The CyberWire Daily Podcast 4.7.16
Ep 73 | 4.7.16

Panama Papers, privacy, & financial transparency. MedStar ransomware incident update. Current scams.


Dave Bittner: [00:00:03:17] MedStar has hired Symantec to clean up its recent ransomware infestation. The hospital chain's not saying much, but it has denied the incident can be traced to failure to patch. The FTC warns us not to believe anyone calling from something called the Global Privacy Enforcement Network. The IRS again warns everyone that they'll never email us and tell us to "click a link." The Panama Papers bring down Iceland's government, but other than that most of those so far named in dispatches are celebrities from sports and entertainment. The Los Angeles Times is hacked. The Philippines' voter database is leaked, and the Italian government revokes Hacking Team's export license.

Dave Bittner: [00:00:42:01] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at

Dave Bittner: [00:01:04:16] I'm Dave Bittner, in Baltimore with your CyberWire summary for Thursday, April 7th, 2016.

Dave Bittner: [00:01:10:17] Investigation into the recent MedStar hack continues. MedStar itself isn't saying much, beyond that it has hired Symantec to find the problems and fix them. The hospital chain has, however, told the Baltimore Sun that it categorically denies an AP report's assertions (derived from an anonymous source) that the incident can be traced to failure to patch known JBoss web application server vulnerabilities. JBoss maintainer Red Hat patched those vulnerabilities in 2007 and 2010. MedStar says that none of the known JBoss vulnerabilities were factors in the attack. The hospital chain isn't answering other questions, Ars Technica reports, but it has pointed out that it restored operations rapidly, and that it has found no evidence that patient or staff data were compromised.

Dave Bittner: [00:01:55:16] According to research recently published by mobile security provider Skycure, medical practitioners are particularly vulnerable to attacks, in no small part because medical records are particularly valuable. Four times more valuable than credit card information, they say. The problem, according to Skycure's Varun Kohli, is insecure devices.

Varun Kohli: [00:02:15:04] What we saw was the attack can come through the mobile device from three different places. Number one, around 4.21% of all Android devices had high risk malware on them. The other finding that we had was network exposure, so around 22% of all the doctors' devices that doctors were using to assist with their day to day practice were exposed to a network attack in the very first month. And this number rose up to 39% over the next three months.

Varun Kohli: [00:02:56:03] The last thing that I want to talk about is the vulnerability. There were around 11% of the devices that had stored patient data and were vulnerable to high severity vulnerabilities because they were not on the latest version of the operating system.

Dave Bittner: [00:03:16:05] Skycure's website is

Dave Bittner: [00:03:20:22] Akamai reports that the BillGates bot family of malware is being used in the criminal underground to facilitate distributed denial-of-service attacks. Obviously, there's no connection between the malware and either Mr. Gates or Microsoft beyond the lowbrow satire implicit in the name. Attackers using the malware, which seems to have an Asian origin, are for the most part using SSH brute forcing for root login credentials.

Dave Bittner: [00:03:46:08] The US Federal Trade Commission has warned of phone calls coming in from the vaguely official-sounding but quite bogus "Global Privacy Enforcement Network." The calls seek to convince victims to give up their online credentials. The con job is a variant of the old tech support scam, but in this case the "Global Privacy Enforcement Network" tells the mark that their email has been compromised, that their account is distributing fraudulent messages, and that the "Global Privacy Enforcement Network" will take legal action unless the mark lets the Network take control of their computer to "fix" it. It's a scam. Hang up.

Dave Bittner: [00:04:20:18] The US Internal Revenue Service has also warned of a spike in tax-themed phishing targeting residents of Maryland, Virginia, and the District of Columbia. The phishing emails, which purport to be from the IRS, tell the victim to "verify the last four digits of their social security number" by clicking a link. Again, don't. It's not the IRS.

Dave Bittner: [00:04:41:02] Poking through the wreckage of the Mossack Fonseca breach, people reading the Panama Papers so far seem to be turning up more celebrities than political figures, although Iceland does have a new prime minister, and will have to call early elections. Mossack Fonseca, which isn't getting a lot of media love, points out that the only clear crime here was the hack itself, and that the shell companies it establishes are perfectly legal. They may be right; in any case, they've filed a complaint with Panamanian prosecutors. The leak was, they insist, "definitely an outside job."

