The CyberWire Daily Podcast 4.13.16
Ep 77 | 4.13.16

Dogs still not barking in Panama. (But ransomware bites.)


Dave Bittner: [00:00:03:08] More speculation on what happened at Mossack Fonseca, much of it turning on social engineering and buggy software.

Dave Bittner: [00:00:09:19] Victims may be prematurely paying ransomware extortion demands.

Dave Bittner: [00:00:13:16] Patch Tuesday addresses the much-feared Badlock bug, which turns out to be bad enough, but not exactly devastating.

Dave Bittner: [00:00:20:09] Researchers take a look at the current state of the cyber criminal black market.

Dave Bittner: [00:00:23:19] And the FBI may have hired a small crew of white and gray hats, to crack the San Bernardino iPhone.

Dave Bittner: [00:00:33:09] This CyberWire podcast is brought to you by SINET, (ITSEF) The IT Security Entrepreneurs Forum, meeting in Mountain View, California. April 19th-20th, 2016. Bridging the gap between Silicon Valley and the Beltway, by bringing together the innovators, entrepreneurs, investors and policy-makers, who are shaping the next generation of security solutions. Learn more at:

Dave Bittner: [00:01:01:15] I'm Dave Bittner in Baltimore, with your CyberWire summary for Wednesday, April 13th, 2016.

Dave Bittner: [00:01:08:15] The Panama Papers' unnamed but widely looked for dogs-in-the-night still haven't barked. But speculation about how the leak happened continues, with social engineering of email server credentials, "buggy" WordPress plug-ins, and an outdated Drupal instance heading the list.

Dave Bittner: [00:01:25:14] Ransomware attacks are still popular, proving easy to execute, and many corporate victims are ponying up the ransom than fighting through to get their assets. But not everyone caves in. After all, MedStar seems to have recovered without paying its extortionists. White hat researchers continue to release decryption tools as they develop them.

Dave Bittner: [00:01:45:01] It's good to remember, in this context, that criminal coders aren't perfect, and they don't have to be. They only have to succeed a fraction of the time for their crimes to pay. In some respects, ransomware recovery tools tilt the familiar attackers' advantage toward the good guys. If the criminals' encryption has a flaw, crypto flaws can be exploited for good as well as evil.

Dave Bittner: [00:02:06:01] A large malvertising campaign has hit nearly 300 popular sites in the Netherlands. Fox-IT saw the attack developing in its early stages Sunday, and the campaign has now affected some of the country's largest media sites. Recovery is underway.

Dave Bittner: [00:02:20:20] Distributed-denial-of-service attacks also retain their popularity. Many of these are conducted by hacktivists for political reasons, as we've seen this week in the Baltic. The United States, by the way, has just eclipsed Turkey atop the DDoS leaderboard, according to the score Nexus guard is keeping. But they also affect businesses, which see service disruption as one of the principal risks they face, and the insurers who cover those businesses tend to agree.

Dave Bittner: [00:02:46:16] Marc Gaffan, Imperva's vice president and general manager for the company's Incapsular product line, commented on this threat: "DDoS tools are inexpensive and widely available, and can cause great damage to organizations," he said. "Once a new technology is widely adopted, legal or not, it becomes a fact of life much the way online piracy and identity theft continue to thrive. The growth of market stressors is here to stay."

Dave Bittner: [00:03:12:16] Observers of the black market continue to see an increasing professionalization of cyber criminals, who are finding ways of offering their services for hire. The individual hoods seem not to be getting rich doing this. Their secret would appear to be volume, to judge from the price lists that have emerged from the dark web this week. But the bosses are making money, and that's a familiar freakonomic lesson about criminal markets generally considered.

Dave Bittner: [00:03:36:20] Hewlett Packard Enterprise researchers have an interesting insight into the black market. Credit card theft is serving as a kind of angel investment for Eastern European, especially Russian, cyber gangs. There's an extensive criminal supply chain of reseller fraud, in which items are purchased with stolen credentials, dropped, then re-sold and re-shipped to places where Western, especially American companies won't do business, precisely because of the high rates of credit card fraud.

Dave Bittner: [00:04:04:18] Yesterday, of course, was Patch Tuesday, and Microsoft released a baker's dozen of fixes - what Threatpost calls a "lucky thirteen." Among the updates is a patch for the much-feared - some complain much-hyped - Badlock vulnerability, which turns out to be less catastrophic than its logo may have suggested. Samba also addressed Badlock.

