The CyberWire Daily Podcast 4.2.19
Ep 813 | 4.2.19

Ransomware deletes dupes. Exodus scandal grows in Italy. Election reports from Ukraine and Israel.

Transcript

Dave Bittner: [00:00:03] A ransomware strain deletes duplicates, but you know that just keeping a duplicate on the same drive isn't a secure backup, right? Right? Exodus spyware, now ejected from Google Play, is becoming a significant scandal in Italy. Influence operations meet campaigning in India and Israel - fair or unfair seems to be in the eye of the campaigner. In Ukraine, there's just so much disinformation. OpIsrael hacktivists are expected back this weekend and more on below-the-belt selfies.

Dave Bittner: [00:00:41] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data, but to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free; no installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:45] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 2, 2019. BleepingComputer reports some unusual behavior in a ransomware strain, vxCrypter. The malware finds and deletes duplicate files on victim devices. Why it does so is unclear. It may be a simple step in the malware's evolution. It may be a means of increasing the speed of the malware's functioning. It may be something done out of a finicky sense of proper order, tidying up as BleepingComputer muses. It wouldn't be an attempt to clobber protective backups - the single best way of preparing recovery from ransomware - because no one would think that making a second copy of a file and depositing it on the same drive would usually constitute a secure backup, right? I mean, right?

Dave Bittner: [00:02:38] Anywho (ph), the why may be mysterious, but the how isn't mysterious at all. As researcher Michael Gillespie tweeted in response to researcher Lawrence Abrams' observations about vxCrypter, quote, "it does a SHA256 of the file, and if it has already encrypted a file with that hash before, it deletes it so any files that are a duplicate are just deleted" - end quote. The discovery of lawful intercept tools concealed in apps available in Google Play may be on its way to becoming a major scandal in Italy. Google has removed the Trojanized applications from its store. The 25 apps affected contain spyware called Exodus that researchers believe may have been produced by Italian security company eSurv. As SecurityWeek notes, eSurv has been difficult to contact about the matter. The company's web pages appear to have been taken down. At any rate, we've been unable to find them this afternoon. eSurv, by the way, should not be confused with similarly named companies and organizations. The company in question is an Italian security software company, not English surveyors or makers of opinion survey tools. Motherboard says that prosecutors in Naples have opened an investigation into eSurv. The company's offices were apparently raided three weeks ago, and the police are looking for four individuals in particular, at least two of whom are or were eSurv managers.

Dave Bittner: [00:04:04] A number of media outlets, SecurityWeek among them, have observed that one disturbing thing about the whole affair is that Google's screening didn't catch the Exodus spyware before it was made available in Google Play. Disturbing that may be, but it's neither new nor particularly surprising. Android apps are a pretty wide open field, and while Google Play is a kind of walled garden, its fence is chain-link and serpents have crawled in before. And they will again. With 2019 well underway, the investment opportunities in cybersecurity startups continue to attract the attention of venture capitalists on both U.S. coasts and around the world. We checked in with Hank Thomas, CEO of Strategic Cyber Ventures, for his take on the market.

Hank Thomas: [00:04:51] 2018 was a record year for investing in cybersecurity. It doesn't correlate directly to maybe sort of the bubble that was forming in the dot-com boom, but there is record numbers of investment going into cybersecurity companies worldwide.

Dave Bittner: [00:05:06] And what do you suppose is driving that?

Hank Thomas: [00:05:08] Well, I think it's sort of a big begets bigger. So it's a race to gobble up market share for companies that are in a crowded space. So if you're an endpoint security company and you want to take up market share, the investors are going to want to put more and more money into that company to rev up that marketing engine to take up more of that market share and win the race to the top. You know, we've been hyper focused on things that are highly differentiated and maybe slightly over the horizon. But I think what most investors are focused on are things that they view as deficits for innovation in larger cybersecurity players. So there is many large cybersecurity players out there with large cash balance sheets. They take a review of what those deficits are for those larger players that struggle to innovate, and they generally push their investments in those directions.

Dave Bittner: [00:06:04] What's on the horizon in terms of risks for this particular market? Certainly, I know, you know, we're looking at a potential, I think here in the U.S. anyway, for some new privacy regulation. Is that going to affect things?

Hank Thomas: [00:06:16] I think it will. I think it will really depend on the security control. You know, some security controls require more aggregation of personal information. Ultimately, you know, when you have a global network of adversaries that are going to be working to kind of defeat security and cause a larger privacy concern to populations in various regions of the world, I think people are going to have to come to a conclusion that they're going to have to balance the need for some data aggregation, some personal data aggregation around cybersecurity with strong privacy laws.

Dave Bittner: [00:06:50] And what are you seeing in terms of the global big picture? I mean, things are still focused in the U.S. Where are you seeing some other strong players?

