The CyberWire Daily Podcast 3.9.16
Ep 52 | 3.9.16

DPRK attempt on RoK rail ICS? Ransomware updates. US tax season cyber issues.


Dave Bittner: [00:00:03:18] South Korea accuses the North of more cyber espionage, this time against railroads. FireEye says it thinks advanced governments around the world may have built vulnerabilities into industrial control systems. Maybe, it could happen. Criminal gangs ramp up their use of ransomware and get more agile in distributing it. Tax season phishing rises, and the IRS seems to have another problem with knowledge-based authentication. And concerns about the Internet of Things persist; we hear from Accenture's Malek Ben Salem, who tells us about embedded device security.

Dave Bittner: [00:00:36:05] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at

Dave Bittner: [00:00:56:11] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, March 9th 2016.

Dave Bittner: [00:01:03:00] The Republic of Korea issues another complaint about North Korean cyber operations: an attempt to access South Korean railroad workers' email. The goal was unclear, but the DPRK is thought to have been out to compromise transportation control systems.

Dave Bittner: [00:01:17:06] This is an old-school approach to an attack on industrial control systems (although such old-school approaches to credential-harvesting can apparently work, witness the much-discussed attack on Ukraine's power grid back in December). But FireEye has raised a more disturbing possibility: the prospect that advanced cyber powers have already built latent vulnerabilities into industrial control systems with a view to holding them in reserve for future exploitation. As presented this is more a possibility than a conclusion based on specific evidence, and so should no doubt be partially discounted as FUD, but on the other hand it is a disturbing possibility.

Dave Bittner: [00:01:54:14] A study of the success ISIS continues to enjoy with respect to information operations, and in particular, with its messaging, suggests that the claim to control and govern territory is central to that success. The Institute for the Study of War sees a high degree of coordination in ISIS messaging, and given the Caliphate's concentration on inspiration, its relatively primitive technical cyber chops matter not a rap.

Dave Bittner: [00:02:18:14] IBM mulls the significance of JavaScript-based ransomware as seen in Ransom32. Attackers can use this approach to achieve significant infections without needing to reach the underlying operating systems. But the trend is disturbing in two respects. First, it constitutes a cross-platform threat; although Ransom32 has so far been observed only on Windows machines, that situation can't reasonably be expected to persist. Second, it's being offered as a service, and it can be used by criminals with only minimal technical ability, which suggests easy proliferation. And there will always be plenty of soft targets available for attack.

Dave Bittner: [00:02:55:06] One of the reasons the KeRanger Mac ransomware is attracting so much more attention than the damage it's done or the risk it poses would seem to merit is that KeRanger demonstrates the black market's turn toward platforms that had previously been immune to ransomware attacks. Or if not immune, then at least overlooked.

Dave Bittner: [00:03:12:13] Webroot's discussion of the trend toward polymorphic malware, inherently much more difficult to detect by legacy signature-based approaches, would also seem to bear out the growing sophistication of cyber criminals. It also suggests that the trend on the part of security vendors to offer detection based on behavior is probably well-founded on current threat realities.

Dave Bittner: [00:03:32:15] A study by Damballa shows other ways criminals are evading legacy detection techniques: the gangs are becoming increasingly mobile with respect to their infrastructure. Damballa found, in an eight-month study of Pony Loader malware, that the controllers used "281 domains and more than 120 IPs spread across 100 different ISPs."

Dave Bittner: [00:03:54:18] It's tax season in the US, and the news isn't particularly good. But then tax news rarely is good news, right? At any rate, the Internal Revenue Service sustained a major breach last year, and part of its attempt to make the victims whole was assigning them "Identity Protection PINs" to be used as an additional layer of security when filing tax returns. Unfortunately, the system that distributed the PINs has also been compromised, and the IRS has taken it offline. Some 800 stolen PINs have been used to file fraudulent returns.

Dave Bittner: [00:04:24:04] Phishing of companies for tax information also continues. Snapchat, Seagate, Mansueto Ventures, and Rightside have all been targeted.

Dave Bittner: [00:04:32:07] Point-of-sale malware remains a problem, particularly in the hospitality sector. Rosen Hotels and Resorts discloses that it's discovered a malware infection that has affected card processing over the past seventeen months. The Florida-based chain is notifying its customers.

