The CyberWire Daily Podcast 5.16.18
Ep 600 | 5.16.18

Spyware campaigns: phishing and watering holes. Signal patches (fast). DHS cyber strategy. Russian election hacking. Cyber Investing Summit. Do smart people pick better passwords?


Dave Bittner: [00:00:03:20] A spyware campaign centered on Pakistan comes in two variants: one for Android, the other for iOS. Vietnam is said to be phishing in a compromised Phnom Penh Post website. Signal patches a cross-site scripting issue very rapidly. The US Department of Homeland Security releases its cybersecurity strategy. The Cambridge Analytica whistleblower talks to the Senate Judiciary Committee. The Senate Intelligence Committee concludes that the Russians didn't like Hillary Clinton. Investigation of Vault 7 leaks continues. We've got notes from the Cyber Investing Summit. And if you're so smart, how come your password is "Ninja?"

Dave Bittner: [00:00:46:08] Time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's cyber daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want; actionable intelligence. So sign up for the cyber daily email where every day you'll receive the top trending indicators Recorded Future captures crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:04:10] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe. I'm Dave Bittner with your CyberWire summary for Wednesday, May 16th, 2018.

Dave Bittner: [00:02:16:23] Researchers at Lookout describe two extensive Pakistani cyber espionage campaigns: Stealth Mango, which targets Android devices, and Tangelo, which works against iOS. The targets were diplomatic, military, and governmental personnel in India, the UAE, and Afghanistan, with strong interest shown in collecting against Pakistani dissidents as well. Some Australian, US, and German officials were apparently swept up in the campaigns, thought to be run by Pakistan's military and using convincing spoof sites including bogus app stores, in conjunction with phishing to net the victims.

Dave Bittner: [00:02:56:18] A Vietnamese state-directed group has compromised Cambodia's Phnom Penh Post website to infect Vietnamese dissidents and Cambodian human rights activists with spyware. The watering hole was established shortly after ownership of the paper changed.

Dave Bittner: [00:03:13:02] Signal, the secure messaging app, gets high marks for quick response to responsible disclosure. Last Thursday, researchers told the app's developers about the cross-site scripting issue they'd found. Signal had a patch ready within about four hours of notification.

Dave Bittner: [00:03:30:13] The US Department of Homeland Security has released its long-anticipated strategy. The plan has these major goals: better risk identification; improved reduction of both threats and vulnerabilities; better attack mitigation; reduction of threats and vulnerabilities; mitigating the consequences of cyberattacks; developing infrastructure resilience and improving management of the Department's cyber portfolio.

Dave Bittner: [00:03:57:05] Cambridge Analytica and Facebook data scandal whistleblower Christopher Wylie is testifying before the US Senate Judiciary Committee today. He tweeted yesterday that Cambridge Analytica was "the canary in the coal mine," and that he hopes Facebook and others will be held accountable to users.

Dave Bittner: [00:04:16:11] The US Senate Intelligence Committee said today that they essentially concur with the Intelligence Community's assessment that Russian interference in the 2016 Presidential Campaign aimed to both "undermine public confidence in the US democratic process" and damage candidate Clinton's electability and potential presidency, eventually coming to express a preference for the rival Trump campaign.

Dave Bittner: [00:04:41:23] In other election-hacking related news, Google's corporate parent Alphabet will offer its Jigsaw distributed denial-of-service protection for free to political campaigns during this year's midterm elections.

Dave Bittner: [00:04:55:13] DDoS attacks themselves may be growing more difficult to defend against. Attackers are using a known vulnerability in the UPnP, Universal Plug and Play protocol to mount harder-to-track DDoS attacks. Researchers at security firm Imperva say the port-obfuscated amplification attacks are more stubborn because they render source IP and port information less reliable for traffic filtering. The attacks are thus harder to shut down.

Dave Bittner: [00:05:23:23] Joshua Schulte, a former CIA employee whom US Federal prosecutors suspect in the Vault 7 disclosure of CIA hacking tools to WikiLeaks, is being held in Manhattan on unrelated charges of storing child pornography. There's apparently insufficient evidence to charge him in the Vault 7 case, but he remains under investigation.

Dave Bittner: [00:05:46:23] If you do work with the US Federal Government or are a cleared contracting facility, you're likely aware of risk management framework compliance. Michelle Maitland is a Senior Cyber Security Analyst at SecureStrux and she joins us with the details.

