The CyberWire Daily Podcast 11.28.18
Ep 733 | 11.28.18

DNSpionage. Cobalt Dickens’ unwelcome return. iOS spyware may be more widespread than believed. Governments move toward content moderation. Small towns, big problems.
Dave Bittner: [0:00:00] Hi, everybody. Yesterday, I put the call out asking you to give us some iTunes reviews. And boy, did you step up. So thank you, everyone, for taking the time, leaving us some great reviews over on iTunes. Much appreciated.

Dave Bittner: [0:00:17] A tool going by the name DNSpionage hits Middle Eastern targets. Iran's Cobalt Dickens returns to pester universities. Lawful intercept vendors receive more scrutiny, and that scrutiny suggests iOS might not have escaped their attention as much as many had assumed. Facebook gets grilled in London. Nine Western countries issue a joint communique resolving to control false and misleading content on the Internet. And a lesson from small towns.

Dave Bittner: [0:00:52] And now a word from our sponsor, ObserveIT. (Singing) It's the most wonderful time of the year. Well, sort of. We're talking about budgeting season. Most cybersecurity professionals agree that they need more budget. Unfortunately, many organizations wait until a costly incident occurs to provide the budget their security teams need. A case in point - insider threats cost organizations, on average, $8.76 million per year, according to a Ponemon Institute survey. But 34 percent of cybersecurity professionals named lack of budget as a major barrier to establishing an effective insider threat management program. So how do you ask for the budget you need to proactively detect and stop insider threats? The latest guide from ObserveIT gives an in-depth look at insider threat budgeting, including determining top cost centres, evaluating your organization's risk and, especially, making the case to management for a dedicated insider threat management line item. Visit and check out ObserveIT's "Guide to Budgeting for Insider Threat Management" today. That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [0:02:20] Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [0:02:24] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 28, 2018.

Dave Bittner: [0:02:32] Cisco's Talos Group is tracking a threat actor running what Talos calls DNSpionage malware against Middle Eastern targets. Lebanon and the United Arab Emirates have attracted the most attention. At least two espionage campaigns are in progress. One phishes victims with bogus job listings that induce the users to open malicious Microsoft Office documents. The other redirects the DNS of legitimate domains. Talos, which regards the unknown threat actor as painstaking and focused, has been unable to draw connections with other known threats. The malware the malicious documents are dropping in these campaigns is, as Talos puts it, an undocumented remote administration tool. It supports DNS tunneling as a command and control channel. The malicious DNS redirection the attackers used affected sites belonging to Lebanon's finance ministry, Middle East Airlines - a Lebanese carrier - and the United Arab Emirates Police and Telecommunications Regulatory Authority.

Dave Bittner: [0:03:35] What the actors behind DNSpionage were after is unclear. But whoever they were, they were persistent and capable and clearly devoted some attention to preliminary reconnaissance. The lesson the researchers at Talos drew for the rest of us is the obvious one, that endpoint and network protection should be as strong as possible. As Talos warns, quote, "this is an advanced actor who obviously has their sights set on some important targets, and they don't appear to be letting up anytime soon," end quote.

Dave Bittner: [0:04:07] Another threat actor, this one known and indeed familiar, is back. The Iranian threat group Cobalt Dickens is actively prospecting targets in universities. Secureworks' Counter Threat Unit says they are after credentials, and that they're using familiar social engineering tactics. The universities Cobalt Dickens is after are found in Malaysia, Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom and, especially, the United States. The threat group, which is linked to the Iranian government and its Revolutionary Guard, figured prominently in the news this past March, when the U.S. Justice Department indicted nine individuals and a contractor, the Mabna Institute, for an earlier Cobalt group campaign against universities.

Dave Bittner: [0:04:53] There's no shortage of online private messaging systems that offer claims of end-to-end, fully encrypted communications, promising their users invulnerability to prying eyes. Law enforcement likes to remind us that these particular capabilities are often attractive to folks who are up to no good. Dutch police recently revealed a campaign to thwart criminals hiding behind encrypted communications. Our U.K. correspondent Carole Theriault has the story.

