Wi-Fi access point zero-day reported. US Cyber Command on the offensive. Transparency is tougher than it looks. GandCrab not paying out as much—good. PIPEDA takes effect. Soulmate spyware.
Dave Bittner: [00:00:04:01] Bleeding Bit flaws leave Wi-Fi access points open to war drivers and other malefactors within a hundred meters of your equipment. US Cyber Command continues its attempts to dissuade foreign influence operations against midterm elections. Social networks have difficulty identifying who's buying ads. Canada's data privacy law takes effect today. GandCrab crooks take a million-dollar bath, and if you go to Soulmates in Google Play, you're looking for love in all the wrong places.
Dave Bittner: [00:00:41:02] Now a moment to tell you about our sponsor ObserveIT. It's 2018. Traditional data-loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain, and too heavy on the endpoint. They are high maintenance, and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly, and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult, even for the most technical users, to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at ObserveIT.com/cyberwire. That's ObserveIT.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:01:44:24] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 1st, 2018.
Dave Bittner: [00:01:57:16] A major flaw in Wi-Fi chips has been discovered. The Israeli security firm Armis reports finding two zero-day flaws in Texas Instruments' Bluetooth Low-Energy chips. These are widely used in Wi-Fi access points, including enterprise access points like those manufactured by Aruba, Cisco, and Meraki.
Dave Bittner: [00:02:18:16] Armis is calling the issue "Bleeding Bit." The first of the two flaws involves flipping the highest bit in a Bluetooth packet, thus causing a memory overflow, causing the memory to "bleed." Once the device is in that condition, it's possible for an attacker to run malicious code on an affected device. This problem affects Cisco and Meraki equipment.
Dave Bittner: [00:02:39:23] The other bug exploits the device's failure to properly authenticate apparent trusted firmware updates. This problem affects Aruba devices. The absence of proper checks could enable an attacker to install malicious firmware.
Dave Bittner: [00:02:54:11] This sounds like, and has been characterized as, a remote code execution vulnerability but, as TechCrunch points out, technically that's not true, since it can't be exploited over the Internet. An attacker would have to be within Wi-Fi range, which is typically 100 meters or less - that's roughly 300 feet, for those of us who continue to bucket along with the English system of weights and measures. The range can be greater with a good directional antenna, but 100 meters is plenty of range for a wardriver parked outside your office building. Once connected, an attacker can gain access to any network using the Wi-Fi access point.
Dave Bittner: [00:03:32:00] Texas Instruments and the device manufacturers have issued patches since the vulnerability was disclosed to them in July. Texas Instruments has criticized Armis, which hasn't published exploit code, for allegedly exaggerating and misrepresenting the issue, but Texas Instruments has nonetheless patched.
Dave Bittner: [00:03:50:19] The chips are used in a wide variety of devices, not just Wi-Fi access points, so expect further alerts and updates.
Dave Bittner: [00:03:59:11] With midterm elections set for next week, and early voting having been in progress for some weeks, US National Security Advisor Bolton acknowledged that the US was engaged in offensive cyber operations designed to deter information operations directed against the electorate. According to the Washington Post, Bolton characterized the operations as falling below the level of armed conflict - that is, it isn't producing kinetic effects - and so did not require the sort of high-level authorization the use of military force or declaration of war would need.
Dave Bittner: [00:04:34:11] It's been widely reported that US Cyber Command continues to reach out to individual Russian trolls to deter more extensive information operations aimed at US elections. This direct, unconcealed approach is thought to be disconcerting enough to give individual operators, if not the Russian government, pause. The US Government knows you, and where you are, and what you do, and it won't forget. How effective the approach will prove remains to be seen, but it's clear that the US Government wants hackers to know that they're on the radar.
Dave Bittner: [00:05:09:01] Dueling bots and fake news sites continue to push rival versions of the murder of Jamal Khashoggi, journalist and frequent critic of the Saudi regime. Turkish prosecutors have released more information on the killing, although the victim's body has yet to be found. The killing has strained relations between Saudi Arabia and its many allies of convenience.
Dave Bittner: [00:05:32:24] Bots and fake accounts remain the principal matters of concern to those who fear the corrosive effects of disinformation on civil societies.
Dave Bittner: [00:05:41:07] Despite efforts to screen accounts for coordinated inauthenticity, social networks continue to find that denying information operations and their bots' access to social media is harder than it looks. Vice News tested Facebook's new commitment to transparency by sending them political ads that falsely represented themselves as being paid for by 100 US Senators. That's all the Senators there are, for those of you unfamiliar with the American Constitutional system of two Senators per state. There are 50 states, which makes, let's see, ten, 20, 50, an even 100 Senators, and most of them aren't even up for reelection anyway; they do serve a six-year term. At any rate, Facebook approved all of the ads, despite its attempt to see through phony accounts and ad buys. This doesn't necessarily mean that Facebook is either negligent or uncaring; it does mean that this kind of screening presents an inherently hard problem.
