The CyberWire Daily Podcast 6.26.18
Ep 628 | 6.26.18

Romania, UK, warn of Russian cyber ops. International norms of cyber conflict. Bronze Butler's USB drives. Too-smart batteries not smart enough. Industry notes. Game cheater gets jail time.


Jack: [00:00:00] Dad, I go to the pool all the time. And Mom won't let me leave the house unless I'm slathered with sunscreen. So I would appreciate it if you would stop using me for your CyberWire Patreon so you can get more patrons, yeah -

Dave Bittner: [00:00:23] Warnings of Russian cyber operations from Romania and the U.K. Recent attempts at developing international rules of conduct - and conflict - in cyberspace. Bronze Butler's naughty USB drives. FireEye says it never hacked back. Smart batteries may be too smart for their users' good. A new venture fund lends credibility to cryptocurrency and blockchain startups. And the Overwatch hacker gets jail time.

Dave Bittner: [00:00:55] A few words from our sponsors Cylance - you've probably heard of next-generation anti-malware protection. And we hope you know that Cylance provides it. But what exactly is this next generation? And why should you care? If you are perplexed, be perplexed no longer because Cylance has published a guide for the perplexed. Sure, they call it "Next-Generation Anti-Malware Testing For Dummies." But it's the same principle - clear, useful and adapted to the curious understanding. It covers the limitations of legacy anti-malware techniques and the advantages of artificial intelligence and why you should tested for yourself, how to do the testing and what to do with whatever you find. You can check it out at That's "Next-Generation Anti-Malware Testing For Dummies." That's Cylance. And we thank them for sponsoring our show.

Dave Bittner: [00:01:53] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 26, 2018. Romanian Defense Minister Mihai Fifor says the NATO member is under, more or less, continuous Russian cyberattack. In the U.K., GCHQ's National Cybersecurity Center Director Ciaran Martin offered a similar warning to Parliament yesterday - noting, quote, "a consistent rise in the appetite for attack from Russia on critical sectors," end quote. The comments will surprise few. Romania is geographically close to Russia - even closer now that Russia has seized Crimea from Ukraine - and shares the Black Sea with Russia. It also represents a NATO partner whose proximity to the Russian border would tend to arouse the bear's ire.

Dave Bittner: [00:02:46] And London has long experienced tension with Moscow, heightened by Russian intelligence services' attempted assassination of a former GRU officer and his daughter in a nerve agent attack conducted in Salisbury. Note that GCHQ emphasized the risk of attacks on critical infrastructure - the sort of operation both U.K. and U.S. intelligence agencies have said they've seen in preparation.

Dave Bittner: [00:03:12] The United Nations' recent attempts at developing norms of cyber conflict - having so far amounted to little more than nonbinding statements of principle - good as far as they go, but falling short of the bar set by the Geneva Conventions or the Hague Rules. Lawfare has an interesting roundup of private-sector contributions to emerging international norms of behavior in cyberspace. Lawfare finds these particularly worth attention - Microsoft's Digital Geneva Convention and Cybersecurity Tech Accord and recommendations of the Global Commission on the Stability of Cyberspace, Siemens Charter of Trust and the Carnegie Endowment's Norm Against Manipulating Financial Data. International rules of cyber conflict remain very much a work in progress, and these four private sector efforts are worth a look.

Dave Bittner: [00:04:02] There's a bit of mildly alarmist reporting on Palo Alto Networks discovery that a Chinese cyber-espionage group, Tick, also known as Bronze Butler, has been working to infect secure USB drives produced in South Korea with SymonLoader malware. The activity has been widely reported as an attack on air-gapped systems, which in a sense it is but not by any particularly exotic new method. Mounting a malicious payload on a USB drive is an old technique that's been used by many organizations for some time. The malware Palo Alto describes affects only systems running Microsoft Windows XP or Windows Server 2003. And the researchers don't believe the infections form part of any active campaign. The discovery - while apparently not of any urgent concern - does serve as a useful warning of supply chain risk and, of course, a useful reminder not to plug just any old thing into your devices.

Dave Bittner: [00:05:02] Speaking of supply chains, here's a rule of thumb - if something is smart, then it's risky. A team of researchers from Technion, the University of Texas, and the Hebrew University have found a potential problem with smart batteries for mobile devices - the kind of battery that's designed to improve responsiveness and battery life. They call the problem interference attacks by malicious batteries on mobile devices, which somehow sounds like the kind of caper Felix the Cat would foil when he went up against the Master Cylinder. The researchers have demonstrated that sampling the phone's power trace from the battery can reveal a surprising amount of information. They've also demonstrated the possibility of establishing a covert channel from the battery to a command-and-control server. It's all proof of concept, of course, but this kind of risk is best handled earlier rather than later. The researchers, by the way, give their paper the title "Power To The Peep-All."