Carole Theriault: [0:05:20] Rarely do you get a behind-the-scenes explanation as to how cybercops track the bad guys. It makes sense - if the strategy is working, why blow its cover by blabbing about it? So it was rather exciting when Dutch police announced that they had been eavesdropping on a secret messaging service used by cybercriminals. This was a pretty big operation, as you shall see. But what was the most interesting thing was why in the world did the Dutch police come clean about their secret source?

Carole Theriault: [0:05:50] I managed to get a few extra juicy details from my "Smashing Security" podcast co-host Graham Cluley, who had written an article on this very topic for Bitdefender.

Carole Theriault: [0:05:59] Graham, thanks for joining us on CyberWire.

Graham Cluley: [0:06:02] My pleasure. Nice to be here.

Carole Theriault: [0:06:03] Now, can you give us some inside information? What's going on here? Why have the Dutch police announced this if they had tabs on all these suspected criminals?

Graham Cluley: [0:06:13] Well, it's fascinating, isn't it? So what they managed to do is they managed to hack into what should have been a securely encrypted method for the criminals to communicate with each other, something that criminals had been using for months and months and months. And you have to ask, well, why would they now have blown their own whistle, as it were, and revealed that those messages are compromised? And the reason is that the police got wind of the fact that some of the criminals were actually planning to kill one of their fellow criminals, believing...

Carole Theriault: [0:06:43] Whoa, whoa, whoa, whoa. We have murder here?

Graham Cluley: [0:06:46] Well, exactly. They believed that it was one of their fellow criminals who was snitching to the police and revealing the secrets. So the police had to say, actually, we've been looking at all of your communications for some time. It's not one of you who's actually blown the whistle on yourselves.

Carole Theriault: [0:07:03] There's a lot of encrypted messaging services out there, such as Telegram or Signal. Which one were these guys using?

Graham Cluley: [0:07:10] They were using one called IronChat. So IronChat comes as part of a package that you can purchase from a company whose website has now been shut down - they've also been arrested - called BlackBox Security. And what BlackBox Security will do is they will sell you a subscription to their service. If you pay them $1,500, that will give you a six-month subscription. You get an Android phone which has particular apps installed upon it, including this IronChat secure communication application. It's a remarkably ugly app, as well.

Carole Theriault: [0:07:45] (Laughter).

Graham Cluley: [0:07:45] It's got probably the worst and least attractive user interface you could ever have imagined.

Carole Theriault: [0:07:52] But basically, it's a secure phone with a secure messaging service.

Graham Cluley: [0:07:56] Yes, that's right. But it was using BlackBox Security's own server as part of the communication. And one way or another - and we don't know the precise details - the police managed to compromise that system, or take it over, and they were able to see the messages which were being sent. Over a quarter of a million messages between criminals were being monitored practically live by the police.

Carole Theriault: [0:08:17] Well, that must give them a lot of insight into how to arrest these guys.

Graham Cluley: [0:08:23] Well, yes. As a result of their surveillance, law enforcement agencies in the Netherlands have seized automatic weapons. They've seized large quantities of hard drugs - cocaine and MDMA - 90,000 euros in cash. And they dismantled a drugs lab as well.

Carole Theriault: [0:08:38] And they had to blow up this whole surveillance scam because someone was at risk?

Graham Cluley: [0:08:44] Yeah. Well, they've blown their own cover. The website's down, the application won't work anymore. So any criminals who use it now are going to have to switch to something else. Obviously, the police, ideally, wouldn't have wanted that. They would have wanted to watch for as long as possible. But I think they realized it's actually getting dangerous now because criminals were being arrested. People were wondering, in the criminal underground, how are the police gathering this information? As I say, there was a plot to kill one of the criminals because they believed that he may have been talking to the police. And so the police said, actually, no, we know all of this stuff. We've been watching you for a while.

Carole Theriault: [0:09:17] Graham, that's excellent. This was Carole Theriault for the CyberWire.

Dave Bittner: [0:09:20] It's like a mini-episode of "Smashing Security." Kind of nice.

