The CyberWire Daily Podcast 4.16.19
Ep 823 | 4.16.19

Fraud will follow fire, alas. Wipro compromise. DDoS in Ecuador. Brazil’s hacker underground. Selling a keylogger. Facebook and data. EU copyright law. Huawei’s prospects. Fact-checkin’, fer real.


Dave Bittner: [00:00:03] Condolences to the city of Paris and the people of France. And alas, expect fraud to follow fire. A compromise may have turned a company's networks against its customers; denial of service in Ecuador; a look at Brazil's cybercriminals; selling a keylogger, complete with terms of service; Facebook's attitude toward data; the EU finalizes its controversial copyright law; Huawei's prospects. And what did the algorithm know, and when did the algorithm know it?

Dave Bittner: [00:00:39] And now, a word from our sponsor ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Prevention-based tools leave you blind to any threats inside your network. By adding behavioral-based network traffic analysis to your SOC, you can find and stop attackers before they make their move. ExtraHop illuminates the dark space with complete visibility at enterprise scale, detects threats up to 95 percent faster with machine learning and guided investigations that help Tier 1 analysts perform like seasoned threat hunters. Visit to learn why the SANS Institute calls ExtraHop fast and amazingly thorough, a product with which many SOC teams could hit the ground running. That's And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:37] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 16, 2019. Yesterday's fire at the Cathedral of Notre Dame in Paris was tragic, and we offer our condolences to the people of France, who now stand bereaved. We should note that while, at this stage of any investigation, all conclusions should be regarded as provisional, the fire looks like an accident that occurred in the course of renovation work and not like an act of terror, whatever any claims or speculations may be out there. And as with any prominent disaster or misfortune, we should expect to see online scammers working to take advantage of the tragedy. Don't rise to their bait.

Dave Bittner: [00:02:21] KrebsOnSecurity reported yesterday that IT outsourcing and consulting firm Wipro had been compromised, and its networks turned against some clients. Computing this morning said the company acknowledged sustaining a successful phishing attack, is investigating and that the attacker may have been a nation-state.

Dave Bittner: [00:02:42] Ecuador has come under a large number of attacks, AFP reports - most of them apparently distributed denial-of-service attacks - since its revocation last week of asylum for WikiLeaks' Julian Assange. The attacks look like hacktivism. The U.S. District Court in Alexandria, Va., has released the affidavit U.S. federal prosecutors submitted to obtain the indictment. It's interesting for the large volume of chats intercepted between what appears to be Mr. Assange and then-Specialist Manning. It's also interesting in that, as many observers have noted, it doesn't give much indication if the computer break-in the two are alleged to have conspired in was successful.

Dave Bittner: [00:03:24] Recorded Future's Insikt Group this morning released a report on Brazil's criminal hacker community. The findings concerning this large underground community are interesting. Its targets are almost invariably domestic - other Brazilians - which may be why these particular hoods often fly below the international radar. They tend to be opportunistic, out for the quick score and to be dynamic in their operations, with no strong allegiance to any particular platform. They use a lot of spam and, disturbingly, they're not intimidated by two-factor authentication.

Dave Bittner: [00:03:59] Researchers at Cisco Talos have noticed a shift in the underground market for malware. At best a grey market shading to black, one of the recently hot commodities traded there is HawkEye, a malware kit that offers keylogging and information theft functionality. HawkEye has been upgraded periodically since at least 2013. It's now undergone a change in ownership, with the new proprietors being CerebroTech, their name apparently an homage to the device developed by Professor Charles Xavier in "X-Men" No. 7, published in 1964, or it could just be the Portuguese word for brain. But we're betting on the Professor X reference.

Dave Bittner: [00:04:39] Anywho, CerebroTech is now offering an upgraded version of HawkEye, HawkEye Keylogger-Reborn version 9. It's described as an advance monitoring solution, perhaps to lend a patina of legitimacy, although advanced monitoring solution would've been better. It's sold on a licensing basis in 90, 100 and 365-day increments. If you buy now, as the advertising invites you to do, this won't set you back much - $27, $37 and $47, respectively. So the 365-day license looks like the best deal. HawkEye Keylogger-Reborn comes complete with terms of services.