Dave Bittner: [00:06:00] David Sanger's new book "The Perfect Weapon" reports that Mandiant, now a unit of FireEye, hacked back into APT1's computers, gained access to the cameras on the attackers' laptops and so observed them hacking in real time. FireEye says the account is based on a misunderstanding. Mandiant never hacked back at anyone. And everything it learned about APT1, the watershed private-sector investigation of Chinese espionage, was obtained by, quote, "consensual security monitoring on behalf of victim companies," end quote.

Dave Bittner: [00:06:35] The VPNFilter malware continues to attract attention as more devices are found vulnerable to infection. Conservative estimates have put the number of infected devices at over half a million worldwide. Vikram Thakur is technical director at Symantec, where they've been tracking the issue.

Vikram Thakur: [00:06:53] So what's really helped over the last few weeks is the message about the malware itself, reaching out to many people and the instructions from the FBI, as well as the private sector, telling users to just go ahead and restart their routers. So that's really resonated. We can see the effects already. The restarting is taking the malware out of control from the attackers' perspective.

Vikram Thakur: [00:07:21] Then comes the much longer-term solution of making sure that these routers are no longer susceptible to such kind of attacks. That's a process which is likely to take one year, maybe even a couple years. And that is a little bit more involved from the user perspective as well as the manufacturers' and the messaging perspective because it requires a little bit more technical assistance to make sure that the router is safe from such acts in the future. So that process is ongoing, and it will take time.

Dave Bittner: [00:07:55] I think there was a little bit of confusion when the FBI made the announcement for folks to restart their routers that that would take care of things completely. But there is the possibility of some of the - some components of the malware surviving that reboot.

Vikram Thakur: [00:08:09] So that's actually true. Think of it as the attacker was able to plant a piece of code on the router. And that piece of code periodically reached out to the attacker and said, hey, do you want me to do something?

Vikram Thakur: [00:08:26] What the FBI did was the FBI went and intercepted that communication legally. And now the routers are only configured to reach out to the FBI server and say, hey, do you have any instructions for me? Do you have any instructions for me? Naturally, the FBI is not going to be sending any instructions to the router. They're just using the information to understand how many people in what geography are compromised with this malware.

Vikram Thakur: [00:08:55] But by restarting the device - by restarting your router, users' routers were confirmed to move away from the attackers' control of the router to now communicating with the FBI. So the malware still resides on the router, except it's not going to receive any instructions to perform anything, whether good, bad, ugly, because the FBI is on the other end of the communication channel.

Dave Bittner: [00:09:23] Are we dealing with a situation where we have hardware that could, perhaps, be obsolete? You know, there are no updates for it, and folks should be thinking about cycling that hardware through, getting newer hardware in there.

Vikram Thakur: [00:09:35] That's always a problem in our industry, whether it comes to, even, laptops, computers and especially home routers. Home routers are such an out-of-sight device there. First time you move into a house, you speak with your internet provider in the locality. You get that little box. They've told you to plug it in, and it just starts working and just goes out of sight, and people never, ever look at it.

Vikram Thakur: [00:10:02] So that is the huge challenge in this situation, and that's exactly what the attackers took advantage of. They look at a device just connected to the internet and the fact that nobody's ever going to be updating it, or nobody's ever going to be restarting it. And that's what they leveraged to their advantage out here.

Vikram Thakur: [00:10:20] Yes, our advice is go out and upgrade some of these devices, or call someone who's technically capable of logging in to these devices and updating the firmware on them. But we understand that there's a cost associated for end users with this. And end users are not going to be naturally shelling out more money to upgrade a device which, from their perspective, continues to operate. So it's a tough situation for consumers. We understand that. But our recommendation is to spend the effort and spend the money required to either upgrade the device or switch it to something a little bit more secure that you can easily purchase at your local IT store.

Dave Bittner: [00:11:05] That's Vikram Thakur from Symantec.

Dave Bittner: [00:11:10] In industry news, Silicon Valley venture capital firm Andreessen Horowitz has opened a new fund. This one is dedicated to supporting startups working on cryptocurrencies and the blockchain, which should instantly provide some capitalist street cred to the somewhat-battered sector.

Dave Bittner: [00:11:28] And a new company has emerged from stealth and announced not only a quantum network but $10 million in Series A funding. Bethesda, Md.-based Quantum Xchange announced this morning that it had launched, quote, "the first quantum fiber optic network in the United States and commercial Quantum Key Distribution service for quantum-safe data protection," end quote. New technology ventures led the funding round.

Dave Bittner: [00:11:54] Finally, if you're playing Overwatch, don't cheat, and especially don't sell the cheats you come up with. This is news you can particularly use if you're within reach of the long arm of the Republic of Korea's law. The Incheon District Court has sentenced a 28-year-old man to a year in prison and two years of probation.

