The CyberWire Daily Podcast 3.8.16
Ep 51 | 3.8.16

RSA retrospective. RoK accuses DPRK of hacking. KeRanger updates. Cyberwar investments.


Dave Bittner: [00:00:03:11] South Korea accuses the North of cyber espionage as tensions on the peninsula continue. A sophisticated bit of Android malware targets banks in Turkey, New Zealand, and Australia. Apple appears to have contained KeRanger ransomware, but ransomware continues to increase its criminal market share. Brazilian coders stay busy crafting cross-OS malware. That "cyber pathogen" the San Bernardino DA was worried about? Turns out to be nothing at all. Really - nothing. And the University of Maryland's Markus Rauschecker assesses the progress of social media companies in the struggle with ISIS.

Dave Bittner: [00:00:39:08] This CyberWire Podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at

Dave Bittner: [00:00:59:08] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, March 8th, 2016.

Dave Bittner: [00:01:05:20] As the US and South Korea conduct joint military exercises and shore up collaborative defenses against cyber threats, the Republic of Korea's National Intelligence Service accuses North Korea of a systematic campaign of hacking senior South Korean officials' smartphones. The objectives seem to be those of conventional espionage, but the incidents come at a difficult time of heightened sensitivity to Pyongyang's nuclear capabilities and aspirations.

Dave Bittner: [00:01:30:08] ESET reports a new and unusually sophisticated form of Android malware. Spy.Agent.SI is currently most active against banking targets in Turkey, New Zealand, and Australia. The malware poses as a version of Adobe Flash Player, which alone ought to be sufficient to put warier users on alert, and then locks an Android device's screen until the user enters the passcode, which, obviously, the malware goes on to steal. Android phones are widely used in two-factor authentication - come to think of it, one of our stringers uses his phone for practically nothing else - and it therefore seems that Spy.Agent.SI is being used to compromise two-factor authentication by capturing the authentication codes banks send out.

Dave Bittner: [00:02:12:19] In addition to being wary of things that pretend to be Adobe Flash Player, but ain't, another good way to protect yourself is not to download apps from places other than the Google Play Store. So far, at least, the impresarios of Spy.Agent.SI haven't been able to get themselves into Google Play.

Dave Bittner: [00:02:29:11] The post-mortem on the KeRanger Mac ransomware continues. Apple clapped a stopper over it relatively quickly after being tipped off by Palo Alto, and it's thought that only some seven thousand devices were affected. KeRanger takes a number of pages from the well-established Windows ransomware playbook: it offers a bogus tone of customer support, including a FAQ, along with its extortion instructions, and gives infected users a deadline for payment, in this case it appears to be 72 hours. KeRanger was distributed via a legitimate BitTorrent service, and it's still out there in the wild, so take care. Users should be aware that this ransomware won't cause a pop-up dialog box to appear, nor does it require root access to encrypt files. The best protection, experts say, is to run anti-virus protection on your Mac, and, as always, to regularly back up your files.

Dave Bittner: [00:03:19:00] Observers see KeRanger as confirmation of the increasingly important role ransomware plays in the criminal economy. And, of course, older, familiar, ransomware variants remain active. One new infestation is bothering users of the restaurant review service, Burrp. Visitors are directed to the Angler exploit kit, which in turn serves up a big helping of TeslaCrypt ransomware.

Dave Bittner: [00:03:40:12] Kaspersky notices a troubling development in Brazil. Black market coders are busily at work on cross-OS malware. It's being distributed as Java JAR executables that will function equally well on Windows, Mac OS, and Linux systems. Right now the proofs-of-criminal-concept are functioning as malware droppers, but Kaspersky researchers predict that we'll soon see full-fledged banking Trojans emerge from development.

Dave Bittner: [00:04:05:03] In patch news, Google issues two security fixes for Android Mediaserver. This makes more than two dozen patches for Mediaserver since the Stagefright vulnerability was disclosed in August of last year.

Dave Bittner: [00:04:16:08] In industry news, Secure Logic has acquired Computer Room Solutions for a reported $40 million.

Dave Bittner: [00:04:22:18] Analysts look at IBM's recent acquisition of Resilient Systems. They think Resilient's incident response system will give IBM the ability to compete against market leader FireEye, and that it will also give IBM an integrated, end-to-end security operation and incident response offering.