Dave Bittner: [00:06:39:20] Privacy and data breach regulations are an evolving area of public policy, with the EU's GDPR having a major impact on the industry. Here in the US, several states have implemented privacy regulations, and there's much speculation as to how this will make its way across the country, or take hold at the federal level. Tara Combs is Information Governance Specialist for Alfresco.
Tara Combs: [00:07:03:05] Well, all 50 states have actually passed data breach notification laws, so they have to notify constituents or people if there's been a data breach notification. And so Uber actually was just fined $148 million because they had a breach back in 2016, and they paid basically the hackers $100,000 to delete the data that they got and keep the breach quiet, rather than report the incident. So, the fact that all 50 states have passed that this year, Alabama being the last one to do that, shows you that people are now taking it seriously. California has just now enacted a Data Privacy Act that's very similar to the general data protection regulation over in Europe. That goes in effect in 2020. So, people are taking this very, very seriously now.
Dave Bittner: [00:08:00:07] Now, one of the points that you make is that this notion of having immutable records can be helpful with organizations trying to get a handle on this. First of all, can you describe to us what are we talking about when we say "immutable records"?
Tara Combs: [00:08:13:21] Well, the first thing that, when you're managing privacy data, is you actually have to understand where that data is stored. So, most organizations have, I call it "data in the wild", right? You have various systems in your organization, and you have to understand, do you have privacy data in with those systems? So, the first thing that you'd have to do is what I call a data analysis, because you have records in every one of those systems, and those records could contain privacy data.
Tara Combs: [00:08:44:07] The immutable records are the concepts of records that can't be altered, and that's where blockchain is coming in these days. So, at a state level, what we're seeing is states like Delaware, when businesses are being incorporated, they're actually registering those on the blockchain, so they've become an immutable record. The way the blockchain works is there's several servers, and they actually register those Articles of Incorporation across all of those servers and, as each article is registered, until there's a consensus among those servers that all of them are registering the same transaction, it's not agreed upon that it's a transaction.
Tara Combs: [00:09:31:10] So, let's say that we had seven servers, and we registered that Article on all seven of them. When there's an agreement that it's registered on all seven, then you have your immutable record of incorporation.
Dave Bittner: [00:09:44:07] Now, what are your recommendations for companies to prepare themselves for this? If there's a general agreement that, that there is going to be some sort of regulatory change coming, how can organizations be prepared?
Tara Combs: [00:09:58:09] So, the first thing you need to do is you need to have a plan. So, you have to understand what privacy obligations your organization is subject to. Do you have existing privacy risks? So, understanding, you know, what systems you have in place, and do those consistent systems contain privacy data.
Tara Combs: [00:10:20:12] Most organizations are actually appointing a Data Privacy Officer now, so that they've got someone in place that can actually put policies in place on how that data is going to be handled, who should, in that organization, have access to that data. You need to implement those policies. You need to measure how your program's performance against those policies is doing, and then you also have to be able to respond to those requests. Because part of all these Acts is, if a consumer makes a request to know what type of data that you have on them, or to opt out of you having their data - it's called "the right to delete" - you have to be able to respond to all of that, and you have to be able to measure how well you're responding. Because, typically, for California, it's 45 days. GDPR also has a date set on that as well. So, you need to have a program in place that addresses all of this.
Dave Bittner: [00:11:24:08] That's Tara Combs from Alfresco.
Dave Bittner: [00:11:28:23] Today marks the day Canada's data privacy law goes into effect. The Personal Information Protection and Electronic Documents Act, three years in the making and known by its acronym PIPEDA, is now in force. It imposes a requirement on private sector organizations to disclose breaches and potential exposure of personal information to unauthorized parties. Violators of the Act could be fined up to $100,000 per affected individual, so in principle the penalties could be very heavy indeed.
Dave Bittner: [00:12:01:01] CTV News, however, reports a widespread belief up north of the border that vague language, poorly resourced enforcement, and a suspected disinclination to take action against offenders will combine to render the law less severe than it seems to be.
Dave Bittner: [00:12:17:06] In contrast with the better known GDPR, for example, which places sharp deadlines on disclosure requirements, Canada's law is full of language that vaguely requires disclosure "as soon as feasible," when there's "real risk" of "significant harm." Maybe "as soon as feasible" might be in a decade or so. And who's to say what risks are realer than others, eh?
Dave Bittner: [00:12:41:17] All questions aside, however, the law is another sign that governments are increasingly inclined to regulate data privacy.
Dave Bittner: [00:12:49:22] Some good news on the ransomware front. Bitdefender's free decryptor for GandCrab ransomware is thought to have deprived the crooks of about $1 million in ill-gotten revenue. That's not a death-blow to GandCrab, of course, but nonetheless, bravo Bitdefender.
Dave Bittner: [00:13:07:17] And finally, all of you who hope to find love online, there's another reason to beware. Zscaler has found that the matchmaking app Soulmates, found on Google Play, is actually spyware. Maybe you'll meet someone nice, maybe, but for sure you'll be installing spyware. Soulmate listens in on incoming and outgoing calls, it intercepts SMS messages, it rifles through your contacts, and it tracks your current and last location. There's more, but that's enough for us. We've lost that loving feeling.
