The CyberWire Daily Podcast 3.28.16
Ep 65 | 3.28.16

Ransomware and hospitals. Why random numbers matter. Stolen certificates.

Transcript

Dave Bittner: [00:00:02:22] The indictment of seven Iranians in the Rye dam hacking case suggests that the attackers used Google-dorking to find a vulnerable system. The Dark Web apparently isn't the best place for propaganda; it's just too slow and user-unfriendly to serve as a mass medium. If you use Zen Cart for your online customers, update it to the latest version. Stolen SHA-2 certificates are turning up in banking Trojans. A new strain of ransomware is out and we hear why hospitals seem susceptible to this form of attack. And we'll learn a bit more about why random numbers matter.

Dave Bittner: [00:00:36:22] This CyberWire podcast is made possible by the generous support of ITProTV, the resource to keep your cyber security skills up to date with engaging and informative videos. For a free seven day trial and to save 30% visit itpro.tv/cyber and use the code CYBER30.

Dave Bittner: [00:00:59:00] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, March 28th, 2016.

Dave Bittner: [00:01:05:14] Details of how hackers allegedly got into the control system of that dam in Rye, New York, emerge from the US Justice Department's indictment of seven Iranians. They're said to have found the dam's vulnerable systems by Google-dorking, and then working their way through there.

Dave Bittner: [00:01:20:17] "Google-dorking," which name, by the way, shouldn't be taken to imply any nefarious intent or negligence on the part of the Mountain View search giant, is a technique of searching for poorly protected or exposed systems online. It's a form of pre-attack reconnaissance that uses search parameters somewhat more complex than typical searches. A common parameter might be "filetype," which would return files with certain specified extensions such as "doc," "pdf," "xls" or so on. Another parameter might be "site," which would return files located on a particular website, or on a particular domain. An insecurely configured network is likely to expose its vulnerabilities to Google-dorking. Once the hackers located a vulnerable system, the Bowman Street dam, it was a matter of applying an exploit. And Rye can take such comfort as it may in realizing that their flood control dam was just a target of opportunity.

Dave Bittner: [00:02:11:22] ISIS is said to be responding to reverses on the ground by, first, conducting increasingly violent propaganda-of-the-deed outside its core territory. This it celebrates online and ISIS received some sad competition this Easter from its jihadi rivals in the Pakistani Taliban who claimed responsibility for a massacre targeting Christian parents and children in a Lahore park on Sunday. Second, within territory still under ISIS control, the Caliphate seems to be withdrawing from the Internet, using more easily controllable legacy media to spread and reinforce its message. So inspiration stays online, but operations seem cellular and locally controlled, and much recruiting in the West appears to have moved into prison populations.

Dave Bittner: [00:02:55:08] Interestingly, ISIS appears not to be particularly active in the often-discussed, much-feared dark web, those precincts of the Internet not indexed by standard search engines. The dark web, as Defense One points out, is proving, quote, "too slow and annoying for terrorists," end quote. A study conducted at King's College, London, found relatively little jihadi activity on the dark web. Apparently the dark web is good for running black markets, so you'll find a criminal presence there but as far as propaganda and communications go, the dark web just isn't well-adapted to getting the word out. After all, if you want the curious and the impressionable to find your message, it's much better if they can just Google your inspiration.

Dave Bittner: [00:03:35:01] Trustwave researchers describe a cross-site scripting vulnerability in the widely used open source online shopping cart app, Zen Cart. Zen Cart has patched the problems Trustwave disclosed to them, and users of the app are advised to upgrade to the latest version of Zen Cart, 1.5.5. Note that it's the sellers, not the buyers, who are the ones needing to upgrade.

Dave Bittner: [00:03:56:24] SHA-1 may be on its way out and SHA-2 on its way in, especially after Microsoft updated its crypto libraries in favor of SHA-2 last year. But as all of us adapt to newer hashing systems, so do the criminals. Symantec researchers are finding that the authors of the Carberp banking Trojan are now signing their code with stolen SHA-2 certificates. The lesson for users is to not trust certificates blindly. Consider the file's source and take other precautions. And while you're at it, safeguard your own certificates against theft, too.

Dave Bittner: [00:04:28:23] Researchers at Carbon Black are warning of a new ransomware strain, "PowerWare," which is fileless and written in the Windows PowerShell scripting language. Word documents crafted to induce victims to disable the Word preview sandbox and execute malicious macros are the vectors. Hospitals are particularly affected.

