07] Jonathan Katz joins me once again. He's the Professor of Computer Science at the University of Maryland and he's the Director the Maryland Cyber Security Center, they're one of our academic and research partners. Jonathan, SSL browsing, I think most people, when they see the little lock icon on their browser, they see that and they assume that they're safe. How accurate is that assumption?

Jonathan Katz: [00:06:55:16] It's a complicated question actually. The protocol itself at a high level is pretty secure, it’s been cryptographically vetted in various ways, and the components at a high level are now pretty well understood. The challenge with SSL is that there's this entire ecosystem around it and there are so many different points at which things could go wrong, unless you're completely sure about what's being implemented both on your browser, as well as what's being implemented on the other end on the server, and checking for this lock icon on your computer, you do run the risk that something can go wrong.

Dave Bittner: [00:07:31:02] So let's dig in a little bit on that. What kind of things can go wrong?

Jonathan Katz: [00:07:34:09] Well, just as an example, the SSL of protocol is supposed to ensure that you, the computer user, know for certain that you're speaking to the entity at the other end - let's say Google - and the fundamental piece of information that lets you verify that is an authenticated copy of Google's public key. So you have this entire public key infrastructure that's developed around making sure that you, the computer user, are able to obtain an authentic copy of Google's public key. One of the issues with that is that current browsers, shipped with these hard coated public keys for certification authorities, that are supposed to vouch for the validity of other people's public keys, like Google, but in reality, if you look at the set of verification authorities that are included in modern browsers, they include all kinds of companies from all kinds of countries, including outside the US, that we know really nothing about. We don't know anything about their security practices, we don't know how easy it would be to coerce them or bribe them to issue a fraudulent certificate. And ultimately, if they are able to be subverted in that way, and that you end up as the user getting an incorrect copy of Google's public key, then all bets are off and even the best protocol in the world won't protect you.

Dave Bittner: [00:08:48:06] Obviously, browsing securely is better than not, but how safe should we feel?

Jonathan Katz: [00:08:52:16] Well, I think that the modern browsers do a reasonably good job. They're very good also about fixing any flaws that are identified by security researchers. Like I mentioned earlier, the user does have to check and make sure that they're accessing a site by HTTPS and not by HTTP. The user, of course, also has to verify that they're accessing the site that they intended. A lot of phishing scams rely on just changing one character in the name of a well known website, and then, if you're not careful, and say you go to a website with G-zero-zero-g-l-e, rather than G-O-O-G-L-E, then you might be accessing a site and authenticating them and you believe that they're who they say they are, but in fact you're not authenticating to Google, you're authenticating to another company. But, I think overall, the average user is safe.

Dave Bittner: [00:09:36:10] Jonathan Katz, thanks for joining us.

Dave Bittner: [00:09:41:20] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit The CyberWire podcast is produced by CyberPoint International. The editor is John Petrik. I'm Dave Bittner. Thanks for listening.