Michelle Maitland: [00:06:02:15] So the government has been following this policy since about 2010 and it's basically a methodology for figuring out what type of data you have and how to protect your data, the different kind of settings and documentation in order to make sure your data is protected. There was a regulation that has started to roll out recently to commercial companies that work with the Federal Government and who are forced to follow this new framework. Therefore, it is a new policy for them, they are not used to having to follow this methodology, and it has given people a lot of heartburn, especially smaller businesses because this methodology tends to work really well for enterprise but it doesn't necessarily scale down to smaller companies very well. That is one of the big difficulties that people have had, especially for small businesses. One new process and two new processes seem to be overly complicated when you have 14 employees.

Dave Bittner: [00:06:59:01] Take us through exactly what's involved with this.

Michelle Maitland: [00:07:01:20] You figure out what type of data you are protecting and you walk through a couple of steps on how to do that. You essentially assign a series of important indicators of how to protect that data; it is called the CIA Triad: Confidentiality, Integrity, Availability. Confidentiality is what we're used to dealing with. Protecting my personal data and making sure that it doesn't fall into the wrong hands or protecting company data, making sure it doesn't fall into the wrong hands. Integrity is new to some businesses. It's making sure that data is protected from accidental or intentional modifications so banking industry, things like that, which deal with high integrity data all the time. Availability is making sure that you maintain access to the data in the event something happens, so hospitals and things like that. In the event they lose power, they are still going to need to have their systems up and running so that would be a high availability system.

Michelle Maitland: [00:07:57:08] Based on the type of data that you're protecting, you have different level indicators for each of these - high, medium, low essentially - based on those three indicators it walks you through the different requirements on how to document and protect that data.

Dave Bittner: [00:08:12:10] So for a small company who is trying to make their way through this, what are some of the challenges that they face?

Michelle Maitland: [00:08:17:14] Generally, most companies, you know, the people wear many, many hats. Security is one where it's seen as an overhead function - it doesn't necessarily make a profit unless you're in the business of doing security explicitly, so nobody really wants to spend and have a large budget on security, so most of the people that I work with are not IT people, they're not security people, they do other things in the company and they have to do this on the side. Not having that background and only doing it part-time when they have time to do it seems to be pretty much the greatest challenge I would think.

Dave Bittner: [00:08:50:08] So in terms of your advice, if people find themselves having to deal with this, what do you advise them for the best way to get going and make sure that they're in compliance?

Michelle Maitland: [00:09:00:13] Google essentially is your friend. There are a lot of resources out there that can help you step through the process if you get stuck. What seems to be the hardest thing, which the framework does not fully explain, is the action plan - I take the training but how do I do this? That is where outside sources can help you out through the process, so there are several help sites where you can take free training but if you go through and you follow the guide, it should walk you through things but you may need supplemental assistance. The internet has a treasure-trove of things to help walk you through. When you start a company, if you're actually doing it and you're in the weeds every day, you might not have the time necessarily to step back and think of the picture holistically, and I think that that is what the risk management framework does in general. It will focus you to step back and look at the bigger picture and help address any gaps that you may have missed in your normal day-to-day operation.

Dave Bittner: [00:10:00:18] That is Michelle Maitland from SecureStrux.

Dave Bittner: [00:10:05:08] The third annual Cyber Investing Summit was held yesterday in Lower Manhattan's financial district. Dave DeWalt, co-founder and CEO of Momentum Cyber and a managing director of AllegisCyber, delivered a keynote that set the terms of discussion by drawing the history of what he called the "perfect cyber storm." He traced that history since 2000, noting that 29 countries now have declared offensive cyber capabilities. 64, he said, have declared defensive capabilities, and these 64 at least probably also have unavowed offensive capabilities.

Dave Bittner: [00:10:41:24] As the storm has grown, so too has the cybersecurity market. Worth $3.2 billion in 2000, this year it's reached some $96.3 billion. DeWalt sees the biggest opportunities in that market where there are the biggest gaps: "drones and domes," the drone economy and the security infrastructure it will necessarily require, "industrial and IoT," which are increasingly pervasive, "social and satellite," with just a handful of companies specializing in social media security, and satellites assuming an increasingly bigger share of communications infrastructure, and "cloud and crypto," especially with respect to identity management and advanced cryptography.

Dave Bittner: [00:11:25:02] DeWalt emphasized that companies in this space must know their go-to-market window, always narrower and more fleeting than they assume. He advised investors to "look for management teams who can figure out go-to-market."

