The CyberWire Daily Podcast 6.20.18
Ep 624 | 6.20.18

Satellite communications suffer from Thrip(s). Zacinlo rootkit poses as a VPN. Insecure Firebase apps. EU copyright legislation. Kardon Loader. Bithumb robbed. #Opicarus2018. Bitcoin Baron jailed.


Dave Bittner: [00:00:00:09] Hey everybody, just a quick reminder that our new Hacking Humans podcast will be dropping a new episode tomorrow, that's Thursday. We will be running those on this feed through the end of June and, after that, it will be available on its own feed, so you might want to go over there right now and subscribe to Hacking Humans, wherever you subscribe to podcasts, that way. When it drops from this feed you will still get all the new episodes. Thanks very much.

Dave Bittner: [00:00:29:01] Chinese espionage group Thrip targets satellite communications operators and others in the US and Southeast Asia. Zacinlo rootkit hides inside a bogus VPN. Developers are leaving Firebase apps insecure. The EU's controversial copyright regulation advances from committee. Kardon Loader malware is in beta. Anonymous is back with Opicarus2018. And the Bitcoin Baron goes to jail.

Dave Bittner: [00:01:03:05] Now a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest paper entitled More Is Not More. Busting the myth that more threat intel feeds lead to better security. It's a common misconception that a large quantity of threat intelligence feeds leads to more effective security. Unfortunately, threat feed overindulgence can lead to confusion, disorganization and inaccurate threat reports. Instead of adding more threat intel feeds, you should incorporate the feeds that provide the most value to your company's security operations. Find the paper or to register for a free ThreatConnect account, visit And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:02:21:17] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 20th, 2018.

Dave Bittner: [00:02:35:05] Symantec reported late yesterday its discovery of an extensive Chinese cyberespionage campaign targeting US and Southeast Asian satellite operators, telecommunications companies, and defense contractors. The researchers attribute the activity to Thrip, a Chinese threat group Symantec has tracked for the past five years. The infection of satellite communications systems was particularly noteworthy and troubling: much of the world's communications passes through communications satellites. The campaign's goal is interception of military and civilian communications. Symantec has notified the appropriate US authorities.

Dave Bittner: [00:03:16:24] According to Bitdefender, the Zacinlo rootkit is out in renewed form. This time concealed within a malicious VPN product, S5Mark. It affects Windows 10 machines, capturing screenshots and other data and reporting them back to its criminal controllers.

Dave Bittner: [00:03:36:08] Developers' failure to secure Google Firebase apps has resulted in more than three-thousand leaky apps. Appthority says more than one-hundred-million records have been exposed by inattentive development. In fairness to the developers, Firebase is among the most popular, widely used backend database technologies for mobile applications. Unfortunately, Firebase doesn't secure user data by default. Instead, developers must themselves secure their tables and rows of data. This is the sort of thing that gets overlooked, and so Firebase is an attractive place for attackers to come in search of unsecured data.

Dave Bittner: [00:04:17:14] In another instance of black markets behaving like legitimate markets, the proprietor of the Kardon Loader, whose nom-de-hack is "Yattaze," is soliciting beta-testing for their malware. Researchers at Arbor’s Security Engineering & Response Team, that's ASERT, say Kardon Loader allows users to build their own botshop, with potential for resale on the criminal-to-criminal market. Kardon remains a work in progress, but it will bear watching.

Dave Bittner: [00:04:46:05] The European Parliament passed a new copyright regulation out of committee. To call it controversial is an understatement. Critics—and the critics include coders, users, big tech firms, and Internet pioneers—well, they say it will turn the Internet into a surveillance and control tool. Particularly objectionable to critics are articles eleven and thirteen. Article 11 established a "neighboring right" for press companies that would require companies like Google and Microsoft to pay those publishers for displaying news snippets. Laws similar to Article 11 in Spain led Google News to exit the Spanish market. Article 13 established mandatory upload filtering that would require platforms to install filters that would block users from uploading copyrighted material without a license to display content. There's no sign of any mitigating fair-use reservation. If there's rent-seeking going on here, as there may well be, it would appear to be on behalf of big publishing houses. Critics note that the law would have a stifling effect on much Internet discourse. This is easiest to see in the case of memes, but it would have more widespread effects as well.

Dave Bittner: [00:06:00:00] Passing from committee is a first step, so this isn't EU law yet. It will have to be negotiated through the EU members' national authorities, and the law's opponents are unlikely to make that an easy process.

