The CyberWire Daily Podcast 5.29.18
Ep 608 | 5.29.18

Rebooting routers against VPNFilter. Canadian banks compromised? Cobalt gang is back. 51% attacks on blockchains. "Courvoisier" sentenced. NATO looks at Russia's weaponized jokes.


Dave Bittner: [00:00:03:17] The FBI says reboot your routers. Data extortion hits Canadian banks. The Cobalt Gang is back. 51% attacks fiddle with cryptocurrencies. The BackSwap banking Trojan is tough to detect. Coca-Cola discloses data theft by a former employee. Courvoisier, gets ten years, that's the hacker not the cognac. Facebook continues to work on it's content moderation, and Papua New Guinea may block the platform for a month of study. And NATO studies humor very seriously.

Dave Bittner: [00:00:42:02] And now some notes from our sponsor Cylance. You've heard a lot of warnings about Russian cyber operators and their threat to the power grid in the UK, North America and elsewhere. Ever wonder how they get in? Sure there's phishing and spear phishing, those can never be discounted. But here's a twist. Cylance has determined that one of their ways into the grid is through routers. They've found that the bears are using compromised core routers to hit government agencies and organizations in the energy, nuclear and commercial facilities, water, aviation and manufacturing sectors. That's a bigger haul than a fishnet could catch don't you think? Go to and check out their report on energetic DragonFly and DYMALLOY Bear 2.0. You'll find it interesting and edifying. That's And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:46:04] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at Data Tribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 29th, 2018.

Dave Bittner: [00:01:59:07] The FBI has issued a formal warning against VPNFilter, the Russia-linked campaign that's affecting routers. The Bureau advises everyone to reboot their routers. Their warning is short and to the point. "The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices". "Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware". So there you have it, direct from the Feds.

Dave Bittner: [00:02:42:11] In what appears to be an extortion attempt, pay up, or everybody gets to see your customers' data, two Canadian banks were hit by hackers over the weekend. The Bank of Montreal and the Simplii Financial direct banking brand of the Canadian Imperial Bank of Commerce are believed to have been affected. Some 90 thousand customers' data was apparently accessed by the attackers. The information exposed included both personal and financial information. In both cases the hackers contacted the banks Sunday and told them they'd stolen the data. The motive appears to be extortion; the hackers have threatened to release the date online. The affected banks are working with law enforcement agencies.

Dave Bittner: [00:03:27:05] The Cobalt gang is back at work despite its leaders arrest in Spain two months ago. Researchers at security firm Group-IB have found spearphishing emails from the thieves pretending to be alerts from Kaspersky Lab. Employees of Russian and and Eastern European banks are being targeted. The email is nicely, if bogusly, branded. It tells the victim that they've detected unspecified illicit activity from the victim's machine and it threatens the victim with actions that will be taken against their employer's online resources. If they don't click the link provided and explain themselves within forty-eight hours. Needless to say, clicking the link is not a good thing to do. It will install the CobInt Trojan.

Dave Bittner: [00:04:14:16] A wave of attacks hit Cryptocurrencies Verge, Monacoin and Bitcoin Gold last week, inflicting more than £20 million dollars in damages. The incidents are said to have been 51% attacks. In a 51% attack against a blockchain, the attackers are a miner or a group of miners who have obtained control of more than half of a network's mining hashrate. Doing so gives them ability to reverse transactions, and thus to double-spend coins. Motherboard notes that the attacks came shortly after the airing of an episode of the TV show Silicon Valley, in which the character's fictional cryptocurrency PiedPiperCoin not only flopped its ICO but sustained a 51% attack as well. This is either a coincidence, simultaneous invention, or inspiration, a case of life imitating art.

Dave Bittner: [00:05:08:22] SentryLink recently released their 2018 threat report, sharing the insides they've gained from their perspective as a major telecommunications company and provider of security services. Mike Benjamin is Senior Director of Threat Research at SentryLink.

Mike Benjamin: [00:05:24:06] The report that we developed looks broadly at threats across all categories. Goes beyond botnets and DDoS. And it really tries to break down the trends we've seen in terms of geographies in volume of attacks on the Internet. And, so we were able to track through it at 2017 a 195,000 threats per day. So, threatening hosts in the Internet that we tagged as malicious some manner. We saw them interacting with over 104 million unique victims. It's a pretty massive impact to the overall global Internet and it comes as no shock but it's important for everyone to be reminded that the top source of the malicious traffic was the United States and so a lot of folks tend to believe that the maliciousness comes from places with maybe less stringent laws and other things and it maybe that the people with their fingers on the keyboards were in those locations. The actual servers infrastructure endpoints doing the attacking, we saw coming from the United States as the top origination point.

Dave Bittner: [00:06:28:07] Was this surprising to you all or did this reflect the type of things that you track every day?

Mike Benjamin: [00:06:33:14] Yes, it was in line with the data that we've been collecting for a number of years. And so a very consistent where we see large economies with large infrastructures of available footprints and a lot of bandwidth to be able to support a reliable attack infrastructure so to speak.

