The CyberWire Daily Podcast 3.26.18
Ep 563 | 3.26.18

Persona non grata, Ivan Ivanovich. Grid threat worries. Data scandal updates. Malware notes. Reaction to Iranian indictments. Alleged Carbanak kingpin collared.


Dave Bittner: [00:00:04:01] Sixty Russian diplomats are now persona non grata in the US. It's the largest retaliation so far for the Russian nerve agent attack in Salisbury, England. Fear of a Russian response against Western power grids remains high. Cambridge Analytica was raided over the weekend in the continuing Facebook data scandal. Facebook faces more difficulties over Android data collection. Notes on malware circulated in the wild. Iran objects to US indictments. And the alleged Carbanak "mastermind" is arrested in Spain.

Dave Bittner: [00:00:40:11] It's time for a message from our sponsor Recorded Future. You've heard of Recorded Future. They're the real time threat intelligence company. Their patented technology continuously analyzes the entire web, to give info sec analysts unmatched insights into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay ahead of the cyber attacks. Go to and subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. It's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:46:19] Major funding for the CyberWire podcast is provided by Cylance, from the CyberWire studios at DataTribe. I'm Dave Bittner with your CyberWire summary for Monday, March 26th, 2018.

Dave Bittner: [00:01:58:17] The US this morning expelled 60 Russian diplomats in response to Russia's nerve-agent assassination attempt in Salisbury, England. The UK had expelled 23 Russian diplomats last week. Other countries doing the same in solidarity with the UK include Germany, France, and Poland, expelling four diplomats each; Lithuania, with three expulsions and bans on visits from 44 Russian nationals; and Ukraine, with 13 Russians being declared persona non grata. Other NATO and European Union countries are expected to follow suit. The moves come during a period of heightened fears of cyberattack, especially Russian cyberattacks against vulnerable power grids.

Dave Bittner: [00:02:41:16] Enforcement officers from the UK's Information Commissioner's Office raided Cambridge Analytica's London headquarters late Friday night, tossing the place until three o'clock Saturday morning. Cambridge Analytica acting CEO Alexander Tayler, standing in for the suspended Alexander Nix, said the company believed the data they obtained had been gotten in accordance with both Facebook's terms of service and applicable data protection laws. He made this public statement: "I am sorry that, in 2014, SCL Elections, an affiliate of Cambridge Analytica, licensed Facebook data from a research company that had not received consent from respondents. The company believed the data had been obtained in line with Facebook’s terms of service and data protection laws. We are now undertaking an independent, third-party audit to verify that we do not hold any GSR data." GSR is the research firm that initially obtained the information. Tayler also said the whistleblower who was the source of the allegations against the company, Christopher Wylie, was no whistleblower at all, but a part-time contractor who worked for Cambridge Analytica for less than a year, and left in 2014.

Dave Bittner: [00:03:54:01] What the ICO officers found in their raid, if anything, is of course not yet known. The judge who issued the search warrant Friday is expected to explain his ruling this week. We do know that Cambridge Analytica and Facebook are in hot water in Chicago. Cook County, Illinois, charged them Friday with violations of Illinois anti-fraud laws for compromising users' privacy.

Dave Bittner: [00:04:17:20] Facebook disputes an Ars Technica report that Facebook indiscriminately collected Android data, including calls. The denial insists that in this case Facebook collected only data users gave it permission to collect. Ars Technica found that call logs were being collected and retained. The information collected is said to include numbers of contacts and the date, time, and duration of calls. Facebook's explanation is that "call and text history logging is part of an opt-in feature" for users of Messenger or Facebook Lite on Android. The company began to ask for explicit permission to access SMS and call data in 2016 after complaints that their previous way of obtaining opt-in was an "OK" button that approved "keeping all of your SMS messages in one place."