Hank Thomas: [00:07:01] In the U.S., the West Coast still kind of leads the way, although there has been an uptick in investing in - on the East Coast, which is where our company is located, and in the Midwest. And in sort of some non-traditional areas here in the U.S. you've seen an uptick in investing in cybersecurity. The West Coast still leads the way.

Hank Thomas: [00:07:19] China was really strong up until around 2017. Then we saw a big falloff. And I think that comes to the fact that most people were kind of whistling past the graveyard, most investors, as to the lack of demand for Chinese cybersecurity products - almost sounds like an oxymoron - in the global market. So you've seen a big drop-off in that. But Israel obviously continues to trend up rapidly and is surpassing - has surpassed the U.K., even, in investing in cybersecurity.

Dave Bittner: [00:07:50] What is your advice for that person who's out there who thinks they may have a product that they want to take to market - they think they built a better mousetrap. What are the types of things that they need to do to entract (ph) investors?

Hank Thomas: [00:08:03] Yeah. You know, so I think having a - looking at these things every week, I meet folks that have maybe a great idea and a PowerPoint slide to help explain it, but they haven't really thought through the product-to-market fit. They haven't thought through the strategy to get to break-even. If you don't want to become a bloated zombie floating in the sea of sameness in cybersecurity, you really need to have a differentiated product.

Hank Thomas: [00:08:30] And you really need to have studied the market to understand what's out there beyond what you - you know, it's just sort of publicly available because there's other people like you thinking about starting things up like this, and there are resources to figure out what they've done so far. And also look at other companies that have failed. There's plenty of research now that cybersecurity, while it's still a young industry, has been around for several decades now with a lot of investment going into it. Look at failures and figure out what went wrong there and try to obviously not do those things.

Dave Bittner: [00:09:03] That's Hank Thomas from Strategic Cyber Ventures.

Dave Bittner: [00:09:08] India's election season is in full swing. And according to the Wall Street Journal, government attempts to restrain fake news have yielded disappointing results. Politically loaded hoaxes are rampant on WhatsApp despite the Facebook subsidiary's attempts to control them. Much misinformation in India seems domestic in origin, pushed by rival parties and not really following the playbook set by the Russian intelligence services with trolling via inauthentic accounts. It's an interesting development, especially given the House of Zuckerberg's recent trial balloons about shifting more of its services to the sort of private messaging and small-group chitchat typified by WhatsApp. Whatever the virtues of such an approach as a commercial matter, it wouldn't appear to offer a royal road to the kind of clean and high-minded political discourse Mr. Zuckerberg suggested over the weekend he'd like to see the governments of the world regulate us into.

Dave Bittner: [00:10:06] The first round of Ukraine's presidential election is over, with a runoff between frontrunner Volodymyr Zelensky, television actor and political neophyte, and incumbent President Petro Poroshenko scheduled for April 21. TASS is authorized to disclose that Russia may decline to recognize the election results, citing widespread fraud and intimidation. A senator in the Duma offered this opinion, although he qualified it by saying that of course the final decision on any such matter would rest with President Putin. This seems more information operation than news. The Russian state media organs have for some time been warming up on the Ukrainian election with altruistic warnings of thuggery, intimidation, fraud and so on. Other observers saw no such problems. Preliminary remarks by observers from NATO and the Organization for Security Co-operation in Europe (ph) were pretty upbeat about the quality of the election.

Dave Bittner: [00:11:05] Israel's hotly contested election, in which incumbent Prime Minister Benjamin Netanyahu is being challenged by former IDF chief of staff Benny Gantz, has also seen accusations of illegitimate use of social media in the service of influencing the electorate. Most of these allegations have come from candidate Gantz's new party, Israel Resilience, and have been directed against Prime Minister Netanyahu's Likud. Likud says the network is organized to advance a political viewpoint and that it doesn't contain bots.

Dave Bittner: [00:11:37] Hacktivists of OpIsrael are expected to hit Israeli targets this Sunday in their annual protest against the Jewish state. The protest occurs this year shortly before the country's elections, which will be held on the 9th. Anonymous, if you remember them, has been involved with OpIsrael since 2013. And the activity amounts at this point to online protest, not really having risen above a nuisance level. Over the weekend, Gavin de Becker, security adviser to Amazon founder Jeff Bezos, published the conclusions of his investigation of the selfie hacking dispute with the National Enquirer's owner, AMI. Mr. Bezos disclosed the matter with his now-famous and, if we might say so without an unseemly breach of objectivity, disarmingly witty blog post "No thank you, Mr. Pecker," in which he declined to negotiate with the National Enquirer over the publication or suppression of the ritualistic courtship images of Mr. Bezos they somehow obtained. Mr. de Becker summarizes his conclusion as follows - quote, "our investigators and several experts concluded with high confidence that the Saudis had access to Bezos' phone and gained private information. As of today, it is unclear to what degree, if any, AMI was aware of the details," end quote.