Dave Bittner: [0:09:25] Citizen Lab have recently drawn attention to apparent abuse of NSO Group's Pegasus tool by various governments. Kaspersky has now noticed that another company, government vendor Negg, seems to offer an iOS implant. Negg, which is based in Rome, had been known for its Android intercept tools. It appears also to have done much the same with iOS. This suggests to Kaspersky that iOS spyware may not be as rare as hitherto generally believed.

Dave Bittner: [0:09:55] Facebook's transatlantic grilling proceeds. Company emails Westminster seized from a third party indicate that the social network knew about and investigated Russian data harvesting in 2014, two years before publicly acknowledging Moscow's interest in election meddling. The big sit down in London has provided the occasion for the immodestly titled International Grand Committee inquiring into disinformation to release its declaration on the Principles of Law Governing the Internet. The committee's nine nations want tech companies fully answerable to organs of representative democracy. The way they see it, the deliberate spreading of disinformation and division is a credible threat to the continuation and growth of democracy and a civilizing global dialogue.

Dave Bittner: [0:10:44] Tech firms need to recognize, as Spider-Man's Uncle Ben taught us, that with great power comes great responsibility. We note that Uncle Ben was obviously a student of the great 19th century theorist of international law, Francis Lieber. Social media companies, in particular, quote, "should be held liable if they fail to comply with a judicial statutory or regulatory order to remove harmful and misleading content from their platforms and should be regulated to ensure they comply with this requirement," end quote. The signatories include Argentina, Belgium, Brazil, Canada, France, Ireland, Latvia, Singapore and the United Kingdom.

Dave Bittner: [0:11:23] It's not just international grand committees, industrial titans, world powers, wealthy elites and the like who worry about the internet. No one's too small to escape the ministrations of bad actors. In compact, crowded New Jersey, police and other officials in the small town of Rockaway Township are working to recover from a ransomware attack. It began on November 22, with a partial recovery of some systems this Monday. The police are still offline, and township officials say they're in the dark about the extent of what happened. The late mayor's phone and laptop have gone missing since Mayor Michael Dachisen died on August 15. The township council thinks it possible that someone stole the devices and used them to work their mischief on municipal systems.

Dave Bittner: [0:12:11] Meanwhile, up in sprawling, thinly-populated Alaska, the Matanuska-Susitna Borough Assembly voted to appropriate a million dollars to pay for recovery from a ransomware attack the local government sustained in mid-July. They declined to pay the ransom and bit the financial bullet to upgrade their security and resilience. The newly appropriated $1 million comes on top of $2.1 million the borough has already spent on recovery and remediation. The neighboring city of Valdez, nearby by Alaskan standards, was also hit. But Valdez took a gamble and paid the ransom, so they got off with just $27,000. As painful as it is, conventional wisdom says that Mat-Su, as the borough is locally known, probably made the wiser call.

Dave Bittner: [0:13:06] And now a word from our sponsor, Edgewise. If you've been following cybersecurity news in the past year, you've probably heard the phrase zero-trust security more than once. The TL;DR of zero trust is to never trust and always verify every connection in your environment. That all may sound well and good, but the next questions are, how, why and where to begin. If you're in search of a guide to help you get from zero to zero trust, Edgewise Networks has you covered. They recently published "Zero Trust Security for Dummies" to help organizations like yours understand what zero trust security is and how it can prevent breaches in your cloud or data center. "Zero Trust Security for Dummies" has the answers to all your zero-trust questions. And the book is available for free. You can download it at That's And we thank Edgewise for sponsoring our show.

Dave Bittner: [0:14:17] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back. We had an article come by from Forbes - this was penned by Thomas Brewster - and it's all about Google's Nest unit and how they've handed over data to the government a few hundred times.

Ben Yelin: [0:14:38] Yeah, I mean, I think that number is rather eye-popping. Most of the data was handed over either voluntarily or via subpoena. So in the vast majority of cases, the government didn't really establish probable cause to search these devices. And, you know, if the government has reasonable suspicion, they can get a subpoena to collect that information. What fascinates me about Nest's devices and, really, all smart home devices is it sort of presents a clash in Fourth Amendment principles.