Dave Bittner: [00:06:13:05] News broke yesterday of reported sabotage by an insider at Tesla with an email to employees from CEO Elon Musk stating that the employee had made changes to the code in manufacturing systems and had sent highly sensitive data to unknown third parties. Musk wrote, "His motivation is that he wanted a promotion that he did not receive. In light of these actions, not promoting him was definitely the right move." So how do these revelations affect Tesla from a risk perspective? We checked in with Chris Pierson, CEO of Binary Sun Cyber Risk Advisors for his take on the matter.

Chris Pierson: [00:06:51:20] The risks here are actually quite interesting. I mean, first of all they're dealing with an intellectual property risk. The theft of potentially intellectual property from them could not only serve to fuel other competitors globally or, like I said, other governments in terms of a race for self-driving autonomous vehicles - so that's quite important there. From a product side, if there are vulnerabilities or flaws, you now have some type of potential cybersecurity risk which could be seen into these vehicles. You also have massive legal risk. I mean, once again, a material cyber risk is something that they would have to report if this is an occurrence that met that threshold of being something that investors should know about, shareholders should know about. I also think there's an enormous reputational risk, even on top of the cybersecurity risks and this is how do you trust the underlying operating system that's within the vehicles? How do you trust the operating systems, the manufacturing plant? How do you actually look at those? So I think there are a few different risks there. It's definitely one of those things that is, perhaps, around ones and zeros but just goes home to prove the point that, look, at the end of the day, Tesla is an IT company in terms of the autonomous machines that they are potentially creating and looking towards creating, but they are an IT company first and foremost and a vehicle company and energy company second and third and fourth.

Dave Bittner: [00:08:23:07] I'm curious what your thoughts are on the regulatory side of things? In the past manufacturers have had trouble with any number of things that auto manufactures have had to do recalls for. But it seems like, when the ratio of software to steel in a car continues to shift towards software, it's a new world.

Chris Pierson: [00:08:47:01] Yes, it definitely is. I think that Tesla's lucky in that regard in terms of the automated updates and the pushing of updates that they have. They've shown quite consistently over the years that they're able to go ahead and fix items, patch items, do massive updates to their vehicles. So if there were something in there-- let's just say there are a hundred lines of code that have been replaced or there's something that's vulnerable-- I think they have a patterned history of showing that they can and will push massive updates to their vehicle fleets. So I think that really mitigates things there. One of the risks here, quite honestly, I mean, when we look at Elon Musk, when we look at the books and the articles and the speeches, a lot of what he does and a lot of what he talks about is culture. It is possible, and this is the thing I'd be a little worried about, that this amount of theft could cause some type of shift in terms of trusting employees, trusting insiders. That may be more damaging longterm in terms of the types of controls that are implemented, if there's as much free sharing with employees, if there's as much trust with employees as a result of this. Once again, one bad apple shouldn't make a massive change for the whole environment but I bet their security teams are actually looking at how do we think about insiders and employees as on the team, but maybe with a few tighter controls and a few tighter barriers there.

Dave Bittner: [00:10:13:05] That's Chris Pierson from Binary Sun Cyber Risk Advisors.

Dave Bittner: [00:10:19:16] Cryptocurrencies fell today on news that another South Korean exchange, Bithumb, was looted of about $31 million. Coming less than two weeks after the theft at Coinrail, which lost a reported $37 million, the loss has shaken confidence in cryptocurrency markets. While speculators will continue to pursue alternative currencies, and while they've established a place for themselves in financial markets, investors might apply the same risk-reward calculus they would use, for example, when investing in a highly speculative growth stock. As High-Tech Bridge CEO Ilia Kolochenko put it in an email, "Users who entrust their digital coins to third parties should be prepared to never see them again. This is the reality of modern Bitcoin Klondike."

Dave Bittner: [00:11:06:06] Bithumb is a not inconsiderable exchange, although it's not the largest. Webroot senior threat research analyst Tyler Moffitt said, "To be hacked is a huge deal in the crypto world and will definitely have an impact on this speculative market." He sees Bithumb's offer to cover lost funds from its own reserves as a kind of silver lining—at least the customers won't take a bath—and he notes that Bithumb has moved its remaining coins to an offline cold wallet. Moffitt notes that it's important to understand that this was loss of access to the private keys of online wallets, not the hacking or manipulation of the blockchain itself. So it's analogous to the sort of credential loss that has become the norm for all manner of cybercrime. Moffitt pointed out "Anyone who has these private keys is going to be able to withdraw funds as if they were the legitimate owner. Storing these keys on a computer or cloud backup, especially in plain text, is just asking for trouble." In his view, hardware wallets are a better option for holders of cryptocurrencies.

