The CyberWire Daily Podcast 4.12.16
Ep 76 | 4.12.16

State hacking, state messaging. Crimeware evolution.


Dave Bittner: [00:00:03:05] The expected other shoes have yet to drop in the Panama Papers case, but investigations widen.

Dave Bittner: [00:00:08:22] The means by which Mossack Fonseca was hacked remain unknown, but there's some informed speculation out there.

Dave Bittner: [00:00:14:15] BAE warns of polymorphic Qbot malware, and Cisco's Talos researchers grimly predict the rise of "cryptoworms".

Dave Bittner: [00:00:21:21] We hear about the risks of physical loss, inattentive off-boarding, and legacy systems.

Dave Bittner: [00:00:26:19] And finally, remember Clippy? "It looks like you're listening to a podcast."

Dave Bittner: [00:00:33:23] This CyberWire podcast is brought to you by SINET ITSEF, the IT Security Entrepreneurs Forum, meeting in Mountain View, California, April 19th-20th, 2016. Bridging the gap between Silicon Valley and the Beltway, by bringing together the innovators, entrepreneurs, investors and policymakers who are shaping the next generation of security solutions. Learn more at:

Dave Bittner: [00:01:03:20] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, April 12th, 2016.

Dave Bittner: [00:01:09:23] No major new developments in the Mossack Fonseca Panama Papers journalistic investigation, but reporters continue to hope for more names named and more information about how the leak was accomplished.

Dave Bittner: [00:01:20:19] British Prime Minister David Cameron strikes back in Parliament at what he characterized as the "deeply hurtful" inferences Fleet Street and Her Majesty's Loyal Opposition are drawing from the leaks, and Peru has joined El Salvador by raiding local Mossack Fonseca offices.

Dave Bittner: [00:01:36:22] And Russia Today teases with quotations from Süddeutsche Zeitung's discussion of the possibility that "secret agents" from the CIA and elsewhere used Mossack Fonseca's services to conceal their activity.

Dave Bittner: [00:01:49:17] Guy Guzner is from FireGlass, and he helps us organize some of the speculation surrounding the Panama Papers hack.

Guy Guzner: [00:01:56:04] People started to look at what could be the possible attack vectors here, and started to look at the public-facing sites of the company, and some of their interfaces, and found some interesting things that may be related, or not related, to the breach itself but may tell something about their stance on cyber security. For example, it was found that their public-facing website was using outdated versions of both WordPress and Drupal content management systems. In fact, it was found that the Drupal system wasn't updated for three years, and we know that there have been a number of different vulnerabilities that have been passed in that system. Obviously, therefore, they don't keep their system up-to-date and secure, which may apply to other places in their organization as well.

Dave Bittner: [00:02:58:18] That's Guy Guzner from FireGlass. Their website is:

Dave Bittner: [00:03:04:10] BAE warns that a new, polymorphic version of Qbot malware is circulating in the wild. Qbot shows an awareness of its surroundings that's enabling it to be unusually evasive and difficult to interdict, as polymorphic malware tends to be.

Dave Bittner: [00:03:18:06] Heimdal reports that Atmos, an evolution of the venerable Zeus malware, by way of Citadel, is actively targeting banks in France. Atmos is also being delivered in conjunction with Teslacrypt, which suggests that criminals are, as expected, combining attacks for their mutual misdirection.

Dave Bittner: [00:03:34:24] Ransomware itself continues to evolve in disturbing directions. Cisco's Talos Labs warns that "cryptoworms" appear to represent this class of malware's future. As the name suggests, cryptoworms are self-spreading, and require little or no user interaction to infect systems.

Dave Bittner: [00:03:51:20] In industry news, the first cyber IPO, indeed the first major tech IPO of the year, that of Dell's SecureWorks, has received its initial valuation. It appears likely to be $1.42 billion.

Dave Bittner: [00:04:05:16] Inadvertence and physical transfer continue to threaten data security. The US Federal Deposit Insurance Corporation (FDIC) sustained an "inadvertent breach" in February that affected the records of some 44,000 customers. In this case it wasn't hacking, but rather unfortunate off-boarding. A departing employee had inadvertently downloaded files into a personal storage device, then left with both device and data. Both were returned without evident theft or compromise. But there's a clear lesson: pay attention to your off-boarding procedures.