Dave Bittner: [00:04:47:04] Yesterday was Patch Tuesday, and many major companies issued fixes to issues in their software. The list of those patching includes, of course, industry leader Microsoft, and also Google, Adobe, Mozilla, Facebook, and SAP. Admins face their customary busy time of the month, and observers have begun to wonder whether patching has begun to outgrow most enterprises', and even more so most users' ability to keep up with it.

Dave Bittner: [00:05:12:06] IBM says that its anticipated layoffs are by no means going to be as extensive as some companies interested in recruiting spooked IBM workers are leading people to believe.

Dave Bittner: [00:05:22:05] The Apple-Department of Justice dispute in the US continues to have fallout for parties not directly concerned. Despite Secretary of Defense Carter's strongly expressed support for strong encryption and equally strongly expressed aversion to backdoors, observers see Silicon Valley as still spooked by invitations to cooperate with the Department of Defense. It's worth noting that one of the other Five Eyes, Britain's GCHQ, has echoed the US NSA's similar position on encryption and backdoors; one watches for this declaration's effect on British industry.

Dave Bittner: [00:05:53:17] In the matter of the FBI's call for a Government OS to unlock the San Bernardino jihadist's iPhone, Apple has ramped up its PR offensive by claiming that acceding to the FBI's request would place much else at risk, including power grid control systems.

Dave Bittner: [00:06:08:09] The Department of Justice has appealed a related decision in a New York case in which the presiding magistrate rejected its request under the All Writs Act for similar assistance in unlocking a phone.

Dave Bittner: [00:06:18:16] And, finally, if you've ever wondered which US states distribute the most spam, Comodo will tell you what it sees as it blocks. Numbers One and Two are no surprise: they are, respectively, populous and coastal California and New York. But Number Three is in the heartland: Utah. Who knew?

Dave Bittner: [00:06:38:19] This CyberWire podcast is made possible by the generous support of Cylance, offering cybersecurity products and services that are redefining the standard for enterprise endpoint security. Learn more at

Dave Bittner: [00:06:58:14] Malek Ben Salem is the R&D Manager for security at Accenture Technology Labs, one of our academic and research partners. I know some of the research that you all are doing has to do with embedded device security and some of the unique challenges with embedded devices.

Malek Ben Salem: [00:07:12:13] Absolutely, as you know, especially with the advance of the Internet of Things, embedded devices are becoming increasingly connected. They're being deployed in remote areas where they're exposed to tampering by adversaries, and it's hard to protect them using the traditional mechanisms of protection that we rely on, where we assume that the adversary does not have physical access to the device. This is particularly important in the healthcare sector, so think about a hospital: anybody could go in pretty much, and they can go into any patient's room, they have access to the medical devices deployed there and, if they have a malicious intent, they may be able to modify what the medical device does and introduce significant damage to the patient.

Dave Bittner: [00:08:05:22] So if someone has an IV pump that's giving them some dose of medication, someone could alter that machine and cause serious trouble.

Malek Ben Salem: [00:08:13:24] Absolutely.

Dave Bittner: [00:08:15:08] Tell us about some of the work that you are doing in that area.

Malek Ben Salem: [00:08:18:00] In order to protect against those types of attacks and tampering with devices, we've partnered with Johns Hopkins University with their healthcare security institute, and we tried to come up with security mechanisms that would detect any tampering with the devices. It relies on profiling how a security device works in a particular mode, and we build a control flow graph that's dynamically built while that device is operating in that mode. Then in real time, we detect if the device starts behaving differently, you know, basically deviates from the profile that we built for that device and, if we detect such deviation, we can either alert the security administrator or, in emergency cases, we can stop the device from working. When we built our prototype, we were focused on an infusion pump, but you could apply this to pretty much any embedded security device.

Dave Bittner: [00:09:29:06] Malek Ben Salem from Accenture Labs, thanks for joining us.

Dave Bittner: [00:09:35:18] And that's the CyberWire. Later today, we'll be publishing another of our RSA special editions; this one covering emerging technologies. For links to all of today's stories, along with interviews, our glossary and more, visit The CyberWire podcast is produced by CyberPoint International. The editor is John Petrik. I'm Dave Bittner. Thanks for listening.