Dave Bittner: [00:05:12:21] Various governments are calling for renewed emphasis on transparency in business transactions and privacy of data. Panama has called for the formation of an international panel to address transparency in offshore financial operations, and UK Prime Minister David Cameron characterized his late father's use of the offshore and untaxed accounts as "a private matter." Legalities aside, there's no easy way of avoiding the bad optics here. Edward Snowden, of whom listeners may have heard, has been ladling out a series of sauce-for-the-gander tweets on Mr. Cameron.

Dave Bittner: [00:05:47:10] Mossack Fonseca may well have a point about legality and victim-blaming, but most pundits at least seem to see the affair as exemplifying Michael Kinsley's adage: "the scandal isn't what's illegal; the scandal's what's legal."

Dave Bittner: [00:05:59:15] In industry news, Italian lawful intercept shop Hacking Team has lost its export license. Italian authorities have revoked the company's authorization to sell its intercept tools outside the European Union.

Dave Bittner: [00:06:12:06] The US FBI says the tool it bought to unlock the San Bernardino jihadi's iPhone will work only on the iPhone 5c. It's still widely believed the Bureau retained the services of Cellebrite in the case. Other US Federal law enforcement agencies that are Cellebrite customers include the Drug Enforcement Agency and the Department of Homeland Security's Immigration and Customs Enforcement.

Dave Bittner: [00:06:34:11] The Los Angeles Times has apparently sustained a criminal cyber attack. Shell access to the paper is being offered for sale online. According to a statement issued by the paper, hackers seem to have exploited a vulnerability in the Times' WordPress installation. The paper uses WordPress to manage its subdomain.

Dave Bittner: [00:06:53:22] Personal information belonging to some 55 million voters in the Philippines has been exposed after the entire database of the Philippines' Commission on Elections was leaked online. This is bigger than the US OPM data breach, but only if you restrict your count to just the 20 million people whose security clearance forms were lost, and exclude all the other acquaintances and references those 20 million listed in their forms. If you add in those others, then, well, the US is still probably number one. So, American listeners, you can still feel free to chant "USA! USA!" in the general direction of OPM, should you be so inclined.

Dave Bittner: [00:07:35:04] This CyberWire podcast is made possible by the generous support of ITProTV, the resource to keep your cybersecurity skills up to date with engaging and informative videos. For a free seven day trial, and to save 30%, visit and use the code cyber30.

Dave Bittner: [00:08:00:13] Joining me once again is Joe Carrigan, he's from the Johns Hopkins Information Security Institute, one of our academic and research partners. Joe, you and I both had the privilege of attending the Women in Cybersecurity Conference last week in Texas. I thought it was a great event, what was your take on it?

Joe Carrigan: [00:08:15:21] I also thought it was a great event. There was a lot of energy. I spent most of my time in the exhibit hall trying to recruit new undergrad students into our master's program that we have at the Information Security Institute and I got to meet a lot of great people.

Dave Bittner: [00:08:27:19] You actually had one of your grad students there with you. What was her take on it?

Joe Carrigan: [00:08:32:00] She enjoyed it greatly. She thought it was a great learning experience. She actually got to learn a lot of technical information and be exposed to different ways of learning it. It was a great networking experience for her as well.

Dave Bittner: [00:08:44:24] I really thought there was an amazing energy to that conference. Well attended, about 750 people, and you could really tell walking around that it was just one of those events where everyone seemed to really enjoy being there.

Joe Carrigan: [00:09:00:04] Yes. And you and I were definitely in the minority there.

Dave Bittner: [00:09:03:24] I know, right. Who better to talk about the Women in Cybersecurity Conference than you and I, two men.

Joe Carrigan: [00:09:07:24] Two men.

Dave Bittner: [00:09:10:23] Well I'll take the opportunity to tease the fact that we will be releasing a special edition of our podcast which will have coverage of the Women in Cybersecurity event, so look for that. Joe Carrigan, thank you once again for joining us.

Joe Carrigan: [00:09:22:05] My pleasure.

Dave Bittner: [00:09:25:09] And that's the CyberWire. For links to all of today's stories, visit the and, while you're there, subscribe to our popular daily news brief. Our editor is John Petrik, I'm Dave Bittner. Thank you for listening.