The CyberWire Daily Podcast 5.14.18
Ep 598 | 5.14.18

Unauthorized banking transfers in Mexico? A lifeline for ZTE. Iranian cyber op-tempo rises. Russian troll farm's ad buys. Reining in apps. Cell tracking. Anonymous is back.


Dave Bittner: [00:00:00:14] A quick reminder that there are several ways you can help support the CyberWire podcast. You can visit our Patreon page at, and find out how you can make a monthly contribution to our show. You can also visit iTunes, and leave a review and a rating for the CyberWire podcast. That's one of the best ways you can help new people find our show. Thanks so much.

Dave Bittner: [00:00:23:11] Mexican banks may have sustained unauthorized funds transfers. Presidents Trump and Xi seem willing to toss a lifeline to drowning ZTE. Some researchers report an uptick in Iranian cyber operations. Russia's premier troll farm bought Facebook and Instagram ads targeting American teenaged girls. Apple, Facebook, and Twitter tighten their grip on apps connected to their stores or services. Police cell-tracking receives scrutiny, and Anonymous is back.

Dave Bittner: [00:00:57:10] It's time for a message from our sponsor, Recorded Future. You've heard of Recorded Future, they're the real-time threat intelligence company. Their patented technology continuously analyzes the entire Web to give infosec analysts unmatched insight into emerging threats. We subscribe to, and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the Web, cyber news, targeted industries, thread actors, exploited vulnerabilities, malware, suspicious IP address, and much more. Subscribe today, and stay ahead of the cyber attacks. Go to and subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:04:15] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Monday, May 14th, 2018.

Dave Bittner: [00:02:16:06] At the end of last month there was an attempted raid on Mexico's banking transfer system. Mexico's central bank now says that it appears there may have indeed been successful unauthorized transfers through the country's interbank SPEI system.

Dave Bittner: [00:02:31:24] Three banks were initially said to have been affected: Banco del Bajio SA, Bancomext, and Grupo Financiero Banorte. Those three and two other financial institutions were asked to move to a backup connection to the central bank after experiencing difficulties connecting through SPEI, the country's interbank electronic transfer system. The attack seemed at the time of the initial announcement to have been contained as the banks shifted their connections to an alternative contingency system.

Dave Bittner: [00:03:03:12] Since then, however, more than 25 financial institutions have also moved to backup systems. Mexico's central bank says that it appears there may have indeed been unauthorized transfers through the country's interbank SPEI system. At least one bank experienced an incident last week. The story continues to develop.

Dave Bittner: [00:03:24:02] In a surprising development over the weekend, US President Trump seems willing to toss ZTE some sort of unspecified lifeline to keep them in business. ZTE has been subject to US sanctions that effectively barred it from using US software and components in its products. The company last week announced it had stopped its major operations. The US beef with ZTE centered on the company's flouting of sanctions imposed on Iran, and then lying about it. That's the offense that prompted the Commerce Department to impose sanctions.

Dave Bittner: [00:03:58:18] There had been other concerns about ZTE and its bigger sister, Huawei. Some of those concerns involved security. The Chinese companies had been widely viewed with suspicion by security analysts who thought them likely to operate closely with China's security and intelligence services. Those fears have been given recent voice in the US by Representative Adam Schiff, a Democrat of California and ranking member of the House Intelligence Committee. They're also figuring prominently in Australian debates over telecommunications service providers use of equipment from ZTE and Huawei. Australia had earlier blocked Huawei equipped undersea cable service over concerns about Chinese surveillance. This week sections of the Australian press are excoriating ZTE as corrupt, in the course of objecting to the possibility that the company will become a major player in 5G telephone service.

Dave Bittner: [00:04:54:03] The other issue surrounding the Chinese device manufacturers is economic. The US has long been concerned over Chinese IP theft, and the two countries have been at loggerheads over their respective shares of the coming 5G market.

Dave Bittner: [00:05:09:07] Returning to Iran, and heightened tension between that country and the US, security firm CrowdStrike says it's already discerned an increase in Iranian cyber operations against US targets. The company's researchers say they saw the uptick begin within 24 hours of the US announcement that it would withdraw from the Iran nuclear deal. Other observers are reporting a heightened interest in cryptocurrencies on the part of Iranians looking for some sort of cushion against conflict-driven austerity.

Dave Bittner: [00:05:38:24] Among Facebook and Instagram ads purchased by the Russian troll-farm Internet Research Agency were several promoting a problematic Chrome extension, FaceMusic. FaceMusic catered to several demographics but was most successful among American girls ages 14 to 17. The extension collected Facebook and web-browsing information. It also messaged the "friends" of those who installed it.

Dave Bittner: [00:06:04:22] Facebook's on-going review of data-collecting apps has resulted in suspension of about 200 of them. In Facebook's case the review has been prompted by widespread concerns over data harvesting and use by the now-defunct Cambridge Analytica. Apple, is also reviewing apps, but in that company's case it's a matter of cleaning its Store in preparation for GDPR. It's seeking out and purging apps that inappropriately gather information, especially in ways that will invite sanctions under GDPR, which takes effect in less than 2 weeks.

