The CyberWire Daily Podcast 2.25.19
Ep 787 | 2.25.19

Another warning of DNS hijacking. B0r0nt0k ransomware is out and about, and in too many servers. Whitelisting a controversial CA. Blockchain security. Bots get on the consular calendar.


Dave Bittner: [00:00:03] ICANN warns of DNS hijacking and urges DNSSEC adoption. Security firms see Iran as a particularly active DNS hijacker. A B0r0nt0k ransomware outbreak infests Linux servers, but Windows users might be at risk as well. A request for white-listing in the Firefox certificate store arouses controversy. Technology Review raises questions about blockchain security. Bots keep people from getting consular appointments, and people don't like that - and telling Minotaurs from unicorns.

Dave Bittner: [00:00:42] Now I'd like to share some words about our sponsor Akamai. You're familiar with cloud security, but what about security at the edge? Akamai's edge security defends your business, your customers and your users from threats by deploying defense measures closer to the point of attack and as far away from your people, applications or infrastructure as possible. Security at the edge is dynamic and adaptive. With the world's only intelligent edge platform, you can surround and protect your users wherever they are - at the core, in the cloud or on the edge and everywhere in between. If you're going to RSA this year, visit Akamai in the North Hall, booth 6153, to take part in their crack the code challenge for an opportunity to win a new 3D printer. Akamai - intelligent security starts at the edge. Learn more at Akamai - that's That's And we thank Akamai for sponsoring our show. The CyberWire podcast is made possible in part by RSA Conference, taking place March 4 through the 8 at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference, where the world talks security. Learn more and register today at

Dave Bittner: [00:02:09] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 25, 2019.

Dave Bittner: [00:02:18] The Internet Corporation for Assigned Names and Numbers - that's ICANN - warned Friday that the Domain Name System, DNS, is dangerously vulnerable and urges swift and widespread adoption of DNSSEC, Domain Name System Security Extensions. ICANN explains DNS hijacking is an attack in which unauthorized changes to the delegation structure of domain names are made, replacing the addresses of intended servers with addresses of machines controlled by the attackers.

Dave Bittner: [00:02:48] While DNSSEC is, as ICANN is careful to point out, no panacea, deploying it would thwart this kind of attack. But as ICANN's CTO, David Conrad, told AFP, there is no single tool that will defeat what he characterized as an assault on the internet's infrastructure, as such. Both the U.S. Department of Homeland Security and Britain's National Cyber Security Centre warned last month of a surge in DNS hijacking, so ICANN is far from alone in expressing concerns.

Dave Bittner: [00:03:21] Some of the DNS hijacking of the last few months appears to be state-directed. SecurityWeek quotes security firm FireEye as attributing a significant fraction of such activity to Iran, with Tehran taking a particular interest in Middle Eastern website registrars and ISPs. The typical, immediate goal of such attacks appears to be credential theft. SecurityWeek heard a similar assessment from security firm CrowdStrike.

Dave Bittner: [00:03:48] Bleeping Computer's online forum is discussing an outbreak of B0r0nt0k ransomware. Details are sparse, and analysts are, as of this writing, still looking for samples, but the infestation is known to have appeared on Linux-based servers. Windows users may also be susceptible. The ransom demands are running at about $75,000, payable in bitcoin, although there are indications that the hoods are open to negotiation. The words Vietnamese hacker appear in the payment site source code, but this, like the .uk top-level domain used, means very little, so it would be unwise to jump to any attribution.

Dave Bittner: [00:04:28] Bleeping Computer says it's reached out to the extortionists to find out what they're up to, and we'll share whatever they learn. There are already some suggestions in circulation on other sites about how to get rid of B0r0nt0k infection, but regard them with caution, and consult a security expert before jumping to use the techniques. Better to prepare for recovery, should you sustain this or any other form of ransomware attack, by regular, secure backup.

Dave Bittner: [00:04:56] UAE-based security firm DarkMatter has asked Mozilla to white-list DarkMatter certificates into Firefox's certificate store. The request, as ZDNet points out, is controversial. On one hand, DarkMatter is known as a vendor of surveillance tools, and so the Electronic Frontier Foundation and others warn against giving the company what could amount to an ability to intercept traffic without triggering errors in some Linux systems. As the EFF puts it on their blog, quote, "DarkMatter has a business interest in subverting encryption and would be able to potentially decrypt any HTTPS traffic they intercepted," unquote. On the other hand, as ZDNet observes, DarkMatter does seem to have a clean record as a certificate authority, and therefore the company asks, why should we be treated differently from any other CA?