Dave Bittner: [00:05:06:15] Facebook has been clobbered in the market by the data scandal, losing, according to MarketWatch, $75 billion in market cap last week. For purposes of comparison, that's like losing a Raytheon plus two Booz Allens, which is a lot of market cap lost. Yesterday Facebook took out a big, full-page print ad in the Washington Post, the New York Times, the Wall Street Journal and six British papers. The ad apologizes for not better protecting users' data. Writing in the first-person singular, CEO Zuckerberg writes, "You may have heard about a quiz app built by a university researcher that leaked Facebook data of millions of people in 2014. This was a breach of trust, and I’m sorry we didn’t do more at the time. We’re now taking steps to make sure this doesn’t happen again." So, the company continues to frame the scandal as a relatively restricted app issue. Zuckerberg says, "Finally, we’ll remind you of which apps you’ve given access to your information, so you can shut off the ones you don’t want anymore," and he closes with a "Thank you for believing in this community. I promise to do better for you."

Dave Bittner: [00:06:16:19] It's worth noting that the ad ran in papers, that is, in dead-tree, legacy media. The irony is obvious, and the ad campaign has already prompted a Twitter hashtag: "# print is the new privacy app." Other, similar hashtags will surely follow. Here's one we suggest as officials consider election security: how about the hashtag "# paper is voting's killer app"? It's catchy, hm?

Dave Bittner: [00:06:41:23] Several relatively new strains of malware are being tracked in the wild. Here's a quick rundown. Late last week the gang behind the "Rapid" ransomware released version 2.0. It's little changed from the original, but with one significant alteration: it will not execute on a victim machine if it detects Russian locale settings. MalwareHunterTeam, which found Rapid 2.0, sees signs it may have been released prematurely. Its source code wasn't packed.

Dave Bittner: [00:07:09:18] MalwareHunterTeam has also described AVCrypt ransomware, remarkable for its attempt to uninstall security software before it begins encrypting files on a victim machine. It may be a wiper, since it offers no instructions for paying the ransom. And like Rapid 2.0, AVCrypt's source code also wasn't packed.

Dave Bittner: [00:07:29:11] "DiskWriter" or "UselessDisk" is a master boot record bootloader that Bleeping Computer thinks may also be a wiper, since the criminals leave no way of paying the $300 ransom they demand. Webroot reports that the TrickBot banking Trojan has received a new module that can lock an infected system to hold it for ransom.

Dave Bittner: [00:07:49:07] SophosLabs found six malicious apps in Google's Play Store. Five posed as QR readers, the sixth as a "smart compass." All have been reported and removed, but not before attracting half a million downloads.

Dave Bittner: [00:08:03:14] Trend Micro has found Monero cryptominers installed in Linux servers via an old vulnerability in the Cacti "Network Weathermap" plugin.

Dave Bittner: [00:08:13:01] Iran has expressed outrage over the US indictment of nine hackers working for the Mabna Institute. Their long-running cyberespionage campaign began by phishing universities, then pivoting to corporations and government agencies. Interestingly, universities in the US seem not particularly concerned about the campaign. The Chronicle of Higher Education reports that the academy seems blasé about the whole affair, regarding it apparently as more geopolitics than, well, IP theft that might affect spin-offs, and so forth.

Dave Bittner: [00:08:46:10] The alleged leader of the Carbanak financial-services hacking gang has been arrested in Spain, collared in a collaborative effort involving at least five nations. Europol was in on the bust, as were the FBI, and police in Spain, Belarus, Taiwan, and Romania. The gentleman's identity has not yet been made public; he's just being referred to as "leader," "mastermind," and so forth, but he'll no doubt receive his day in court, and then we'll all know. Europol thinks the arrest likely to amount to a decapitation of the gang. Ukrainian police also arrested one of the gang's principal developers, a resident of Kiev.

Dave Bittner: [00:09:29:06] And now a word from our sponsor, LookingGlass Cyber Solutions. An open letter from the malicious botnet on your network.

Dave Bittner: [00:09:39:08] So, here we are. It's just you and me at this godforsaken hour. You're looking right at me too. I'm on the second monitor to the left. Had you seen me, you would have realized I compromised computers in your organization, and they work for me now. Even if you had spotted me, your current process is too slow to catch me. You update your network rules sets once a week. I'll be in Cabo by then working on my tan. I love getting to know your company, by the way: your financial data, personal records. I've got a piece of unsolicited advice for you, check out what LookingGlass Cyber Solutions is doing. They've got some kick butt technology that thins off cyberthreats like me, data breaches, ransomware and stolen credentials in real time. Be a hero with the Looking Glass scout shield threat intelligence gateway. See the video at

Dave Bittner: [00:10:46:12] And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, welcome back. We wanted to talk today about risk management, specifically the way that people talk about cybersecurity risks and the effect that has on the industry. What can you share with us with this?