Ben Yelin: [0:15:09] So we always think about the Fourth Amendment, first and foremost, protecting the home. It's somebody's fortress of personal privacy. We don't want the police coming into our house without a warrant. I think everyone would agree with that. But then we have this competing doctrine, really, this exception to the Fourth Amendment, called the Third-Party Doctrine, where, when we voluntarily submit information to a business, like Google, we lose our reasonable expectation of privacy in that information. And we're voluntarily giving private information to our smart homes all the time.

Ben Yelin: [0:15:45] Eventually, all federal courts and the Supreme Court are going to have to struggle with which Fourth Amendment doctrine is stronger here. Is it the doctrine about being protected in the fortress of your home? Because this is a smart home device. It's only recording things that happen in this very, very private place. Or do they take a third-party approach, which is about, even if this device is in your home, you are constantly feeding it information, voluntarily, and that information is fair game for the government to collect.

Ben Yelin: [0:16:17] You know, I think we can possibly find some guidance in the Carpenter decision, which you and I have talked about a lot. Even though that was about cell site location information, the reason Chief Justice Roberts said that the government would need a warrant to collect the information is because collection of cell site location information was so ubiquitous and was so deep and so broad, it sort of fell out of that third-party doctrine exception. And I think you can make an argument that smart home devices are even deeper and broader, especially when we know that it's recording at least snippets of, you know, our intimate conversations that we're having around the household.

Dave Bittner: [0:16:54] You know, there are a couple other interesting tidbits from this article. One of them was that Google said that they turned over less than 20 percent of the requests from the government. So it's not as though they just hand it over when the government asks.

Ben Yelin: [0:17:09] Yeah. I mean, you know, Google and, basically, all our internet service providers, technology companies, want to prove to their customers that they're doing their best to protect their personal information. And Google seems to be doing that here. They said they're analyzing every single request, even if it's done pursuant to a warrant, to make sure that the request is not overbroad, that it's appropriate, that Google is not releasing more personal information than it has to. And I think that's important. The customer itself is not going to be privy to this interaction between Google and the government. So we're entrusting Google or whoever owns our smart device with our personal information, and we're largely relying on them to fight on our behalf.

Dave Bittner: [0:17:53] Yeah, they also said that they had never received a national security letter, which is interesting because, as we've talked about, when you get a national security letter, you're not allowed to say that you get a national security letter (laughter), so it's kind of a canary - yeah.

Ben Yelin: [0:18:07] Yeah, it's the "Fight Club" of electronic searches.

Dave Bittner: [0:18:10] Right. Right.

Ben Yelin: [0:18:11] You are not allowed to talk about national security letters. It's funny. And this article mentioned that they've never received one of those. They've stated that affirmatively. But they wouldn't be able to state if they did receive one because of that gag order, which has been upheld as constitutional. So if we see this report next year, this annual report, and it doesn't mention national security letters, I think we can deduce that...

Dave Bittner: [0:18:33] (Laughter) Right.

Ben Yelin: [0:18:33] ...Google has gotten a request for a national security letter. What that means to me is the government might have evidence on everyday, ordinary crimes gleaned from smart home devices, but at least, as it applies to Google, they haven't yet had a case where they're looking specifically for national security information from one of these devices. So, you know, that's going to happen eventually. There's going to be a reasonable suspicion that somebody's involved in international terrorism, and you know, they ask their smart home device where the nearest Home Depot is and whether they have explosives.
Ben Yelin: [0:19:09] What's your nearest home goods store?

Dave Bittner: [0:19:09] Right. Yeah. Go to the explosives aisle at Home Depot, right? (Laughter).

Ben Yelin: [0:19:14] Yeah, exactly. You know, so I think it's inevitable. It is interesting that it's not happened to this point, but I think the technology is still relatively new. So you know, I think that's something we'll see in the next couple of years.

Dave Bittner: [0:19:27] All right. Well, Ben Yelin, thanks for joining us.

Ben Yelin: [0:19:30] Thank you.

Dave Bittner: [0:19:35] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. Find out how Cylance can help protect you using artificial intelligence. Visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [0:19:55] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [0:20:03] The CyberWire podcast is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.