The CyberWire Daily Podcast 1.22.18
Ep 519 | 1.22.18

Evrial and the Clipboard threat. SamSam ransomware recovery. Olympic hacking? Russian bots. Crime and punishment. Speculated origins of Bitcoin.


Dave Bittner: [00:00:00:18] Thanks again to all of our Patreon supporters. You can find out how you can become a supporter at

Dave Bittner: [00:00:11:08] The Evrial Trojan is interested in what's on your Windows Clipboard. The Healthcare sector continues it's struggle to recover from SamSam ransomware. People raise the possibility that Olympic timekeeping could be hacked. Russian trolls farms are barking at the US House Intelligence Committee and the Czech Presidential run-off election. Some notes on crime and possible punishment. And there are two new theories about Satoshi Nakamoto.

Dave Bittner: [00:00:41:11] It's time for a message from our sponsor Recorded future. You've heard of Recorded Future. They're the real-time threat intelligence company. They're patented technology continuously analyzes the entire web to give Infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to and subscribe for threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. It's and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:48:01] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, January 22nd, 2018.

Dave Bittner: [00:01:58:08] A new Trojan Evrial has been discovered. It can snoop through browser cookies and stored credentials which is unpleasant but not particularly novel when it comes to crimeware. But Evrial is different in that it also scans the contents of Windows clipboard and it not only scans but it can also identify and replace strings of interest in that clipboard. Criminals are using this functionality to replace strings with code that can redirect Bitcoin payments to their own wallets.

Dave Bittner: [00:02:26:20] MalwareHunter Team, one of the discoverers of Evrial, says that the code is being sold on Russian criminal fora for the low, low price of about $27. It's become a very popular offering in the criminal to criminal market. Why, one might ask is this useful in stealing Bitcoin? Here's why. Bitcoin addresses are difficult to type. They're complicated pieces of text. So the typical way people handle the addresses is to copy then paste them into the relevant app that's doing the sending. Since most people don't check their cutting and pasting, the impostor is likely to succeed.

Dave Bittner: [00:03:02:24] We've called the motive "Bitcoin Theft" but really Bitcoin stands for several other kinds of strings the crooks are interested in copying. Bleeping Computer in their useful account of Evrial, points out that the malware is configured to recognize strings that correspond to Bitcoin, Litecoin, Monero, WebMoney, Qiwi addresses and Stream items trade URLs. How Evrial is being distributed isn't clear yet. So the best advice out on protecting yourself is that old standby: practice good digital hygiene and be especially alert for phishing attempts.

Dave Bittner: [00:03:38:06] This month's wave of SamSam ransomware crests in the healthcare sector. Allscripts a leading electronic health record provider, continues it's recovery from the infestation disclosed last week. It's electronic prescriptions for controlled substances, EPCS for short, was restored Saturday. But other services remain only partially recovered. Allscripts is working closely with it's customers to bring their systems back on-line.

Dave Bittner: [00:04:09:03] Here's something to worry about, Olympic fans: in between the tear-jerking and inspirational stories of hardscrabble athletes and the obstacles they've overcome to reach the PyeongChang games, now you can wonder if all those wireless sensors that time bobsled runs to the hundredth of a second, are being manipulated by hackers to tilt the results one way or another. Or says an op-ed in USA Today by Betsey Cooper, executive director of the Center for Long Term Cybersecurity at the University of California-Berkeley. And it's used for bobsledding, but also Alpine skiing, speedskating, presumably luge and maybe skeleton too.

Dave Bittner: [00:04:46:23] Why would someone cheat like this? Well, to speculate, there's always national pride as a motive, not to mention the prospect of lucrative commercial endorsements post-games. But here's an obvious motive: why not just transpose anger at the Olympic Committee to an effort to discredit the whole process? It's happened with anti-doping doxing. So let the official timekeepers look to the security of their particular IoT. The games open on February 9th.

Dave Bittner: [00:05:14:23] Twitter continues to notify users that they've interacted with the bots from the Internet Research Agency, the now-famous St. Petersburg troll farm. This is part of Twitter's response to concerns about the platform's role in spreading fake news. If you know it's a bot, the thinking goes, you're less likely to credit what it's telling you. Twitter has pegged just over 3800 accounts as Internet Research Agency trolls and it's contacting people to let them know that they either followed or re-tweeted stuff from them. US Senator John Cornyn, Republican of Texas, is among those who received a notice and he's tweeted what they told him, with full approval, that social media are "finally, waking up to manipulation of public opinion by our adversaries."

Dave Bittner: [00:06:00:00] In any case, Russian bots show no sign of scuttling into the darkness to avoid the light being shined on them. In fact they appear to have shown a new flurry of activity over the weekend. Tweeting toward Washington, the bots called for the release of a FISA memorandum prepared by House Intelligence Committee staff. The memo said by the bots and others, to be "explosive" and perhaps good government would be served by it's release, but that's not what they're interested in around Moscow and St. Petersburg. The Committee Chair Representative, Devin Nunes, Republican of California, is being asked to release a classified memo on alleged FISA abuses.

Dave Bittner: [00:06:39:24] Social media trolling is also on the upswing in the Czech Republic as the Czechs conduct their presidential run-off elections, between challenger Jiri Drahos and incumbent Milos Zeman. Radio Liberty says the trolls have for the most part been snapping at Drahos with a wide mix of scurrilous and outlandish accusations.

Dave Bittner: [00:07:00:22] In news of cyber crime and punishment, we'll take College Cut-ups for 100, Alex. And the answer is "the former history professor at Adrian College accused of hacking the college president's and vice president's email accounts." The question is, "who is former Jeopardy champion Stephanie Jass?" Ms Jass, charged in December with "unauthorized access to a computer, program and network and using a computer to commit a crime," waived a preliminary examination and will appear for a pretrial hearing in Michigan on February 28th.