Dave Bittner: [00:05:48] MIT Technology Review reports that blockchains can in fact be hacked. The theoretical possibility wasn't unforeseen. It's the long-discussed 51 percent attack in which an actor gains control of a majority of a network's mining power and forks the blockchain to defraud other users. The 51 percent attack, as we've heard it discussed by various blockchain experts, was a known issue - as the help desk would put it - but, at least in the early days of blockchain adoption, had usually been mentioned as a kind of marginal case, practically too difficult to amount to a realistic threat. But that may have been whistling in the dark.

Dave Bittner: [00:06:26] Since the latter part of 2018, Verge, MonaCoin, Bitcoin Gold, Vertcoin and Ethereum Classic have sustained 51 percent attacks facilitated by hash rate black markets where attackers can rent computing power. Smaller cryptocurrencies proved more susceptible. Security flaws and ancillary systems, notably, smart contracts, have also been exploited. None of this should be taken to mean that the blockchain is a fraud or fundamentally flawed, but rather that it's a technology with its distinctive strengths and weaknesses. The story should serve as a reminder that cybersecurity, like war, is waged against a thinking human adversary who sees, reacts and will find any vulnerability they can.

Dave Bittner: [00:07:11] Cryptocurrencies - and these are still the most widely used blockchain applications - of course, continue to attract broad interest and support. The cyberattacks on Malta's Bank of Valletta, disclosed on February 13, prompt the Bitcoinist to see in the incident proof of the need for decentralized and stable alternatives to traditional banks and the fiat currencies they deal in.

Dave Bittner: [00:07:36] TASS is authorized to disclose that Russia's embassy in Vienna has sustained cyberattacks evidently aimed at disrupting consular services. Bots booked appointments which inevitably became no-shows, bots being bots and not natural persons. And so a bot couldn't show up at the cashier's window even if the bot wanted to. This, of course, prevented actual, natural human beings from getting appointments. Actual, natural human beings being actual, natural human beings, they got mad when they couldn't get in to do their business. The automated requests originated from IP addresses in Iraq, Thailand, Indonesia and a few other countries. But that means little for attribution. The embassy says it's purged the bots and restored consular services to normal.

Dave Bittner: [00:08:23] And finally, how can you tell a unicorn from a minotaur? And, no, this isn't anything to do with fantastic beasts. It's commerce, kids. So you know the difference won't be in, say, niceness or number of horns. No. A unicorn is a company valued at $1 billion. But a minotaur, as they're now saying in Silicon Valley, is a company that's actually attracted $1 billion in venture capital. If you're a "Shark Tank" watcher, here's one way to frame the distinction. A unicorn's valuation is what the sharks use to figure out if they're getting a good deal on the proffered investment. A minotaur's value is the actual amount Mr. Wonderful has decided to pony up. No, no. This isn't about fantastic beasts - Bowtruckles, Nifflers or otherwise. It's commerce. But still, Newt Scamander, call your office.

Dave Bittner: [00:09:17] And now a word from our sponsor, LookingGlass Cyber Solutions. Cyberthreats are a risky business. Criminals are taking bigger risks than ever before to acquire your organization's sensitive data. As pressure increases, you need a partner to help manage and control your digital business risk. Slide into LookingGlass's booth, number 2327, in the South Hall at RSA Conference 2019 to hear how you can better manage your organization's risky business by leveraging their 20-plus years of investment and tradecraft for an outside-in view of your security posture. Or step away from the hectic expo floor for a demo tailored to your business needs in the LookingGlass meeting suites at the Marriott Marquis. Reserve your demo and learn more about LookingGlass at RSA Conference or visit their website, That's And we thank LookingGlass for sponsoring our show.

Dave Bittner: [00:10:25] And I'm pleased to be joined once again by Rick Howard. He's the chief security officer at Palo Alto Networks, and he also heads up Unit 42, which is their threat intel team. Rick, great to have you back. At Palo Alto Networks, you recently made some important decisions as to how you were going to choose to run major infrastructure there. Take us through what you chose and why you did it.

