The CyberWire Daily Podcast 11.27.18
Ep 732 | 11.27.18

Rotexy Trojan gets worse. Bad apps in Google Play. Backdoor for crypto-wallets. Facebook goes before Parliament. Pegasus spyware versus journalists. Russian hybrid war. Too-smart devices.


Dave Bittner: [00:00:00] Hi, everybody. It's Dave. And, you know, lots of people like our show. One of the great things is we have a lot of fans. And we are very appreciative of all the reviews that you leave for us over on iTunes. But not everyone is a fan. Here's a recent review. It says, the overview of what's going on in the cyber world is great, but the delivery is so freaking boring. Jeez, it almost feels intentional that they're trying to be as boring as possible. Please just speak normally - please and thank you. And there's another one-star review that just says, poorly researched.

Dave Bittner: [00:00:32] So these are the first things that people are seeing right now when they go on over to iTunes to check out our show. It would be great if we had some positive reviews from (laughter) some of you who listen to and appreciate the show and enjoy it. So do me a favor. Head on over to iTunes. And if you could find the time to leave us some positive reviews over there, well, it would be much appreciated. It would go a long way towards getting us some new listeners. So thanks. Here's the show.

Dave Bittner: [00:01:00] The Rotexy Trojan evolves into phishing and ransomware. Bad apps are found in Google Play. An open-source library used in cryptocurrency wallets had a wide-open backdoor. Facebook goes before Parliament, which seems in a pretty feisty mood. Pegasus spyware is found to have been deployed against journalists in Mexico and elsewhere. Russia escalates its hybrid war against Ukraine. Do people care if their smart speakers eavesdrop? What about their smart lightbulbs?

Dave Bittner: [00:01:36] And now a word from our sponsor ObserveIT. (Singing) It's the most wonderful time of the year. Well, sort of. We're talking about budgeting season. Most cybersecurity professionals agree that they need more budget. Unfortunately, many organizations wait until a costly incident occurs to provide the budget their security teams need. A case in point, insider threats cost organizations on average $8.76 million per year, according to a Ponemon Institute survey. But 34 percent of cybersecurity professionals named lack of budget as a major barrier to establishing an effective insider-threat management program. So how do you ask for the budget you need to proactively detect and stop insider threats? The latest guide from ObserveIT gives an in-depth look at insider threat budgeting, including determining top cost centers, evaluating your organization's risk and especially making the case to management for a dedicated insider-threat management line item. Visit and check out ObserveIT's "Guide to Budgeting for Insider Threat Management" today. That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:03:03] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 27, 2018. Researchers at Kaspersky Lab have been following the evolution of the Rotexy mobile malware. It emerged as an SMS spyware Trojan in 2014, but it's now boasting additional features in a wave of recent attacks, some 70,000 between August and October. Most of Rotexy's targets are located in Russia.

Dave Bittner: [00:03:38] The malware has retained what Kaspersky calls its staple and unique feature, a three-headed command-and-control combination that includes conventional servers, SMS messaging and the Google Cloud Messaging platform. The current version spreads by SMiShing. And as soon as it launches, it requests admin rights on the victim device. It checks to ensure that the device is located in Russia, looks for signs that it's running in an emulator and then moves on from there.

Dave Bittner: [00:04:07] Rotexy has retained its familiar spyware functionality but added a ransomware capability and a phishing page that goes after pay card details. And it's not naive, either. Rotexy checks to ensure that the pay card details the victim enters are genuine. Kaspersky says there are some mitigations available, but they caution that they may not work for long. Rotexy's operators have shown a disposition and ability to adapt.

Dave Bittner: [00:04:36] Several malicious apps have been found in Google Play. Eight of them, according to researchers at Idaho-based security firm Kochava, are ad fraud fronts, which Kochava suggests are associated with two Chinese firms that also operate in the U.S., Cheetah Mobile and Kika Tech. And Trend Micro is also reporting ad fraud apps posing as Android voice apps. They suggest that this foreshadows the formation of a significant botnet. Some, but not all, of the malicious apps have been taken down.

Dave Bittner: [00:05:09] Some unknown hoods succeeded in surreptitiously insinuating a backdoor into the widely used EventStream JavaScript library. Warned by a researcher on GitHub last week, project manager NPM issued a warning yesterday. It appears that the backdoor was designed to steal from Bitcoin wallets prepared by the vendor Copay. Copay says the infected code was deployed in versions 5.0.2 through 5.1.0. Users should assume their keys were compromised, and they should move their funds to new wallets upgraded to version 5.2.0.

Dave Bittner: [00:05:48] Facebook is in front of a parliamentary inquiry in the U.K. today. An interesting feature of this particular inquest is MP Damian Collins' threat to release internal Facebook emails obtained through what are being called unprecedented parliamentary powers. Those unprecedented powers involved, according to The Telegraph, the House of Commons' sergeant-at-arms intercepting a traveling executive from a company that's been involved in litigation with Facebook.