Dave Bittner: [00:13:47:17] It's time to tell you about our sponsor, ManTech. The cyber threat is growing, and so is the cyber talent gap. By 2019, ISOC predicts a two million global shortage of skilled professionals to meet demands. ManTech has the answer.
Dave Bittner: [00:14:03:14] They've been designing, building and staffing Department of Defense cyber ranges for more than 10 years. With ManTech's Advanced Cyber Range Environment, or ACRE, organizations of any size can develop their own core of cyber professionals. ACRE uses more than a dozen proprietary tools, techniques and processes to emulate any network environment, regardless of size or complexity. Train, evaluate tools, conduct security architecture testing, and undergo live-fire exercises on an exact replica of your own network environment, and do it with instructors who understand both offensive and defensive cyber. ManTech helps you think like your adversary and out-maneuver them. This is advantage ManTech. See how ManTech can work to your advantage. Go to ManTech.com/cyber today. That's ManTech.com/cyber, and we thank ManTech for sponsoring our show.
Dave Bittner: [00:15:10:01] And joining me once again is Johannes Ullrich. He's from the SANS Institute, and he's also the host of the ISC StormCast podcast.
Dave Bittner: [00:15:17:19] Johannes, there is something that, I have to admit, leaves me scratching my head, and that is seemingly benign files, things like image files, you know, JPEG images, things like that, and the ability for folks to hide malware in those sorts of files. Can you take us through and explain what's going on here?
Johannes Ullrich: [00:15:36:14] Yeah. There's really sort of a couple of interesting parts to this, but what it comes down to is that the bad guys are getting very creative in how they deliver malware to a system without necessarily delivering an executable file to you. So, one example is that they're using HTML archive. Internet Explorer, for example, you have the option to save a web page as a file, if you want to review it later. Now, what Internet Explorer does, it essentially creates one file with the HTML content, all the JavaScript files and images that can be easily loaded into Internet Explorer again.
Johannes Ullrich: [00:16:17:02] These files are often not considered as malicious by your anti-virus filter, so they're not really scanned for anything. So it's very easy for an attacker, for example, to hide malicious JavaScript inside these files, trick the user into opening it, and then of course the malicious JavaScript is executed and infects the system.
Johannes Ullrich: [00:16:40:00] Now, images, on the other hand, there are a couple of ways we have seen them being used. In a simple case, they basically just attach the malware to the image. So, you have a normal image file, but then, as part of the file, at the end of the file, you have the malware. This will not run, but what then happens is that you, for example, have some fairly standard, benign JavaScript that downloads an image, and then the JavaScript will strip off that image part, and just save the executable. But again, anti-malware may not consider the image malicious, so it will not look at it, will not scan it. So, those are some of the options that attackers have to essentially sneak malicious content by anti-malware. In particular, if you're using, for example, web proxies and such to do filtering before the malware actually hits the system.
Dave Bittner: [00:17:34:23] Now, what about hiding code within images, using the actual image content to, to hide your own content within?
Johannes Ullrich: [00:17:44:15] There are a couple options for that, and the way this is usually done is, for example, JPEG images. They have something called Exif data. Exif data are comments, essentially, and you may have seen this. For example, mobile phones use that quite a bit where they embed things like coordinates and such in the image. But you can embed whatever text you would like in the image, so, this is often used to embed code.
Johannes Ullrich: [00:18:11:15] The way this can be used maliciously is, there's sort of a, a really interesting effect here, where one file could be recognized as different file types, depending on what software looks at it. So, if you use an image viewing program to look at this file, well, it recognizes it as an image, because it sees the normal image there. But let's say you're loading this in a PDF reader. PDF signatures don't really have to start at the beginning of the file, they can be somewhere in the middle of the file. So, inside the image, I can then embed a PDF, and that PDF may be malicious. And if you're loading this image file in a PDF reader, it pretty much ignores that there's supposed to be an image. It just pulls out that PDF content, and again, may run malicious code.
Dave Bittner: [00:19:00:24] Now, are there effective ways to protect yourself against this?
Johannes Ullrich: [00:19:04:03] Well, better scanning for these artifacts. But it's really tricky to protect yourself against this, because as far as the JPEG standard, for example, is concerned, these may be 100% valid images. They just happen to have an odd comment in there. There is software that can strip out all of these comments but, then again, in some cases, you may actually want, need these comments for your image processing.
Dave Bittner: [00:19:30:08] Right, right. Alright, well, it's good information as always. Johannes Ullrich, thanks for joining us.
Dave Bittner: [00:19:38:18] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our Daily News Brief at thecyberwire.com.
Dave Bittner: [00:19:47:00] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit Cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire.
Dave Bittner: [00:20:05:05] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at VMware.com.
Dave Bittner: [00:20:14:00] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Dave Bittner: [00:20:23:19] Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.