Dave Bittner: [00:06:48:17] And in terms of trends from the reports, this is not your first year doing this report. Are you seeing any shifts, any evolution in the way that these are being spun up?

Mike Benjamin: [00:07:01:12] With the focus on IOT DDOS attacks this time, we're able to share quite a bit granularity invisibility into that threat area and what we saw from a trend perspective was actually a very interesting trend around which now were families were utilized. If you were to read what's going to publish and what people are sharing you'd see a lot based on the MIRA Malware. And, interesting enough we actually saw more comenic control of these botnets sourced on the Gaffget Malware. We found that it was in some cases easier for the malicious actors to deploy. Quicker for them to stand it up and of course as we worked to take them down and impact them, the actor has wasted less time standing it up before we forced them to go on and stand up another one.

Dave Bittner: [00:07:49:03] Now, in terms of people's ability to defend themselves against DDOS where do we stand with that? Is DDOS still the serious threat that it was in the past few years?

Mike Benjamin: [00:07:58:23] So yes and no. DDOS attacks and even a small scale can impact certain infrastructures. We tend to look at it both from our customer perspective as well as the Internet as an overall infrastructure. And we'd be happy to report that from the IOT botnet perspective the work we've done, along with a number of other partners to impact and track these botnets, they haven't grown to the scale that we've seen in the past in order to knock down critical parts of the Internet, as we saw in the multi Terabit attacks.

Mike Benjamin: [00:08:29:17] However, the sort of overall spectrum of DDOS attacks also includes spoofed attacks or reflected attacks. They may not be sourced from these particular botnet types. So we saw just recently the spring attacks that were based on the UDP reflection and amplification vector with memcached D. A number of people reasoned their lightweight caching service as part of their web app development they were left exposed to the Internet and they had a sizable amplification vector and we saw well over a Terabit attack launched through that vector, taking down 'Get Home'. And so, still a sizable impact to the Internet that can be sourced by DDOS attacks. But, we are happy to say that at least from the IOT DDOS botnet perspective we, along with the broader community, have been able to minimize the impact that that has had.

Dave Bittner: [00:09:17:04] That's Mike Benjamin from SentryLink.

Dave Bittner: [00:09:21:18] Security firm ESET warns of a new harder to detect banking Trojan 'Backswap'. It works entirely within the Windows graphical user interface and avoids the more usual browser process injection.

Dave Bittner: [00:09:37:01] Coca-Cola disclosed that it's sustained a data breach. A former employee took a hard drive containing about 8000 employees' records. The incident happened in September of 2017, but Coca-Cola delayed disclosure and notification of affected persons at the request of the law enforcement agencies who were investigating.

Dave Bittner: [00:09:58:06] Facebook continues to struggle with content moderation. Motherboard publishes guidelines the platform has given its content moderators on how to handle postings that feature alt-right appropriated cartoon character Pepe the Frog. Pepe in a SS-uniform? Nein, danke.

Dave Bittner: [00:10:18:06] Papua New Guinea is considering blocking Facebook access across the country as it looks into Facebook's reach, influence and operations, and tries to get a handle on the platform's possible use to disseminate fake news.

Dave Bittner: [00:10:33:03] Finally, did you hear the one about the NATO staff that looked into humor as a tool for information operations? They found it in the janitor's closet, it's a subversive buffer.

Dave Bittner: [00:10:45:03] Well, okay sorry that's a lousy punch line, but then we've just read the study and we weren't around for the research that was doubtless conducted at the Chuckle Hut in Riga the Latvian City where the Atlantic Alliances Strategic Communications Center of Excellence is located. We often have occasion to talk about information operations and humor is a subtopic whose time has come. So, take the Center of Excellence, please.

Dave Bittner: [00:11:13:03] When you're on the NATO staff every joke looks like aggression, incongruity or arousal-safety. Seriously, it's an interesting study but it's totally devoid of any actual jokes. And trust us, our joke desk has been through all 156 pages without a snort or a guffaw. Western readers unfamiliar with Russian TV might be surprised to learn of the Russian proclivity for situation comedy and late night talk show zingers. Not to mention the Uncle Vanya drive-time talk radio, but come on Riga, toss us a bone. The analytic framework is great, but hows about some laughs?

Dave Bittner: [00:11:50:12] This reminds us, as so many things do, of the history of philosophy. There's a long tradition of looking at jokes along the Baltic coast. It goes back to the great East Prussian Philosopher Immanuel Kant, who shared a bunch of groaners in the chapter on humor in his Critique of Judgment. Kant was so East Prussian that his hometown, Koenigsberg, is now the Russian city of Kaliningrad. Here's one of the knee-slappers Kant included in his book. So here's this guy who's hiring mourners to weep in a funeral procession, but they're not looking mournful enough and he's worried he won't get his money's worth of hired grief. So desperately, he says, "Look guys you've gotta cry more convincingly." He takes out his wallet and says, "Look here, I'll even up your fee," and hands over some additional cash. But, wait for it, that just makes the hired mourners happier and they can't hardly cry at all no more. Oh man, I'm dying here. That one gets me every time.