Dave Bittner: [00:12:10:15] Akamai notes the declarations of #Opicarus2018 emerging from the hive-mind of Anonymous. The anarcho-syndicalist collective's calls to action threaten and inspire attacks on financial institutions between the 21st and 28th of June. The operation includes or subsumes several other ops: #OpPayBack, #OpIcarus, #DeleteTheElite, and #SosNicaragua. Anonymous ops have tended to fizzle badly over the last several years, and it's been a long time since Anonymous has counted any meaningful coup, but the declared targets would do well to be on heightened alert over the next week or so.

Dave Bittner: [00:12:52:08] And finally, speaking of alt-coins and Anonymous, there's a minor harmonic convergence of the twain in the world of crime and punishment. Infosecurity Magazine reports that the Bitcoin Baron of Apache Junction, Arizona, has received a sentence of twenty months for charges related to his online activity. Randall Charles Tucker, 23, was convicted of organizing a distributed denial-of-service attack against the city of Madison, Wisconsin. His motives remain unclear, possibly because those motives themselves lack clarity, but the best bet is that he saw himself as an idealistic hacktivist in the Anonymous mould. Mr. Tucker has a bit of a track record. The Madison DDoS might have been prompted by a police shooting, but on the other hand Mr. Tucker is also said to have hacked a children's hospital with inappropriate images of children. Why is he called the Bitcoin Baron? Don't know, but it's the title he gave himself. Like a less effectual version of Star Lord from the Guardians of the Galaxy. Probably poorer taste in movies and music, too. Mr. Tucker's claims of idealism have therefore prompted either skepticism or a so-much-the-worse-for-idealism reaction among observers. It's sad, really when you can't trust the discretion, the target selection, and the aim of an anarcho-syndicalist and alt-coin speculator. Well who can you trust in this veil of tears?

Dave Bittner: [00:14:20:17] And now a bit about sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move onto protecting applications, access management and encryption and they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on A Comprehensive Approach To Security Across The Digital Workspace will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security. And we thank VMware for sponsoring our show.

Dave Bittner: [00:15:22:09] Joining me once again is Awais Rashid. He's a Professor of Cybersecurity at University of Bristol. Welcome back, Awais. We want to talk today about the importance of real world experimentation. Getting out of the lab, with your research and practice, what do you have to share with us about that today?

Awais Rashid: [00:15:40:01] I think the challenge we are going to face is that, within the next few years, the number of devices connected to each other and the Internet will outnumber humans by, depending on whose estimate you believe, something like five to one. These systems of connected devices will underpin everything from health care to transport to energy and finance. The way we communicate and share information with each other will change, so we are really talking about really large scale hyperconnected systems. So, as a result, we need to ensure that what we develop in the lab actually works in the real world and, as a result, the way to test any kind of security solution in our connections has to be deploy them in the wild and understand what are the implications of that.

Awais Rashid: [00:16:29:08] However, that is very very challenging because, of course, you can't deploy cryptypical solutions on production environments because, of course, they may not necessarily be fit for purpose or scale very well. So we really do need large scale experimental infrastructures that are close enough to the real world to be able to do that and that's a big challenge.

Dave Bittner: [00:16:53:17] There's that old saying from warfare that, "No battle plan survives contact with the enemy" and it seems like that could apply here as well.

Awais Rashid: [00:17:01:23] Absolutely. That's exactly the reason. Normally what happens is, we develop things, they are developed with rigor and with all good intentions by researchers and practitioners, but usually we test them on small scale things in the lab or in an experimental setting and then, when they are deployed in real world infrastructures, they don't always scale. I'm not saying that they never scale. They don't always scale. That's why we need to think about how we might be able to do this. There are a number of academic and industry organizations that run test beds and I think there is a good argument for us to try and link some of these test bed infrastructures together so that we do have economies of scale, but also that really large scale environment that would represent the realistic setting in which security takes place in the real world.

Dave Bittner: [00:17:52:04] I'm thinking of the rigorous testing that takes place when it comes to pharmaceuticals. Is that not a good example? Is it simply too expensive to do something at that scale?

Awais Rashid: [00:18:04:02] I think it's not a case of expense. It's how you may deploy and test something and the pharmaceutical industry is an interesting example because the trials only move onto large scale clinical trials once they have gone through smaller scale testing and then an increasing level of confidence is built up. I think we do need to be able to do something very, very similar, but the question is how do we test in the wild? For example, would you be willing to deploy an experimental security solution on, say, a power grid or a nuclear power plant or a transportation system? I think you would have to have a lot of confidence and then a lot of fail safes built into it and I think we need to develop those kind of protocols. Other disciplines have developed those protocols and I think we are a little bit further from that at this point in time.

Dave Bittner: [00:18:52:22] Awais Rashid. Thank you for joining us.

Dave Bittner: [00:18:59:15] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our support sponsor VMware. Creators of Workspace ONE intelligence. Learn more at The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thank you for listening.