The CyberWire Daily Podcast 4.6.16
Ep 72 | 4.6.16

Panama Papers count coup. Trojanized Android apps found.


Dave Bittner: [00:00:03:18] The Panama Papers' fallout continues to fall, and it's fallen hardest in Iceland. Avast warns of a malicious SEO campaign. A Trojan finds its way into Android apps on the Google Play Store, and Google also boots a dodgy (but popular) Chrome extension. We learn about ransomware and HIPAA, and we hear of a highly personalized ransomware spear phishing campaign. We'll share a quick report on what we learned at the Billington CyberSecurity International Summit, and we remember that more Panama Papers are said to be out there.

Dave Bittner: [00:00:35:07] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at

Dave Bittner: [00:00:57:21] I'm Dave Bittner, in Baltimore with your CyberWire summary for Wednesday, April 6th, 2016.

Dave Bittner: [00:01:03:23] Exactly how the Panama Papers leaked remains unclear. The Papers, of course, are that trove of documents obtained under obscure circumstances from Panamanian law firm, Mossack Fonseca, and published earlier this week by Süddeutsche Zeitung. They allegedly constitute evidence that some high-profile public figures around the world have been systematically hiding very large amounts of money in offshore caches, and that Mossack Fonseca facilitated the offshoring. Mossack Fonseca told Reuters, in a brief statement, that its email server was hacked, and that the exfiltration of documents was definitely not an inside job. But "email server hack" leaves a great deal unexplained, and to the imagination.

Dave Bittner: [00:01:45:17] The Australian firm Nuix says that the Süddeutsche Zeitung and its collaborators in the International Consortium of Investigative Journalists used the Nuix big data analytical tool Investigator Workstation to help develop the story. That story has been in process over the better part of a year.

Dave Bittner: [00:02:02:09] What if any laws were broken remains under investigation, that is, investigation in at least seven countries, but the scandal counted its first coup yesterday when Iceland's Prime Minister resigned in the midst of public outrage over allegations that members of his family sought to conceal large amounts of money in offshore accounts. Russian President Putin's name has also surfaced in the documents, but Moscow pooh-poohs this as a bunch of resentful American disinformation.

Dave Bittner: [00:02:30:17] Security industry observers see the Panama Papers as a clear instance of two trends. First, the enormous quantity of highly sensitive information law firms hold, and, second, the relatively porous defenses with which these firms surround that information.

Dave Bittner: [00:02:45:16] In other hacking news, Avast warns that a malicious search-engine-optimization (SEO) campaign is attacking vulnerable WordPress and Joomla installations.

Dave Bittner: [00:02:57:10] More serpents emerge in the Google Play Store's walled garden. Security firm Dr. Web found that one hundred four Android apps available for download were infected with an information-stealing Trojan. Dr. Web is calling the Trojan Android.Spy.277.origin. Dr. Web disclosed the problems to Google, which is removing the apps.

Dave Bittner: [00:03:19:02] Google has also given the heave-ho to the popular Chrome extension Better History, which users complained has been hijacking browser sessions and redirecting them to unwanted ad pages.

Dave Bittner: [00:03:31:01] Ransomware retains its position as the current criminal approach of choice, although DDoS is also not forgotten. Proofpoint researchers report a new development, customized ransomware, which calls its intended victims by name and it's made its appearance in the wild, turning up in spear phishing campaigns.

Dave Bittner: [00:03:48:16] With so much ransomware targeting the healthcare sector recently, we spoke with the University of Maryland's Ben Yelin on ransomware and HIPAA. We'll hear from him after the break.

Dave Bittner: [00:03:58:21] We attended Billington CyberSecurity's inaugural International Summit in Washington yesterday. You'll find a complete account of the conference on our website, but some interesting themes are worth mentioning. We were struck by the extent to which the speakers saw voluntary, self-organizing collaboration for cyber defense and security as not only positive and productive, but as practically inevitable. And this view crossed not only sector boundaries, but national boundaries as well.

Dave Bittner: [00:04:24:19] When organizations, whether military or civilian, government or private, find themselves in situations where they need to cooperate to succeed, they typically find ways of doing so. Several speakers advocated a pragmatic, experiential approach to developing effective policies and procedures for cyber security. Cooperation is more important than technology, they tended to believe, and they thought that leaders might well seek to create conditions under which positive spontaneous organization can occur.

Dave Bittner: [00:04:53:01] It was also noteworthy how many of the speakers found unclassified, open-source information to be of very great value. There was a general consensus that over-classification was a problem that needs to be addressed, and an obstacle to effective cooperation. But it was also striking how many thought progress could be made simply by attending to, and using, the vast amount of unclassified information that can already be freely shared.

Dave Bittner: [00:05:17:15] US NSA Director, Admiral Michael Rogers, appeared before Congress this week. He named Russia and China as the leading threats to the US in cyberspace, but warned that Iran was gaining ground as well. He reignited an old roles-and-missions debate by recommending that US Cyber Command be designated a Combatant Command.

Dave Bittner: [00:05:37:23] Finally, we noted earlier that the Panama Papers represent the outcome of an investigation that's been underway for at least the better part of a year. And this suggests one interesting line of reasoning. Journalists seem better at keeping secrets than at least some law firms, and perhaps some government agencies. There are apparently more revelations to come, at least according to the Süddeutsche Zeitung. The German newspaper said, in response to questions about why there didn't seem to be prominent citizens of some prominent countries on the list of those named in dispatches, that there's a lot more to come. Stay tuned.

Dave Bittner: [00:06:16:01] This CyberWire podcast is made possible by the generous support of ITProTV, the resource to keep your cybersecurity skills up to date with engaging and informative videos. For a free seven day trial and to save 30 percent, visit and use the code, cyber30.

Dave Bittner: [00:06:41:03] I'm joined once again by Ben Yelin, he's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security, one of our academic and research partners. Ben, there was an article in Forbes recently that was questioning whether or not a ransomware attack on a healthcare provider constituted a HIPAA violation.

Ben Yelin: [00:06:59:04] So just for a little background, HIPAA is a Federal law that has some reporting requirements. Hospitals are required to report data breaches to individuals who are affected, and if more than 500 individuals are affected, they're required to report it to the media and also there are general reporting requirements to the Department of Health and Human Services.

Ben Yelin: [00:07:18:19] There was this ransomware attack that occurred recently here in Maryland at a health group called Medstar Health, which is one of the biggest providers in Maryland, and there's a question as to whether that breach would require some sort of notification. So generally notification is only required for a "protected health information" or PHI. When you have a ransomware attack, it's unclear whether there's actually a breach of that data. The reason is, sometimes the ransomware attackers will simply surround the data, hold it hostage for some sort of ransom, but that data's never actually penetrated or released to the public in any capacity.

Ben Yelin: [00:07:59:02] So there's no legal reporting requirement if that data isn't breached. Now hospitals,for publicity reasons, may want to report both to their own patient and to the media for other reasons, but it is interesting that without that protected health information being penetrated, there may not be a legal reporting requirement to HHS under the terms of HIPAA.

Dave Bittner: [00:08:23:09] Ben Yelin, thanks for joining us.

Dave Bittner: [00:08:27:16] And that's the CyberWire. For links to all of today's stories, visit and while you're there, subscribe to our popular daily news brief. Our editor is John Petrik. I'm Dave Bittner. Thanks for listening.