Dave Bittner: [00:04:47:04] Ransomware does indeed appear to represent a growing threat to the healthcare sector. We talked about this with BUFFERZONE's CEO Israel Levi.

Israel Levi: [00:04:55:04] Given the fact that the information stored in-- on each and every computer in the hospital typically is very sensitive and is needed as much as a life threatening situation if you lose it, I believe attackers would go after this kind of information and encrypt it and try and blackmail the people holding it given the high price of not obtaining this information. Second thing is given the fact that some of the hospital, already they would release information about the fact that they had been attacked and the attack was regarded as successful, it may draw some other people to try and get to the same segment given the success of the initial attack. I think everyone experiences it but hospitals are more open about it.

Dave Bittner: [00:05:42:01] Levi says healthcare providers need to take a practical approach.

Israel Levi: [00:05:45:18] Our recommendation is, you know, address and, and map all your inflow of information to the company and make sure that you know where you have threats flowing in. Typically it would be your web browsers and your email attachments. So what you need to do is just segregate, separate, keep this information that's come from the outside world in a secured container and then once you decide you want it in, you need to have the means to bring it in in a way that will not allow the bad guys to get in.

Dave Bittner: [00:06:23:01] Bufferzone's website is bufferzonesecurity.com.

Dave Bittner: [00:06:28:15] In industry news, the insurance sector continues to approach offering cyber insurance with some caution. Premiums are high, but the lack of actuarial data still worries insurers. It's hard for them to be sure of how much risk they're actually assuming.

Dave Bittner: [00:06:42:19] Apple is apparently familiar with Cellebrite, the company widely believed to be helping the FBI open the iPhone implicated in the San Bernardino jihad case. Observers think the Bureau will eventually have to disclose how they got into that iPhone, assuming that the Bureau succeeds. The AP reports that Apple is a Cellebrite customer, using its products in some of its stores. But if Cellebrite's already in the Apple Store, how might that disclosure be news? So, listeners, belly up to your local Genius Bar and ask the geniuses on duty what they think.

Dave Bittner: [00:07:18:07] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at digitalharbor.org.

Dave Bittner: [00:07:38:01] Joining me once again is Jonathan Katz. He's a professor at the University of Maryland and also a Director of the Maryland Cyber Security Center. Jonathan, when we were back at RSA, the no-- the subject of random numbers came up time and time again and the importance of random numbers. Why are random numbers so important to cyber security?

Jonathan Katz: [00:07:55:08] Well, random numbers turn out to be vital for various applications in cryptography and the easiest example of that is just the example of generating a cryptographic key. When you generate a cryptographic key that you're going to share with some other party, with whom you're going to communicate, you want that key to be random so that an attacker in particular won't be able to guess it and the less random your key is, the easier it will be for an attacker to guess it and once they guess it, of course all the security of your encryption or authentication or what have you is going to be lost.

Dave Bittner: [00:08:24:10] Are there methods for proving that a number or a string of numbers are truly random?

Jonathan Katz: [00:08:28:13] Well, that's interesting, that gets into the question of what it even means for something to be random, at least for the purposes of cryptography and the fundamental measure here is entropy which relates to exactly how hard it is for an attacker to guess the value of your random number. And so you want to make sure that any random number you're using for those purposes is really unguessable to the attacker. There have been some advances in the last couple of years actually on quantum mechanical methods for generating randomness where the device can be proven to output random numbers that are unguessable to within a particular degree.

Dave Bittner: [00:09:04:05] Now what about using a number, like an irrational number like pi as a source for a random number. Does that get you anywhere?

Jonathan Katz: [00:09:10:22] Yeah, that's kind of interesting, I hear that often and the problem is that it doesn't really give you the randomness that you need for cryptography. So there might be some notion of randomness or chaotic behavior and for example the digits of pi, but they're not all random because the digits of pi are public. So if you're gonna be picking your key based on some consecutive digits of pi and if an attacker knows that, then it would be trivial for the attacker to figure out exactly what your key is. So those kind of numbers would not be suitable for cryptographic purposes.

Dave Bittner: [00:09:39:22] Alright, Jonathan Katz, thanks for joining us.

Dave Bittner: [00:09:44:07] And that's the CyberWire. For links to all of today's stories, visit thecyberwire.com and while you're there subscribe to our popular daily news brief. Our editor is John Petrik. I'm Dave Bittner. Thanks for listening.