Dave Bittner: [00:04:38:21] The US cyber war against ISIS is widely expected to boost what the newspapers are inevitably calling "the cyber-industrial complex." Observers see in the Pentagon's plans a $7 billion "windfall" for cybersecurity companies and the big integrators with whom those companies work.

Dave Bittner: [00:04:55:15] A senior official of the UK's GCHQ considers the return on investment of the one billion pounds they've spent on cyber over the past five years and concludes that the return on investment has been disappointing. Reliance on cooperation and information sharing haven't worked, Alex Dewedney told RSA last week, and it might be time for what he calls a "more interventionist" policy.

Dave Bittner: [00:05:18:01] In the US, the Federal Trade Commission looks at what it considers a rising tide of identity theft and warns that it may consider heavier regulatory oversight of data security. The Federal Aviation Administration is working on cybersecurity regulations for aircraft manufacturers, and the Department of Health and Human Services is looking for healthcare professionals willing to serve on its healthcare cybersecurity panel.

Dave Bittner: [00:05:40:19] And finally, you may have heard some mention over the past few days of a devastating "dormant cyber pathogen" thought by some - or at least by the San Bernardino County District Attorney - to be lodged in the San Bernardino jihadist's phone. No one really knew what that meant, and the DA has "distanced" himself from the remark, although he has said it wasn't entirely fear-mongering. But the trade press isn't calling it fear-mongering. It's calling it hooey.

Dave Bittner: [00:06:09:09] This CyberWire Podcast is made possible by the generous support of Cylance, offering cybersecurity products and services that are redefining the standard for enterprise endpoint security. Learn more at

Dave Bittner: [00:06:29:03] I'm joined once again by Markus Rauschecker, from the University of Maryland's Center for Health and Homeland Security, they're one of our academic and research partners. Markus, Washington has tried to enlist Silicon Valley in the fight against, what they call, extremism, and Facebook and Twitter have responded by blocking or otherwise interdicting some accounts associated with ISIS. How effective do you think this is going to be?

Markus Rauschecker: [00:06:50:07] We all know that terror groups are using social media to conduct propaganda and also to recruit new members. It seems to be very effective for them to use social media to accomplish those goals, so we see companies like Facebook and Twitter shutting down those accounts that they see as threatening or promoting terrorist acts. Facebook and Twitter have done a fairly good job of this. Since 2015, Twitter has reportedly suspended over 125,000 accounts that use threatening language or promote terrorist acts. So we see Facebook and Twitter do a lot to try to get rid of those accounts that are used by terrorist groups, but, of course, it can be thought of as a game of whack-a-mole, where Twitter and Facebook will close down one account, but ten others will pop up spreading the same message as the one that was just shut down. So it's definitely a hard fight for Facebook and Twitter and other social media providers to try to shut down these accounts that terror groups are using, but it doesn't mean that Facebook and Twitter's actions aren't successful to a certain extent because whenever an account is shut down it does limit the messaging that some of these terror groups can put forth. So we're seeing Twitter and Facebook shutting down these accounts, which of course is a good thing, but we're also seeing that new accounts are popping up. So we'll see this continue on and on, but ultimately, I think, this is probably the extent of what Twitter and Facebook and other social media sites can do in terms of shutting down some of these social media accounts.

Dave Bittner: [00:08:29:20] And of course ISIS has put Facebook and Twitter on notice, saying that they can expect retaliation. Do you think that they should be worried about that. Up to now, ISIS hasn't exactly shown a whole lot of proficiency at hacking.

Markus Rauschecker: [00:08:42:20] What we see from ISIS, when it comes to cyber attacks, is usually some sort of attack on a social media account. We don't see any really sophisticated attacks, up to this point. But that isn't to say that they couldn't get that capability from somewhere else. They could purchase that capability, perhaps, or they could actually recruit some technical experts who would be able to conduct more sophisticated attacks. So it's important to stay vigilant, obviously, Facebook and Twitter have to keep vigilant against potential ISIS threats, but, at this point in time, it doesn't seem like Facebook and Twitter have too much to worry about.

Dave Bittner: [00:09:22:10] Markus Rauschecker, thanks for joining us.

Dave Bittner: [00:09:27:24] And that's the CyberWire. A special shout to Jason and Brian from the "Grumpy Old Geeks" Podcast for sending people our way, we appreciate it. For links to all of today's stories, along with interviews, our glossary, and more, visit The CyberWire podcast is produced by CyberPoint International. The editor is John Petrik. I'm Dave Bittner. Thanks for listening.