Dave Bittner: [00:06:15] Ted Kramer, who founded U.S. app maker Six4Three, was given two hours to hand over the emails. When he refused, he was frog-marched to Parliament and threatened with fines and imprisonment, which brought him around to Westminster's way of thinking. So Commons now has the emails and says they can dox Facebook if they please as a matter of parliamentary privilege. Six4Three sued Facebook when the House of Zuckerberg changed its privacy policies in ways that drove Six4Three to shut down one of its apps, Pikinis. Until Facebook fessed up to what was going on and decided it was all in poor taste and probably going to wind up in litigation somehow, users could employ Pikinis to search for pictures of their Facebook friends who were wearing bikinis.

Dave Bittner: [00:07:07] A European Commission, joined by Britain, France and Belgium, is also interested in talking to Facebook about privacy, and they've warned Mr. Collins not to release the emails, which are under seal by the state of California. Mr. Collins says that's for the Commons to decide.

Dave Bittner: [00:07:24] Both Facebook and Google have come in for criticism recently in Europe - the former for alleged data abuse and fake news, the latter mostly for alleged monopolistic practices. Paradoxically, GDPR has seemed to work in the two companies' favor, as the EU Data Protection regime may have suppressed upstart competitors.

Dave Bittner: [00:07:47] Organizations in the federal space have their own unique set of cybersecurity challenges, and many of them have come to rely on open-source solutions to meet their needs. Shaun Bierweiler is vice president of U.S. public sector at Hortonworks, and he joins us to provide some perspective.

Shaun Bierweiler: [00:08:05] They are probably one of the leading vectors of having data being populated every day, from sensors and their missions, and just being able to store that and access it. One of the biggest challenges that they have is they have very antiquated legacy systems that were developed for very specific missions and very specific use cases at a time when data was much more predictable. You knew exactly what a cell was going to contain, and it would always contain that specific structure. And so an anomaly was easy to detect.

Shaun Bierweiler: [00:08:41] Fast-forward to today, where you've got significantly different producers of data and varying formats coming at rapid paces, and the expectations for that information are growing exponentially as well. So not only do you have much more complicated information, data coming from different directions, but users have much greater expectations both from a use case as well as a response, right? They expect real-time information from that data.

Dave Bittner: [00:09:11] And so you're advocating that open-source solutions help break down some of those silos. Take us through what leads you to that conclusion.

Shaun Bierweiler: [00:09:20] When you look at the innovation of technology, open source has been a prevailing enabler of that. The approach, the culture, the ways that you have various groups coming together to help continue to advance technology is undeniable. Those cultural enablers are not limited to specific technologies. They can also be applied to the cyber landscape when you think about threat detections and various anomalies that are being detected. And so that open approach of promoting sharing, collaboration, interoperability is one of the reasons why you see the greatest technical advancements happening in that open, collaborative environment.

Dave Bittner: [00:10:07] And so what are your recommendations for those who are in the federal space, in the public space in terms of approaching this? What's the best way that they can get started if they want to integrate some of these open-source tools?

Shaun Bierweiler: [00:10:19] Well, I think the No. 1 step is first taking a step back and identifying what your requirements are and acknowledging that a holistic data approach is necessary. You know, all too often, we have these very quick Band-Aids that we put on solutions that may solve a specific problem but effectively create more problems tomorrow.

Shaun Bierweiler: [00:10:43] Second is, you know, look for the right partners that are able to harness the power of the open-source community and package it in an enterprise consumable fashion. We don't do everything, but we have a very vast and broad community, and we're able to bring the strength of numbers to customers and partners alike to be able to address potential concerns, potential requirements. You know, one of the great things about the community is that if a capability or a feature doesn't exist currently, you're able to get that into the road map and develop it and push that innovation forward.

Dave Bittner: [00:11:17] Are there any things that people need to look out for? Are there any downsides to taking this approach that people should be cautious of?

Shaun Bierweiler: [00:11:25] Well, it's important for every customer to understand their specific requirements and the timelines that come with them. I don't think any approach is a silver bullet, one-size-fits-all for anybody. But I certainly think, generally speaking, that an open architecture and an open, collaborative approach to addressing those requirements has limited downside in any application.

Shaun Bierweiler: [00:11:49] I think it's important for customers to truly understand what it is they're trying to accomplish, their specific constraints and their priorities and requirements, and then to find the right partners to address them.

Dave Bittner: [00:12:02] That's Shaun Bierweiler from Hortonworks.

Dave Bittner: [00:12:06] Citizen Lab reports that associates of slain Mexican journalist Javier Valdez Cardenas received texts carrying NSO Group-manufactured Pegasus spyware. Cardenas was murdered in 2017, apparently by the drug cartels he investigated. Citizen Lab notes that Mexico's government has been a customer of NSO Group.