Dave Bittner: [00:12:14] The Republic of Korea has been interested in cracking down on gaming problems for some time. The country has earned a reputation as home to Overwatch cheaters. According to an article in Kotaku last February, it's not unusual for 20,000 or more South Korean players to be banned from Overwatch on a typical day. Those banned are usually able to hack their way back in short order. As Kotaku put it, quote, "cheating on the Asian Overwatch server is endemic and widespread. On the forums and Reddit, complaints about hacking South Korean players' too-accurate headshots, immediate gun-downs and even DDoS attacks against the winners in competitive mode are widespread," end quote.

Dave Bittner: [00:12:57] It's not only a national embarrassment, but it's also a practice that's fueled a burgeoning black market in game cheats. The cheater in this case - and he was selling his cheats for a pretty penny - was convicted under two Republic of Korea laws designed to curb misbehavior by online gamers, the Game Industry Promotion Law and the Information and Communication Technology Protection Law. His sentence might wind up being suspended, at least in part. But in any case, the sentence is unusually stiff. Violators usually get off with fines, but jail time is unusual. It's thought that the hacker's profit, some 200 million won - that's about $180,000 - disposed the court to go for justice as opposed to mercy. Take that, Hanzo. Boom.

Dave Bittner: [00:13:51] Now a few words about our sponsor, Invictus. We've all heard that cyberspace is the new battle space. Invictus International Consulting was founded by people who know a battle space when they see it. This premier cybersecurity company headquartered in Northern Virginia boasts an expert staff with decades of cybersecurity, technology solutioning and intelligence analysis experience. Its customers in the intelligence, defense and homeland security communities value Invictus and its work. As a service-disabled, veteran-owned small business, over 60 percent of Invictus' workforce is comprised of veterans.

Dave Bittner: [00:14:28] And it's not just in the government space. It delivers for commercial clients, too. An award-winning company recently named to 2018's Cybersecurity 500 list as one of the world's hottest and most innovative cybersecurity companies, Invictus has also won the Most Valuable Industry Partner award at the (ISC)² 15th annual Information Security Leadership Awards. So check them out at That's And we thank Invictus for sponsoring our show.

Dave Bittner: [00:15:10] And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, welcome back. You wanted to touch today on this notion of cascading failures in complex systems. What can you share with us?

Daniel Prince: [00:15:25] So one of the things that I've been looking at is how digital systems effectively remove the friction within day-to-day activities. I mean, we design them like that so that we can actually have that reduction in friction because the reality is that it makes us much more productive. We can do more complicated things with less time.

Daniel Prince: [00:15:44] The problem is that within those large-scale distributed systems, we can start to combine different processes together in ways that we don't understand, creating complex systems. But because there is a lack of friction - the human interaction - in many of the systems, the automation part, the orchestration part means that when an incident happens, it cascades very quickly across the whole of the platform. And that can potentially create a significant risk within that system, which is an unintended consequence of that complexity.

Daniel Prince: [00:16:19] The example I like to use is around distributed ledger smart contracts. For me, you can orchestrate a smart contract environment in which multiple contracts are cascaded together to create that series of financial transactions. If you were buying a house, which can be a very complex process, the complexity of the chain of me selling a house to me buying a house and then the similar people on either side of me naturally becomes quite short. People don't like long chains because of the complexity of having to deal with multiple solicitors, multiple lawyers and other legal agencies that sit around that. But if I can do that in a smart contract, then it actually becomes easier to create incredibly long chains for exchanging contracts. That's great because we can do a very quick transaction. But if there was something wrong within that transaction, it becomes very difficult to potentially reverse.

Daniel Prince: [00:17:15] Now if we think about how that could happen in a very large scale with multiple microtransactions, you could potentially create a situation where you're launching, effectively, a financial denial-of-service attack against organizations, where multiple transactions - millions of cascading multiple transactions target one particular financial institution, which causes that system to, potentially, fail.

Dave Bittner: [00:17:41] Is it important that the people who are designing these systems, who are putting them together build in some sort of fail-safe so that - if there's a way to sense when something has, perhaps, spun out of control?

Daniel Prince: [00:17:53] So yeah. There's lots of systems theory about looking at these types of anomalous behavior, thinking about these sort of feedback mechanisms and being able to detect these failures. And I think it's something that we need to start thinking about - how large-scale systems could potentially cause these types of problems, because they're replacing systems which have traditional kind of inbuilt friction in kind of the bricks-and-mortar and the people. And that's a positive thing, but it causes this potential risk to build up within the overall system.

Daniel Prince: [00:18:27] How we actually go about doing that, I don't know. But actually, we need to start thinking about how we engage with the conversation to say, what is the larger problem here that could be caused by this entirely frictionless data exchange, financial exchange system that we're globally trying to build?

Dave Bittner: [00:18:48] All right. Daniel Prince, thanks for joining us.

Dave Bittner: [00:18:55] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:19:23] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.