Dave Bittner: [00:05:20] Terms of service would've been better. That primly informs the licensee that you must have permission from owner's PC to keylog their system. All our products are provided for educational purpose only. Parents may keylog their child's computer but under 14 years old. It also cautions you not to scan the product with any A.V. tools or to share samples online, which strikes Cisco Talos as suspicious. If you do scan or share, you'll lose your license and will be permanently banned from the store. No excuses, adds CerebroTech, to show you they're serious.

Dave Bittner: [00:05:56] Now, if you've been listening and you're shouting, I'm convinced. Where do I go to surrender? I've got to act now. Pause before reaching for that credit card or yanking on your Altcoins blockchain. This deal sounds more like something Factor Three would come up with and not the leader of the X-Men. Cisco Talos is watching HawkEye like a hawk and will no doubt keep us updated. They've already noticed that improvements are underway, and they have more reasons than we have time to discuss why HawkEye Keylogger-Reborn is bad news. See the Talos intelligence blog for advice on how to keep HawkEye out. And please don't buy a license, even for educational purposes.

Dave Bittner: [00:06:36] NBC News says on the basis of leaked documents that Facebook's public assertions of commitment to privacy have long been, at best, an afterthought to the social network's monetization of personal data - at worst, entirely disingenuous. The documents come, NBC News says, from the period of 2011 through 2015. The company allegedly explored different ways of monetizing the data, including direct payment and advertising, but eventually settled on a sort of system of favors in which data were given to various corporate friends. Facebook denies wrongdoing and hasn't been charged with any crime in the matter, NBC News notes.

Dave Bittner: [00:07:16] The folks at Kenna Security have been working with the Cyentia Institute on a series of reports titled "Prioritization to Prediction." Volume 3 focuses on "Winning the Remediation Race." Ed Bellis is chief technology officer at Kenna Security.

Ed Bellis: [00:07:31] We looked at something called remediation rates, or remediation velocity, where we looked at the survival rates of vulnerabilities and different types of vulnerabilities where we either divided it up by Common Vulnerability Scoring System scores, or we divided them up by - did these vulnerabilities have exploits in the wild? And then we looked at things like the actual metadata about the customers themselves. What industries were they in? How big were they, et cetera.

Ed Bellis: [00:07:59] We found out a lot of interesting things. But actually, one of the things that was probably a little bit of a surprise to me where we looked at the ratio of open to closed vulnerabilities on a monthly basis, and we looked at everybody and top performers. And there's a few things there that really kind of stood out to me.

Ed Bellis: [00:08:17] One of the biggest surprises that I saw was whether or not you're an SMB with just a couple of hundred assets, or you're a Fortune 10 enterprise with tens of millions or more of assets, the number of vulnerabilities on a ratio basis that you remediate is roughly about the same. Everybody out there, regardless of size and amount of resources that they have, along with the number of assets that they have, is roughly remediating on average about 1 in 10 vulnerabilities. There were a few standouts and top performers, which were considerably better. But almost everybody across the board, regardless of size and complexity, was fixing about 1 in 10 vulnerabilities, which really kind of surprised me.

Ed Bellis: [00:09:00] But to me what was the surprising factor is that it was so incredibly consistent across the board regardless of size of company, right? So when you looked at the speed or the velocity of that remediation, the smaller companies definitely remediated faster than the larger ones. So that complexity was certainly trumping capacity when it came to velocity of your remediation.

Dave Bittner: [00:09:25] And do you suppose that's just the simple fact that it takes longer to steer a battleship than a sailboat?

Ed Bellis: [00:09:32] I think that that - a lot goes into that, right? And not only is that battleship big, but I would say even more so that battleship is complex - right? - and there's a lot of different things going on and a lot of different things that you have to navigate in an org of that size.