Dave Bittner: [00:12:30] Russia's guttering war against Ukraine erupted in naval attacks against Ukrainian ships in the Sea of Azov. Ukraine says Russia's intent is to consolidate its control of Crimea and ultimately establish sovereignty over the Black Sea as a whole. Ukraine has declared martial law. Expect an escalation in the cyber operations that have marked this hybrid conflict.

Dave Bittner: [00:12:54] And finally, privacy - bleh. How many people are really as interested in it as one might think they ought to be? If Motherboard is right, if you've got a smart speaker, you're not particularly interested in keeping things to yourself. They reference a University of Michigan study that talked to 17 people, all of whom said, in effect, well, Amazon and those guys already know a lot about you. So what does it matter if Alexa or Samsung hears a few conversations? The researchers find this disturbing enough to call it privacy nihilism. But we do note that 17 seems like a pretty small sample size. Maybe they tried to talk to a couple hundred who didn't want to answer a survey because they maybe felt it would compromise their privacy. And not only may your smart speaker be spying on you, but that smart lightbulb could have its metaphorical eye on your data as well. In a demonstration by researchers at Checkmarx, they figured out a complicated method of using light from Bluetooth-connected bulbs to transmit data. You need a smartphone, a telescope and an uninterrupted line of sight through a window. But it could happen.

Dave Bittner: [00:14:10] And now a word from our sponsor Edgewise - if you've been following cybersecurity news in the past year, you've probably heard the phrase zero trust security - more than once. The TLDR of zero trust is to never trust and always verify every connection in your environment. That all may sound well and good. But the next questions are how, why and where to begin. If you're in search of a guide to help you get from zero to zero trust, Edgewise Networks has you covered. They recently published "Zero Trust Security for Dummies" to help organizations like yours understand what zero trust security is and how it can prevent breaches in your cloud or data center. "Zero Trust Security for Dummies" has the answers to all your zero trust questions. And the book is available for free. You can download it at That's And we thank Edgewise for sponsoring our show.

Dave Bittner: [00:15:20] And joining me once again is Johannes Ullrich. He's the dean of research for the SANS Institute. He's also the host of the ISC "StormCast" podcast. Johannes, welcome back. Interesting topic you wanted to share today - we want to talk about DNS over HTTPS and what that does to network visibility. What do you have to share today?

Johannes Ullrich: [00:15:38] Yeah, so this is a relatively new development where browsers, foremost Firefox, are adding the capability to send DNS requests over HTTPS. Up to now, DNS has really been sort of the one protocol that didn't really consider privacy. All your DNS queries are sent in the clear. And, of course, to visit any website, to do anything on the Internet, you need DNS. And you're leaving a footprint here.

Johannes Ullrich: [00:16:07] Of course, from a defensive point of view, that has also been really useful because with DNS you're able to check, for example, if people are connecting to known malware sites or, in general, if a software on your system is doing things it's not supposed to do - particularly, of course, with everybody now using HTTPS and encrypting their web traffic. So this has been really big in the sense that it really sort of blinds network defenders. And it can actually be enabled by a user just by changing a browser configuration.

Dave Bittner: [00:16:47] Now, is this - all browsers are capable of this or just particular ones so far?

Johannes Ullrich: [00:16:52] Right now, it's really Firefox that has enabled this feature and makes it really easy to turn it on. Other browsers haven't really done it yet. But they have announced they may do it fairly soon. So you'll see it show up in browsers like Chrome, for example, which is a major browser, and it has a large market share. Also on mobile devices, CloudFlare, which is somewhat pushing the standard, has come up with a little app for iOS and Android. It allows you to very easily enable this feature on these devices.

Dave Bittner: [00:17:30] And so what's the upside here?

Johannes Ullrich: [00:17:33] The upside is privacy. So if you are traveling, if you're connected to a network that you don't necessarily trust, you're hiding this DNS traffic from this network. Now, there is an alternative. And that's DNS over TLS. DNS over TLS also provides privacy, but it's easily blocked by a network. So let's say you're connecting to a foreign network or from a foreign network that you don't trust. They could just block DNS over TLS. Blocking DNS over HTTPS is much more difficult because it just looks like any other HTTPS query. So it uses port 443 and really gets mixed in with all the other HTTPS traffic, which makes it very difficult to distinguish it and block it.

Dave Bittner: [00:18:22] So if I'm an administrator at an organization, what should my attitude towards this be?

Johannes Ullrich: [00:18:28] Well, you should be certainly careful about it because, like I said, you lose visibility. Your option is to either tell your users not to enable it or really to control your endpoints much more closely, which, of course, with bring your own device and as such, tends to be quite difficult. Like most of the time we are using network security tools - like monitoring DNS logs, like intruder detection systems - in order to make up for some of the lack of control you have on the endpoint.

Dave Bittner: [00:19:00] Well, it's interesting as always. Johannes Ullrich, thanks for joining us.

Johannes Ullrich: [00:19:03] Thank you.

Dave Bittner: [00:19:08] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:19:27] And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:19:36] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.