Dave Bittner: [00:11:40:01] The Summit also saw the release of the Cybersecurity 500 list. We'll have more notes on the Summit tomorrow and Friday. But it's worth noting what venture investors seemed to think were hot, and what left them cold. Data science is pretty hot, but endpoint protection and threat intelligence have cooled off.

Dave Bittner: [00:11:58:01] We also had an interesting conversation with Wells Fargo CISO Rich Baich. His team is making interesting use of cyber ranges in evaluating security products. Companies interested in selling to some of the bigger enterprises might well expect to have their wares put to realistic test on those ranges.

Dave Bittner: [00:12:16:16] And, finally, hey wise guy: if you're so smart, how come you aren't rich? Answer that one, umnitsa. It's an old question, first asked on the record of the Greek philosopher Thales, whose answer was that he could be rich if he wanted to, but that he just wasn't interested, and to prove he could do it he cornered the olive press market before a bumper crop came in. So there. He meant to be poor.

Dave Bittner: [00:12:42:06] But here's a less encouraging update, courtesy of Asia Pacific College in the Philippines: if you're so smart, how come you use such lousy passwords? Well, it turns out that, when you correlate percentages of compromised passwords with students' grade point averages, the honor student types didn't do significantly better than the students in the C-minus to D range. Everyone came in between around 12 and 20% compromised. Sure, the higher GPAs were at the higher end of that narrow range, but they're underachieving. The researchers call for a larger sample and a follow-on study to get more "definitive" results. Though, again, if you're so smart, how come you're still using a password that's listed in previous public breaches? Answer that one, Poindexter?

Dave Bittner: [00:13:34:03] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security; And we thank VMware for sponsoring our show.

Dave Bittner: [00:14:35:09] And joining me once again is Johannes Ullrich. He is the host of the Internet Storm Center Stormcast podcast. Johannes, welcome back. Certainly getting a lot of attention recently is this incident with the Efail. Bring us up-to-date here. What do we need to know about this?

Johannes Ullrich: [00:14:51:12] Efail is a really interesting vulnerability because it does show some of the risks that we take when we are sending HTML email. HTML emails may contain external resources like, for example, style sheets or images. This has always been problematic, whether or not you are using email encryption or not, however, one of the Efail vulnerabilities really takes advantage of these external includes. The way it works is an adversary has gotten a hold of an encrypted email that you received. The next thing the adversary needs to do is they need to decrypt it. Therefore, what they will do is they will take that encrypted email and make it part of an image tag, so what they are sending to you is an HTML email essentially with an image tag where the image tag is the encrypted email.

Johannes Ullrich: [00:15:43:12] The next thing that happens is your email client receives the email, decrypts the email, because you know the key for that email, and then it tries to download that image. However, the image name is now the decrypted content of your email so the attacker who runs the web server this image is supposedly hosted at, will receive the decrypted content of the email. Pretty interesting but tricky vulnerability - that vulnerability is really more a problem with how the mail client parses these encrypted emails, how they deal with external includes like images and such. The second vulnerability with Efail is the more severe one in a sense. It allows the attacker to modify an encrypted email.

Johannes Ullrich: [00:16:33:14] Now, typically with encryption, when you modify stuff that has been recognized as being altered, the way PGP and S/MIME in particular - actually S/MIME more so than PGP, implement their encryption, they are not very careful about the email being modified in transit, so now an attacker could actually inject that image tag into the encrypted part of the email. That would now cause data leakage no matter whether or not your email passes it. It is rather tricky but not all that difficult to pull off a method to have you decrypt the email and then send the response or the decrypted email back to the attacker.

Dave Bittner: [00:17:18:14] What is to be done right now to protect yourself against this?

Johannes Ullrich: [00:17:22:21] Since nobody really encrypts emails, I think what you really should do is you should configure your mail client to not load external resources. That is a bad idea no matter whether or not you encrypt emails or not. Lots are used for tracking. It can be used to modify the email after the fact. That is the first thing you should do. If you do use email encryption/decryption then you should configure it to not happen automatically, so you will be prompted, for example, for a passphrase so then you may make a decision on whether or not you actually want to decrypt the email. If you are more careful then just decrypt your emails offline. Save the email to a file and then decrypt it on the command line or in special software that you have to decrypt content. That way, again, you are preventing some of the data leakage.

Dave Bittner: [00:18:15:02] All right. Johannes Ullrich, thank you for joining us.

Johannes Ullrich: [00:18:17:17] Thank you.

Dave Bittner: [00:18:22:13] That is the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at

Dave Bittner: [00:18:50:21] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media with editor, John Petrik. Social media editor, Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.