Ed Bellis: [00:09:45] Kind of the next step for us is to take a look at all of the attributes about those top performers - kind of pluck those out - and maybe some of the low performers and then the average and say what makes them different? Why are these folks remediating 1 in 4 versus everybody else at 1 in 10? Or why are these folks so quick and so fast at remediating the high-risk vulnerabilities, where these folks are a little slower but maybe a little bit more persistent and they get to more?

Ed Bellis: [00:10:14] So what we're doing now is actually starting to look at the attributes of those companies, of those programs - what they have in place, what it is exactly that they're doing, and we're hoping to answer a lot of those questions in the next volume.

Dave Bittner: [00:10:27] That's Ed Bellis from Kenna Security. The report is titled "Prioritization to Prediction." This is Volume 3, "Winning the Remediation Race." You can find it on their website.

Dave Bittner: [00:10:39] The European Union has finally passed its controversial copyright reform law. Nineteen of 28 member countries voted to ratify the European Parliament's action. European Commission President Jean-Claude Juncker said yesterday, quote, "With today's agreement, we are making copyright rules fit for the digital age," end quote, which is one way of looking at it. Critics see the law's Articles 11 and 13 as particularly objectionable. Article 11 establishes a link tax to pay owners of copyrighted content, and Article 13 makes platforms legally liable for any infringing material their users post.

Dave Bittner: [00:11:17] More European governments, including those of Belgium and Germany, have declined to ban Huawei, although many also acknowledge security risks associated with the company's hardware. This may not represent as much of a victory for Huawei and a defeat for some of the Five Eyes' concerns about supply chain integrity as it first appears. The U.S. intends to continue to nudge its allies toward restricting Huawei gear at upcoming meetings in Prague. Bloomberg observes that close regulation of 5G networks in Europe seems very likely and that such regulation will probably significantly pick away at Huawei and its market share, a little like being nibbled to death by ducks.

Dave Bittner: [00:11:58] So what are these algorithms people keep talking about? Here's a quick and dirty definition. An algorithm is a defined, finite set of steps for performing a calculation. It moves through well-defined stages and produces a final result. We mention this because the algorithms used in artificial intelligence have been the subject of a lot of picture-thinking. We're encouraged to think of them as being something like Commander Data from the old "Star Trek" show - you know, smart but maybe just a touch emotionally naive.

Dave Bittner: [00:12:29] Well, here's a picture to counter that one. Don't think about Commander Data. Think about Mickey Mouse's broom in the "Sorcerer's Apprentice," the one that just kept carrying pails of water. Maybe that's a little unfair to the artificial persons, but we offer it as a kind of counterweight to the pervasive Roddenberriana (ph).

Dave Bittner: [00:12:47] Well, the algorithm was in the news again. YouTube yesterday flagged live-streamed video of the tragic Notre Dame fire as possible misinformation and ran an explanatory box below such streams that offered to fill in viewers to the truth by displaying images and information about the 9/11 attacks. According to TechCrunch, YouTube says the algorithm did it and that they're sorry that the algorithm made the wrong call. The algorithm was unavailable for comment.

Dave Bittner: [00:13:21] Time for a message from our sponsor, KnowBe4. It can take a hacker to know a hacker. Many of the world's most reputable organizations rely on Kevin Mitnick, the world's most famous hacker and KnowBe4's chief hacking officer, to uncover their most dangerous security flaws. You might ask, hey, where can I get the skinny on the latest threats? And where could I find out what would Kevin do? Well, at KnowBe4's webinar - that's where. Kevin and Perry Carpenter, KnowBe4's chief evangelist and strategy officer, give you an inside look into Kevin's mind in this on-demand webinar. You'll learn more about the world of social engineering and penetration testing by listening to firsthand experiences and some disconcerting discoveries. You'll see exclusive demos of the latest attack ploys, find out how they could affect you and learn what you can do to stop them. Go to to register for the webinar. That's And we thank KnowBe4 for sponsoring our show.