Dave Bittner: [00:12:55:04] So, see NATO? Be like Immanuel Kant. Don't let the joke gap get any yuger than it is. It's not that hard. It wouldn't kill you to toss a few knock knock jokes our way. It wouldn't break your budget and besides they'd arguably be more combat effective than an F-35. Just kidding, Air Force. In the meantime, we'll go back to watching Russian sitcoms.

Dave Bittner: [00:13:25:01] Time to take a moment to tell you about our sponsor Comodo. Here's the bad news. There is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless, that's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017. So, even at 99 percent, you're still a target for 1.2 million pieces of malware. If you do the math that's still over 3000 problems per day that current solutions cannot solve.

Dave Bittner: [00:13:56:08] Comodo doesn't settle for 99 percent and neither should you. They put those 3000 daily problems into a lightweight colonel level container where the malware's rendered useless. With Comodo's patented auto containment technology they bulletproof you down to our zero every time, solving the malware problem. So with Comodo you can say with confidence, I got 99 problems, but malware ain't one. Go to to learn more and get a free demo of the platform. That's We thank Comodo for sponsoring our show.

Dave Bittner: [00:14:40:16] And joining me once again is Ben Yelin, he's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. Interesting story we've got to talk about here today. This came up on Forbes. The title of the article is "Yes, cops are now opening iPhones with dead people's fingerprints."

Ben Yelin: [00:14:59:12] Yes, I have to admit I didn't realize this was possible until I saw this article. But, apparently there have been one or two instances where a potential perpetrator of a criminal act or in one case a terrorist act, has been killed in an incident and then in order to gain more information for an investigation, they try and use that dead person's fingerprint to unlock an iPhone. So, obviously that might not work in all cases, I'm not an expert in the decomposition of the human hand, so I don't know whether the fingerprint actually is going to be able to open the phone. I think in this case, they weren't really able to get any valuable information. But, it does present a really interesting legal problem. So, once you die you don't really, as a dead person, have any expectation of privacy. Your body might be interred but you don't have the same sort of sense of protection that you do when you're alive.

Dave Bittner: [00:15:54:08] Who owns the remains?

Ben Yelin: [00:15:55:18] So, a relative or the next of kin might claim that they sort of own the reigns of your identify but then from a legal sense in terms of fourth amendment jury prudence, that person is not entitled to make a privacy claim about a dead person. In terms of somebody else opening the phone, you also forfeit your legal expectation of privacy if you've allowed somebody to access a device. So, even if you have no anticipation that you're going to be part of a criminal investigation, part of a terrorist investigation, and you die, if you've given your wife access to your phone via her fingerprints or via some other method, you've also forfeited your expectation of privacy and you lose control of that information. You know it potentially could be problematic in a scenario where there is protected information on a phone, it's the protected information of somebody that's still alive, but it was a dead person who actually gained access to that phone and that information could be compromised.

Dave Bittner: [00:16:56:04] Well let me ask you this, so suppose on my deathbed, I say to my lovely and talented wife, "No matter what happens, don't let anyone get access to this phone, you have access to it, you know the pass code, but no matter what happens to me, don't let anyone access this phone and I have willed this phone to you." So, now I die, and now the phone is my lovely wife's property, go Ben, what happens now?

Ben Yelin: [00:17:22:22] I would take the phone if I were your wife. And, because she probably could assert her own interests in some of the data stored on her phone, I would make sure it doesn't get into the property of law enforcement, because if law enforcement got the phone and wanted to find incriminating information on you or your wife, I don't see how they would not have legal authorization to use your fingerprints.

Dave Bittner: [00:17:44:19] Because the phone used to belong to me.

Ben Yelin: [00:17:47:03] Yes.

Dave Bittner: [00:17:47:12] And that's their interest?

Ben Yelin: [00:17:48:17] Yes. Now, by taking possession of the phone your wife now has a property interest in that phone. I think it would be far more reasonable to expect the government to need to get some sort of a warrant to operate the phone, especially because your wife now has some sort of proprietary interest, her information might be on the phone. But, if there's some sort of terrible accident, your wife's not there, nobody knows about her interest in the phone, in terms of your privacy interests as a dead person, those have been forfeited the moment that you die. So, it's sort of an absurd attemulation of the third party doctrine forfeiting a reasonable expectation of privacy through, of course, this could be complicated but generally not your choice. Although in one of these circumstances, I think it was a suicide bombing. But, there's generally no privacy for the dead, which I think is an exact quote in this Forbes article.

Dave Bittner: [00:18:47:03] Yes, interesting. All right, Ben Yelin, as always, thanks for filling us in.

Ben Yelin: [00:18:51:10] Thank you.

Dave Bittner: [00:18:57:00] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:19:16:01] And thanks to our supporting sponsor VMWare, creators of Workspace ONE Intelligence. Learn more at The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:19:34:14] Our show is produced by Pratt Street Media, with editor John Petrik. Social Media editor, Jennifer Eiben. Technical Editor, Chris Russell. Executive Editor, Peter Kilpe and I'm Dave Bittner. Thanks for listening.