Rick Howard: [00:10:50] Palo Alto Networks announced that we would be delivering our security services from the Google Cloud. We have decided that instead of building our own infrastructure in data centers to support our customers in the future, we will use the Google Cloud to do it. I can't even say that. It's a tongue twister.

Dave Bittner: [00:11:07] It's a hard word to say. Yeah.

Rick Howard: [00:11:09] I thought it was interesting that a security vendor like us had gone through the same evaluation and thinking process that every other type of organization has gone through or is going through about cloud deployments.

Dave Bittner: [00:11:20] All right. Well, take us through. What made you decide that you didn't want to build out your own infrastructure?

Rick Howard: [00:11:25] Yeah, so let me set the stage a little bit. So besides the hardware firewalls that our customers deploy in their physical environments and the software firewalls that they deploy to protect their Amazon, Google and Microsoft cloud environments and the software firewalls that they deploy in their data center virtual environments, we also have a complete set of intrusion kill chain security tools that are delivered to those hardware and software firewalls from our own maintained and operated cloud environment. That's a lot of stuff I just said there. Now, we store the data in the cloud and process the data looking for bad guys in the cloud. Once we find them, we send in (inaudible) decisions to our customers' firewalls and endpoints, both hardware and software.

Dave Bittner: [00:12:07] Right.

Rick Howard: [00:12:07] Now, most people think of us as a hardware company, which we are. But with all that virtual software running in the cloud, we consider ourselves to be a SaaS company.

Dave Bittner: [00:12:16] OK.

Rick Howard: [00:12:17] All right. So - now, not three years ago, we were busy building our own data centers in multiple locations around the world so that we could better service our customers in those localized regions. And what we discovered was we couldn't build them fast enough. We could just get one operational, and some other country would want their very own, also. And to build them right took time and resources, and they are expensive to maintain. And we also discovered that this meat-and-potatoes effort, this building and maintaining data centers, does not scale, and it distracted us from building better security products.

Rick Howard: [00:12:48] You know, we consider ourselves a security provider, not an infrastructure provider. And then it dawned on us, like it has dawned on everybody else. We don't have to be an infrastructure provider. There are at least three infrastructure companies - Google, Microsoft and Amazon - who sell infrastructure, and they are really good at it. In fact, they are so good, they are light-years ahead of the rest of us who are not infrastructure for companies and who are stumbling along, trying to do it the way they do it. All right. It just made sense for us to choose one of those to deliver our service as grown.

Dave Bittner: [00:13:17] So take me through that decision-making process. Like you said, there are choices out there. What made you decide and settle on Google?

Rick Howard: [00:13:26] Well, for lots of technical and financial reasons that - I don't want to bore the listeners on here, OK - it made sense for us to use Google as our cloud provider for service delivery. Suffice it to say that each of these big three have strengths and weaknesses for cloud services. For what we were trying to do at Palo Alto Networks, it made sense to go with Google. That does not mean that Google is the right choice for everybody.

Rick Howard: [00:13:47] The bottom line here is that even security vendors go through the same thought process about cloud deployments that every other kind of organization goes through. The network defender community has been saying for at least five years now that the cloud is inevitable. It is just a matter of time. Some are moving to the cloud faster than others. We decided to go now.

Dave Bittner: [00:14:06] Take me through the process of establishing, in your own mind, your ability to trust an outside vendor with these things that are obviously very important for you. I mean, security is the name of the game here, so I suppose there's the whole matter of reassurances. It's sort of a trust and - trust but verify thing, perhaps.

Rick Howard: [00:14:26] Well, exactly. And I think some of the hesitation from the community is that we're not sure how secure those environments are, right? But we are able to put our own security product into all of those big cloud providers. All right. So it's virtual, for sure, but it operates the same way that a hardware platform does back behind your perimeter and in your data centers. So we have no concerns that it's somehow less secure because we're in a cloud environment than it is in - back in your perimeter. We are using the same security controls in all of those locations, though that was not a big consideration for us.

Dave Bittner: [00:15:01] All right. Rick Howard, thanks for the information. Thanks for joining us.

Rick Howard: [00:15:05] Thank you, sir.

Dave Bittner: [00:15:10] And that's the CyberWire.

Dave Bittner: [00:15:11] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [00:15:51] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.