Dave Bittner: [00:14:34] And joining me once again is Emily Wilson. She's the VP of research at Terbium Labs. Emily, it's great to have you back. You all recently published a report. This is called "Fraud Guides 101

Emily Wilson: [00:14:52] So we recently obtained just over 30,000 of these fraud guides from dark web markets. And when I say fraud guide, what I mean is instruction manuals or guide books on how to commit different types of fraud or how to pursue different types of cybercrime.

Emily Wilson: [00:15:10] We pulled in all of these guides, and we did some analysis on them to answer a few different questions. You know, what sort of data is most valuable? What data has the most intrinsic value? How do financial data types compare to personal information data types? What can we learn from these? How do these all break out? And it's been a real labor of love, but I'm excited to see it - I'm excited to see it come out.

Dave Bittner: [00:15:32] So this is something where I would go and buy these guides?

Emily Wilson: [00:15:36] If you were an enterprising criminal, you could go and buy these guides. They are available - widely available - on dark web markets. And you know, you can search by whatever sort of scheme you're looking for. If you're looking for a guide on how to open a fraudulent bank account or how to commit tax fraud, how to do account takeover, how to bypass certain controls - for example, if you want to figure out how to access an email account that has 2FA set up, how do you get around that?

Dave Bittner: [00:16:08] All right, well, take us through, and what are some of the key findings here?

Emily Wilson: [00:16:12] So one of the most interesting findings - I was looking - I mentioned the question about what's the most intrinsically valuable data type? What is the data type that stands alone in these reports - or in these guides, rather? If you're looking at these guides, you know, what data type can - you can get there an entire guide with just a mention of one data type. I thought it would be payment cards. Going into it, I absolutely assumed it would be payment cards because they're the easiest thing to use. You don't have to have any other information. You can just go and make a transaction. And so I thought that would be what stood alone. Turns out it was email addresses.

Dave Bittner: [00:16:47] How come? Go on.

Emily Wilson: [00:16:48] Email addresses are widely available in the market, both for sale as part of credentials or contact lists. They're also leaked very widely. And so it could speak to the volume of data in the ecosystem, right? You want to write guides about what's most widely available, about your most plentiful resource.

Emily Wilson: [00:17:06] The other thing is that email addresses are tied back to every form of a digital identity or certainly most forms of a digital identity. If you are signing up for an account, if you are placing an order, if you are following news or information, all of these things tie back to an email address, and then eventually tie back to a real person. And so I think it speaks to the ubiquity of the email address in the digital age. And email addresses are tied to financial accounts. They're also tied to a variety of other accounts, which means fraudsters can use them to cash out but also to run longer schemes.

Dave Bittner: [00:17:45] I guess, in some ways, it's that versatility of an email account that provides some of the value as well.

Emily Wilson: [00:17:51] It is versatile. It's - you know, it's also something that links not only an account to an individual but can also be present across a wide variety of accounts because, for most people, it's not as though you're using a different email address for your bank account and your retail accounts and your insurance accounts and your whatever else accounts.

Emily Wilson: [00:18:13] You know, you have a centralized email address - personal and professional - for a reason, which means that - you know, fraudsters work with what's in front of them. And if an email address is in front of them, they're probably going to use it for, you know, whatever it's tied to if it's leaked or sold as part of a financial account. But there's nothing stopping them from saying, OK, where else is this email address used? Are they using the same password or a similar password? How far can I run with this one person?

Dave Bittner: [00:18:39] Yeah. All right, well, there's much more in the report. It's called "Fraud Guides 101: Dark Web Lessons on How to Defraud Companies and Exploit Data." Emily Wilson, thanks for joining us.

Dave Bittner: [00:18:54] And that's the CyberWire. For links to all of today's stories, check out our CyberWire daily news brief at

Dave Bittner: [00:19:01] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:19:12] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.