Dave Bittner: [00:04:25:05] So what is Badlock, beyond the much-hyped, screaming red logo that branded the mysterious bug about a month ago? Essentially it's a serious flaw in the Distributed Computing Environment/Remote Procedure Call (DCE/RPC). It affects both Windows and Linux machines - indeed, any platform using DCE/RPC is vulnerable. Most worrisomely the bug could permit an attacker to gain access to Active Directory.

Dave Bittner: [00:04:50:10] Craig Young, a researcher with Tripwire, offered this perspective. “If Badlock is successfully exploited, the attacker would be able to impersonate other users and subsequently retrieve password hashes, shutdown services, expose secrets from the Active Directory, manipulate file attributes and gain access to protected files."

Dave Bittner: [00:05:10:14] As most observers have noted, the vulnerability is likely to require either a malicious insider or a successful man-in-the-middle attack for exploitation. "While this may not be as severe as a remote code execution vulnerability," Young said, "the fact that an attacker on the local network can likely exploit it through well-known techniques such as ARP spoofing makes it a critical vulnerability."

Dave Bittner: [00:05:33:09] So admins, look to your defenses against man-in-the-middle attacks and, by all means, patch.

Dave Bittner: [00:05:39:01] Cyber security stocks are showing mixed results so far this week, with analysts divided over their prospects. There is one bit of M&A news: Optiv Security, itself formed from the merger of Accuvant and FishNet Security, has picked up identity and access management shop Advancive. What Optiv paid has not yet been disclosed, but the company says the acquisition aligns with their long-term strategy to position themselves as a leader in identity and access management.

Dave Bittner: [00:06:08:04] According to the Washington Post, the FBI didn't use Cellebrite to unlock the San Bernardino Jihadi's iPhone after all. The Post says they hired a small, mixed crew of white hat and gray hat hackers to do the job, and some people find the participation of gray hats disconcerting. For definitions of "white hat" and "gray hat," see the CyberWire's helpful definitions at our online glossary, the It's all there.

Dave Bittner: [00:06:34:08] Finally, we're struck by how many in the industry press seem disappointed that Badlock turned out to be less devastating than they'd feared. But we say, hey, settle down gang. There's plenty of gruesomeness out there to satisfy the most Hitchcockian digital ghoul. So be happy that bright red logo didn't, after all, turn out to be the destructor you all feared, or hoped for. In any case, do patch, and stay safe out there.

Dave Bittner: [00:07:05:12] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning co-working space, incubator and campus for technology and entrepreneurship, located in the Federal Hill neighborhood of downtown Baltimore. Learn more at

Dave Bittner: [00:07:28:06] Joe Carrigan joins me once again. He's from the Johns Hopkins University Information Security Institute, one of our academic and research partners. Joe, you had to help your Mom out a little bit with some computer problems recently yes?

Joe Carrigan: [00:07:40:23] That's right. I got a call from her last week where she said there was a message on her computer, and I didn't understand what that meant. And then she held the phone down and her computer was actually playing a sound file that said, "Your computer is infected, you need to call this number to have the infection removed." This is some kind of malware that she's managed to get installed on her machine that needs to be removed, but that actual malware is what's playing this file.

Dave Bittner: [00:08:11:03] So it really points to the fact that it's really easy to inadvertently stumble across one of these malware traps.

Joe Carrigan: [00:08:19:01] Yes, it is. If you go to the wrong site, have a drive-by download, click on an email attachment, or a malicious word file there's all kinds of vectors to get these things into your computer. A vector just means a way that the malware can be installed on your computer.

Joe Carrigan: [00:08:38:11] However, that's not the only fraudulent way that people are being exploited. Just last week there was also a phone message on my answering machine at home, saying that it was from Microsoft. It was an automated voice, and they were saying that all of your Microsoft products will be deactivated if you don't call this number. Now, of course, that's a fraudulent message as well. Microsoft doesn't make a habit of calling people and saying we're going to shut your Microsoft products off.

Dave Bittner: [00:09:05:19] We got one recently that said we were days away from having our electricity shut off for non-payment and if we called this number and paid right away, we wouldn't get it shut off. And, of course, we would pay on time every month and BGE usually doesn't call you with these sorts of things, they send you a letter.

Joe Carrigan: [00:09:23:24] That's right. And if you do get the message, then you should never call the number that they leave for you. You should call the number you can find either in a phone book, or on the company's website and call their billing department.

Dave Bittner: [00:09:36:00] Good advice. Joe Carrigan, thank you for joining us.

Joe Carrigan: [00:09:38:15] My pleasure.

Dave Bittner: [00:09:41:12] And that's the CyberWire. For links to all of today's stories, visit the And, while you're there, subscribe to our popular daily news brief. Our editor is John Petrik. I'm Dave Bittner. Thank you for listening.