Daniel Prince: [00:11:04:24] So, for a very long time, I've been really interested in cybersecurity risk management, and that really stemmed from a lot of the work that I was doing around teaching this as part of the Master's degree, and then also a lot of the work that I was doing working with companies, and just observing the way that they all had different approaches to, not just the risk management systems that they had in place, but also the kinds of conversations they were having with each other. And so I just started then wondering, do we really have a really strong handle on what it means to have a really good cybersecurity risk management approach, that is robust for organizations, that really enables positive outcomes, rather than the slightly more defensive conversations that we typically have in this particular domain?

Dave Bittner: [00:12:00:08] And so what is your take on that? How are organizations doing well and falling short when it comes to their risk management?

Daniel Prince: [00:12:07:10] So I had an opportunity to work with a large, very large organization in the UK, as they established a new approach to cybersecurity within their organization. They were setting up a brand new organizational structure, specifically to deal with cybersecurity. And what was interesting is around how they actually did that. Unlike a lot of organizations where the cybersecurity function is rolled into, say for example, the IT function, or a specific risk function, their information security group was actually separate from all of that, but sat underneath the chief operating officer, and the chief information security officer had the same sort of status as the chief information officer.

Daniel Prince: [00:12:54:16] And what that really meant was, that unlike if, say for example, an information security group is part of the IT group, they could actually have sort of almost separate conversations. They could have much better advisory conversations, because they weren't then the ones responsible for implementing the security solutions, or marking whether they'd done the security solutions right. There was a completely separate sort of group within the organization. And that meant that the business unit owners could have, what I perceived to be, much more open and free communications with the information security group, because they could come in and say, well, here are the risks we think you have as part of your day to day business, and this is what we think you should do, but it's up to you to go away and make sure that you get that implemented as part of your operational risk approach, and commission those types of service from the internal security group. And they were having much more open and frank conversations around risk and what the hazards were to that particular business unit.

Daniel Prince: [00:14:00:08] And what I perceived was a much more positive response from those business units. Unlike where you do have, often times, information security groups as part of the IT group, where, you know, it's really somebody coming in and telling you what you should be doing, why you're doing it wrong, and then also being responsible for implementing that solution and then marking it. So it's a very, very different approach to have that separation, and I believe it to be a much more positive approach. And then from that, I started to ask questions around sort of consent within organizations. When you're trying to inform people about information security challenges, do you actually have the appropriate levels of consent with the people that you're talking to?

Daniel Prince: [00:14:47:12] And then I started to pull in ideas around the original concept of policing within the UK. So, Sir Robert Peel is sort of the father of policing in the UK. He established the first police force, and one of his key tenets of policing was, you cannot police unless you have the consent of the population. I started to ask questions around, do we really have the organizational structures and the risk management approaches to foster that consent and foster that permission for the information security teams to really be able to support the rest of the organization to deliver very positive security outcomes for the organization?

Dave Bittner: [00:15:29:22] That's fascinating, so rather than being adversarial, it sounds like this leads toward collaboration.

Daniel Prince: [00:15:36:00] Yeah, and I think that's one of my big things over the last 15 years: I firmly believe that cybersecurity is a business enabler. It's not a thing that you have to do to protect your business. If you do cybersecurity right, it's about being able to drive your organization forward in a much more positive way. And so, that fits with my overall ethos, that actually collaborating, rather than taking that adversarial approach, which seems to be a lot of the approaches that are out there at the moment, actually enables you to drive forward the organization in a positive way, rather than it's just a task that you have to do to kind of meet regulatory requirements.

Dave Bittner: [00:16:19:09] Daniel Prince, thanks for joining us.

Dave Bittner: [00:16:25:13] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you, through the use of Artificial Intelligence, visit And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:16:47:03] Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called "Security Huh?" I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks, where all the fine podcasts are listed, and check out the Recorded Future podcast, which I also host. The subject there is Threat Intelligence, and every week we talk to interesting people about timely cybersecurity topics.

Dave Bittner: [00:17:12:10] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, and executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.