Dave Bittner: [00:06:37:08] Twitter is also tightening its grip on how it makes data available. The company announced late last year that User Streams, an API widely used by analytics and market research companies, would be deprecated this June. Over the weekend, one of the earliest Twitter analytics companies, Favstar, announced that it would shut down on June 19th. Favstar says that Twitter hasn't given it enough details about the Account Activity API, including enterprise pricing, and that "Favstar can't continue to operate in this environment of uncertainty."

Dave Bittner: [00:07:10:19] US Senator Ron Wyden, a Democrat from Oregon, is asking the FCC and telecommunications companies what they know about Securus, a service that enables law enforcement agencies to track cell phone locations. He's also told the Department of Homeland Security that he wants details on various unattributed Stingray phone trackers in Washington before he'll vote to confirm Christopher Krebs as Undersecretary of the National Programs and Protections Directorate.

Dave Bittner: [00:07:39:07] Anonymous is back in the news, twice.

Dave Bittner: [00:07:43:08] Russia's blocking of Telegram prompted self-described Anonymous hackers to deface websites belonging to the Federal Agency for International Cooperation. Among remarks denouncing censorship, the defacements called media regulator Roskomnadzor, "a handful of incompetent brainless worms." This seems unlikely to change many minds in Moscow, but commentators who dislike Russian censorship seem to like the moxie the message displays.

Dave Bittner: [00:08:11:05] Last Thursday in the US state of Ohio the FBI arrested one James Robinson, 32, from Akron. Mr. Robinson, who went by the nom de hack of "AkronPhoenix420," allegedly DDoSed the Akron Police Department and a city website. He associated himself with Anonymous, down to the Guy Fawkes mask, but apparently de-anonymized himself by connecting to his Twitter account from his home IP address. That Twitter timeline was filled with lots of Guy Fawkes goodness. And so OPSEC again runs afoul of the human drive to say, hey, look at me.

Dave Bittner: [00:08:55:03] Now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies, and contextual policies get you started. They'll help you move on to protecting applications, access management, and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's White Paper on A Comprehensive Approach to Security Across the Digital Workspace will take you through the details, and much more. You'll find it at See what Workspace ONE can do for your enterprise security. We thank VMware for sponsoring our show.

Dave Bittner: [00:09:56:09] I'm pleased to be joined once again by Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, we recently had the news that President Trump pulled the United States out of the Iran nuclear deal. What are we expecting here? Folks are on-guard when it comes to cyber attacks.

Justin Harvey: [00:10:15:03] We're definitely all hands on deck at this point. For right or wrong, agree or disagree, it does appear that the United States is going to be exiting the Iran Nuclear Agreement. I think that what we have seen historically is, when there are two nation states that are involved in a conflict there's always going to be some sort of espionage that accompanies that. And usually on the backs of some sort of negative action, or negative reaction, there is a propensity for the wounded nation to amp-up their espionage activities. And just like they've done it historically over the last few hundred years, or nations have done this over the last few hundred years, for regular human espionage, I think the same could be said for cyber espionage. I think that the levels of Iran state-sponsored cyber espionage, I wouldn't characterize them as all-time lows, but they've definitely been a lot quieter than they have been, particularly after Obama negotiated that agreement.

Justin Harvey: [00:11:21:22] Now that that agreement is being stripped, or at least the United States leaving, what incentive is there for Iran not to conduct their own operations, either for military purposes, to create that check and balance, perhaps with our critical infrastructure, in addition to retribution for not receiving the goods. Think about, for instance, the Boeing deal - Boeing is losing $20 billion worth of airplane sales to Iran. Iran may want to either retaliate, or they may want to conduct some espionage operations in order to further their own goals in the region commercially.

Dave Bittner: [00:12:02:07] Do you suspect that we'll see some testing from Iran? Will they be walking right up to that line, to see how far they can go?

Justin Harvey: [00:12:09:20] I think most nation states are doing that, they're really testing the waters to see where that red line is, if you will. Just how far can a nation push the United States until there's either a kinetic or a cyber counter-action. Because we live in a free society, it's very easy for us to see the other nation's point of view, and seeing that they are all wounded and that they have complaints. You never hear about our own US cyber command operations and other countries. It's kind of like, if you don't hear about the SEAL team, the SEAL team is doing their work. So, while I'm confident that cyber command has their operations under control, I do believe that we will start to see more and more Iranian-based cyber espionage, or cyber attacks.

Justin Harvey: [00:13:00:21] One other sub-bullet to that is, it may not always be readily obvious. What I mean by that is, we've also seen an uptick in nation states working through proxy groups. So, if I were a nation state, why would I want to attack critical infrastructure with either malware or tactics techniques and procedures that are associated with Iran? I would want to adopt another nation state and to conduct the same operation, so, if and when I did trip that red line, and the US said, uh-uh-uh, we got you, it's better to have the finger pointing at someone else than your own nation.

Dave Bittner: [00:13:38:08] Right. Well time will tell. Certainly something worth keeping an eye on. Justin Harvey, thanks for joining us.

Justin Harvey: [00:13:44:19] Thank you.

Dave Bittner: [00:13:49:16] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using artificial intelligence, visit Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And, thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at:

Dave Bittner: [00:14:18:19] Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is Threat Intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [00:14:46:09] The CyberWire podcast is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor, John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.