Dave Bittner: [00:07:34:13] There's also news of the Crackas With Attitude, those madcap hacktivists with a pro-Palestinian bent, who succeeded in compromising a lot of email accounts belonging to senior officials in the US Intelligence Community. The FBI popped two of the Stateside alleged conspirators back in 2016 - they're Californians - but the alleged British ringleader was British. Kane Gamble, the alleged Head Cracka, was also arrested in 2016, but he was in England. Mr. Gamble, who was only 15 years old at the time of his arrest, appeared in Leicester Crown Court last week and described how he was able to impersonate former US Director of Central Intelligence, John Brennan, to access highly classified information. Mr. Gamble's counsel argues that the defendant is on the autism spectrum and apparently they'll be offering a reduced capacity defense.

Dave Bittner: [00:08:26:18] Finally we turn to what may be the fever swamps of wild conspiracy theory, or are they? Sputnik News reports that Natalya Kaspersky, Eugene's ex and co-founder of their eponymous security company Kaspersky Lab, has said she knows who the real Satoshi Nakamoto is. He is, Ms Kaspersky says, no single person, but rather a crew of crypto experts working within the US Intelligence Community. They created Bitcoin as "dollar 2.0" she said, the better to advance the Five Eyes' interests around the world. Crazy, no? Or is it? Other people have a different theory from another part of the fever swamp, roughly that part that maintains that NASA Goldstone, is an entry portal for an underground network of caves used by Gray aliens. This theory holds that Satoshi isn't even human and that Bitcoin is the work of a rogue AI.

Dave Bittner: [00:09:23:17] So take your pick, it seems that Satoshi Nakamoto was either Jim Clapper or Skynet. Unless those are the same person! Come to think of it, we've never seen the two of them in the same place. But that's a coincidence, right? Or is it?

Dave Bittner: [00:09:50:06] And now a message from our sponsors at E8 Security, we've all heard a great deal about artificial intelligence and machine-learning in the security sector. And you might be forgiven if you've decided that maybe they're just the latest buzz words. Well, no thinking person believes in panaceas, but AI and machine-learning are a lot more than just empty talk. Machine-learning for one thing, is crucial to behavioral analytics. You can't recognize the anomalies until you know what the normal is and machines are great at that kind of base lining. For a guide to the reality and some insights into how these technologies can help you, go to and download E8's free white paper on the topic. It's a nuanced look at technologies that are both future promise and present payoff in terms of security. When you need to scale scarce human talent, AI and machine-learning are your go-to technologies. Find out more at E8 Security, follow the behavior, find the threat. And we thank E8 for sponsoring our show.

Dave Bittner: [00:10:57:03] And I'm pleased to be joined once again by Malek Ben Salem, she's the R&D Manager for Security at Accenture Technology Labs. Malek, welcome back. We wanted to talk today about some of the challenges when it comes to deploying some of these next generation crypto technologies.

Malek Ben Salem: [00:11:13:15] Yes, so there's a lot of talk about first quantum cryptography and the need for developing new quantum-safe crypto algorithms, crypto systems. NIST is working on that, their call for new algorithms, and so there's a lot of talk among the community and a lot of focus on developing those algorithms that are quantum-safe and full tolerant. But there's less discussion about the journey that it will take to deploy these algorithms once they exist. Once NIST publishes it's standards for those quantum crypto systems, how long would it take us to deploy this? I think based on prior crypto deployments, we can definitely assure that this will take a very long time. Probably a time by which quantum computers will be able to break a lot of the existing crypto systems that we have today.

Dave Bittner: [00:12:12:16] So when you say take a long time, what kind of timescale are we talking about?

Malek Ben Salem: [00:12:16:07] So it's hard to predict but, a recent study about deployment of HTTPS for example, just shows that we're not there yet. If you think about HTTP over a TLS that protocol, the TLS protocol has been out there since the late nineteen nineties. SSL has been published in the early nineteen nineties. But according to the study, only 69% of the top 100 websites do offer https and only roughly about 50% of them offer it by default. If you look at the top 1 million websites, that number drops down to probably half of that. So we have a long journey before we adopt these secure protocols.

[00:13:13:03] The same applies to DNSSEC, so DNS security extensions. In the early 1990s, Steve Bellivan identified a problem with the DNS protocol and there was an RFC published in the mid 1990s, but a recent study has also looked at the use of DNSSEC and they identified that it's still rather limited. For instance, while a lot of the big domains apply it, so over 90% of the top level domains or TLDs, and 47% of the country code TLDs, are DNSSEC enabled, the use of it is not deployed properly. A lot of these domains produce records that cannot be validated due to missing or incorrect records. So even if the technology exists, what I'd like to caution about is that we need to work on the processes to deploy the technology. We need to work on training the individuals deploying this technology. So it's really time to start building awareness about the change that needs to happen once we have these first quantum crypto algorithms and standards.

Dave Bittner: [00:14:39:13] And it's not a matter of if, it's a matter of when.

Malek Ben Salem: [00:14:42:04] Exactly.

Dave Bittner: [00:14:44:14] Alright good stuff as always. Malek Ben Salem, thanks for joining us.

Dave Bittner: [00:14:49:15] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can protect you through the use of artificial intelligence, visit And thanks to our supporting sponsor, E8 Security: follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:15:12:18] The CyberWire podcast is proudly produced in Maryland out of the Start Up Studios of DataTribe where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media with editor, John Petrik, Social media editor Jennifer Eiben, technical editor, Chris Russell, executive editor Peter Kilpe. I'm Dave Bittner. Thanks for listening.