Dave Bittner: [00:04:37:15] Another lesson is to limit the use of portable storage devices, a step the FDIC says is in its plans. Such plans would figure into the general IT modernization initiatives the US Administration proposed in its Cybersecurity National Action Plan. US CIO Tony Snow sees such modernization as important to security.

Dave Bittner: [00:04:57:20] "A typical CIO in a typical agency spends a high percentage of his budget just keeping his systems running," Snow said at a Passcode event in Baltimore this morning. Trying to keep legacy systems running involves a struggle against diminishing skill sets, the difficulty of getting parts, and so on. But agencies have a hard time replacing systems. As new requirements emerge and laws are passed, "we wind up piling more dirt on top of old, immovable objects," as Snow put it.

Dave Bittner: [00:05:26:00] Finally, while we're thinking about legacy code, and as we've been watching the recent travails of artificial intelligence - security travails, workplace travails, chatbot travails - Duo Security urges us to remember Clippy.

Dave Bittner: [00:05:39:01] Clippy was that small, bug-eyed paperclip Microsoft used to use as an intelligent user interface to offer you help as you did things in Office. "Looks like you're writing a letter," Clippy would observe from a corner of your screen, full of hope that you'd ask for its anthropomorphic help. Alas, few did ask, in part because too many people felt that Clippy was "leering at them" in an unwelcome, male-gazey kind of way. And also because he got to be kind of a pest, leering or not, well.

Dave Bittner: [00:06:06:13] Duo says it turns out Clippy was legacy code that also amounted to one big built-in backdoor. How big? Big enough to drive a truck full of malicious macros right into the old Vista operating system, the OS between Windows XP and Windows 7. That's how big. So those AIs, they come from good families, but sometimes they develop ways about them that just aren't right.

Dave Bittner: [00:06:29:11] Are we right, Tay? "Looks like you're using legacy code." No, you don't need Clippy's help.

Dave Bittner: [00:06:40:19] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning co-working space, incubator, and campus for technology and entrepreneurship, located in the Federal Hill neighborhood of Downtown Baltimore. Learn more at:

Dave Bittner: [00:07:05:19] Joining me is Markus Rauschecker. He's the Cybersecurity Program Manager at the University of Maryland's Center for Health and Homeland Security, one of our Academic and Research Partners. Markus saw a story recently that, once again, the Justice Department wants Apple to help unlock an iPhone. This is not the iPhone in the San Bernardino jihadist's case, this is one in New York.

Markus Rauschecker: [00:07:27:00] Yes. So this issue between law enforcement and Apple continues. As you may recall, the iPhone in the San Bernardino case was apparently cracked by the FBI through the help of a third party. The third party was able to offer a solution that helped the FBI gain access to that encrypted phone. But it looks like that solution is only applicable to the iPhone 5C model, which was the model in the San Bernardino case. Which means that, for other cases that involve different models of iPhones, the FBI will again need Apple's technical assistance to try to gain access to encrypted information on those phones.

Dave Bittner: [00:08:08:03] So this is a case in New York, and this is a case that's on appeal. Is that correct?

Markus Rauschecker: [00:08:12:06] Yes, so this was also a pretty high profile case. It involved a drug dealer who was using an iPhone. This drug dealer has actually pled guilty, but the FBI would still like to gain access to this person's phone which is encrypted. The phone does run an older version of the operating system. So the assistance that Apple would have to provide wouldn't be as extensive as it would have had to provide in the San Bernardino case. Apple would not have to build any new software, it would have a much easier time to help the FBI gain access to the phone.

Markus Rauschecker: [00:08:45:24] This case in New York also revolves around this legal issue of the All Writs Act. Again, the FBI is relying on the All Writs Act to try to compel Apple to help them access the phone. In the initial decision by the judge in this New York case, the judge actually ruled in favor of Apple, and said that the FBI could not rely on the All Writs Act to compel Apple to break into the phone.

Markus Rauschecker: [00:09:09:15] Now the Department of Justice has appealed this case, and then Apple will file papers in opposition to them by April 15th, in a couple of days. We'll have to see how this progresses, but certainly this issue of law enforcement trying to compel a person or private entity to assist it pursuant to a court order, that issue is still open and we still need to get a final decision on that.

Dave Bittner: [00:09:38:02] Markus Rauschecker, thank you for joining us.

Dave Bittner: [00:09:42:15] And that's the CyberWire. For links to all of today's stories, visit the, and while you're there subscribe to our popular daily news brief. Our editor is John Petrik. I'm Dave Bittner. Thank you for listening.