Dave Bittner: [00:12:56] The evidence he cites is admittedly circumstantial, but he and others think it compelling. Thus, attribution of the link to Mr. Bezos' boyfriend-in-law Michael Sanchez may have been more wolf meat or red herring than definitive explanation. The Saudis' presumed motive is retaliation for Washington Post reporting on the murder of Jamal Khashoggi in the Saudi consulate in Istanbul. Mr. Bezos, of course, has had a controlling interest in the Post for some time. De Becker's investigation didn't name any vendors, but media speculation immediately turned to NSO Group, controversial provider of lawful intercept products to a number of governments. NSO Group preemptively issued a denial of involvement, stressing that its products are designed not to intercept U.S. phone traffic and insisting that they do appropriate target validation. More will surely emerge over time. But again, we'll leave you with this advice. When courting, just send flowers.

Dave Bittner: [00:14:02] Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms."

Dave Bittner: [00:15:17] And joining me once again is professor Awais Rashid. He's a professor of cybersecurity at the University of Bristol. Awais, it's great to have you back. We wanted to talk today about dealing with cybersecurity at scale and specifically how do you go about training people to function in that environment. What do you have to share with us?

Awais Rashid: [00:15:36] I think the problem is that we are building increasingly more and more complex systems. If you look at - depending on whichever estimate do you believe, you know, there are going to be something like 25 to 50 billion connected devices around the world in the next, you know, five to six years. And there are also all sorts of estimates that, you know, global data traffic, for example, will reach an excess of 270 exabytes a month over the same period and can see a lot of this will filter through these various connected systems and devices.

Awais Rashid: [00:16:09] So the problem is that we are actually going to see systems and infrastructures at a scale that we have never really encountered before. We know how to deal with reasonable-scale systems, but they're often in the control of a single organization. If you think about a smart city where a number of different stakeholders come together to provide a range of services, and then, as a user, you're walking through the city and then interfacing with these services, so there aren't really always fixed boundaries of who is coming into contact with whom, and potentially both malicious and non-malicious actors actually operating in that kind of environment. So we are seeing a scale of complexity and connectivity that we haven't seen before.

Awais Rashid: [00:16:48] And the challenge that becomes is that it also has - is reflected in the scale of attacks and their impact. So you can think of potentially an attacker compromising smart refrigeration across an entire city, overloading the power grid, perhaps disrupting an essential service, and then you can foresee the impact of that. And that's really what I mean when I say that we need to sort of tackle security at scale because what we see currently is that a lot of systems are designed with smaller-scale systems in mind. And when they're - try to scale up to these kind of large-scale environments, they don't necessarily scale.

Dave Bittner: [00:17:20] Yeah. It's interesting. You know, I think about - people say, you know, when you have a big problem in front of you, try to break it down into some smaller pieces, and you can address those one at a time. And I wonder if that's even a possibility for some of these large installations.

Awais Rashid: [00:17:34] You're absolutely right. It's not so much that you don't want to break the problem into smaller portions. I think if you start by saying you are going to design something - let's say an intrusion detection system - for a much smaller-scale environment, then you don't really consider the requirements and constraints and the complexities that come from this large-scale setting. And what we ought to be doing is we ought to be teaching people and training people, whether in universities or industry, to start from looking at these kind of large-scale problems so that they understand where the challenges come from and then situate their thinking into those kind of problems because ultimately that is how we will address some of the skills gaps that we have by training people to think this way.

Awais Rashid: [00:18:17] Because, at the moment, we say to them, well, do this thing for a small-scale system and then try to scale it up. And my own experience is that when people first encounter these kind of systems, they go, oh, my goodness, these are on a scale that I never thought about. And we need to invert that perspective. We need to get people to think first and foremost about these large-scale problems so that they understand the requirements and constraints and that then informs their thinking. And then you can of course, you know, break down the issue into smaller problems because you will have different elements of the problem. But as long as those top-level requirements and constraints and challenges remain at the forefront of your thinking, then that would be particularly important.

Awais Rashid: [00:18:51] A key element, of course, of that is that because we build these large-scale infrastructures, and, you know, we always talk about security by design and privacy by design, we also have to think about these infrastructures are going to remain in operation for a very long time. So we have to think about how do we deal with security of data and information not as it is being created, but all across the lifetime of the system as attack scenarios change. New types of technologies may come online. And when, at some point, you have to decommission the system, what do you do? And all these considerations need to come into play. But we don't necessarily think of them up front, and that's why we see a lot of the problems we see today.

Dave Bittner: [00:19:29] Yeah. No, it's interesting insight. Awais Rashid, thanks for joining us.

Dave Bittner: [00:19:37] And that's the CyberWire. For links to all of today's stories, check out our CyberWire daily news brief at thecyberwire.com.

Dave Bittner: [00:19:44] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:19:55] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.