The CyberWire Daily Podcast 4.21.16
Ep 83 | 4.21.16

Australia's new cyber strategy, Dorkbot's old; CryptXXX is new.


Dave Bittner: [00:00:03:11] Cyber criminals (and some apparent state actors) show some old tricks and some new ones and all of them are working. Crypto legislation being considered by the US Congress gets very little love from industry. ISIS expands its information campaign in Africa, as the US gets more active and open in cyber operations against the extremists. Australia announces a big science push for more cyber capability and says it has and will continue to develop an offensive cyber capability.

Dave Bittner: [00:00:34:08] This podcast is made possible by the Economic Alliance of Greater Baltimore, helping Maryland lead the nation in cyber security with a large, highly qualified workforce, 20,000 job openings, investment opportunities and proximity to key buyers. Learn more at

Dave Bittner: [00:00:57:01] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday April 21st, 2016.

Dave Bittner: [00:01:03:20] Cyber crime eclipses hacktivism at midweek, with examples of both novel malware and old, well-known threats working damage.

Dave Bittner: [00:01:11:15] Criminals being nothing if not opportunistic, as Chip-and-PIN cards are adopted more widely in the US, the cyber gangs are making a last-minute push to compromise legacy magnetic strip swipe systems before they're superseded in the very large American retail market. FireEye and its recently acquired iSight unit are tracking the familiar carding gang FIN6, which is more active than usual in attacking vulnerable point-of-sale systems and selling paycard data on black market carding sites.

Dave Bittner: [00:01:41:15] Proofpoint is continuing to report on the circulation and behavior of CryptXXX ransomware in the wild. This recently discovered strain of malware came to the notice of researchers only last week. The crypto-currency community is particularly concerned with CryptXXX since the ransomware is particularly well positioned to extort payment in Bitcoin.

Dave Bittner: [00:02:04:07] If CryptXXX represents the new, then Dorkbot can represent the old, and serve as a reminder that it can take some time for old cyber-mob soldiers to fade away. The Dorkbot worm's infrastructure was taken down last December, after roughly five years of activity. Unfortunately, when crimeware infrastructure gets whacked, it doesn't go down as fast as Sonny Corleone, and Dorkbot is back in circulation, crippled but not eliminated. ESET warns that Dorkbot is being used in attacks on bank accounts and to lock systems in order to hold them for ransom.

Dave Bittner: [00:02:38:08] You may be fairly confident that you've got your own network locked down, but what about your third party vendors? They may have legitimate reasons for needing access to your network, but according to Jason Lewis from Lookingglass they can also be a vector for vulnerability.

Jason Lewis: [00:02:52:12] The best example is the Target breach. It happened last year, their network was pretty secure but it turns out one of their vendors which is an HVAC company had access to the network. So the attacker gained access to the HVAC company and then used that access to get on Target's network and then from there they were treated just like the third party vendor. So they were trusted and the next thing you know they're uploading malware to the point-of-sale systems and just collecting credit cards.

Dave Bittner: [00:03:21:11] Lewis says that much of the increased attention to third parties is being driven from the top down.

Jason Lewis: [00:03:27:06] The ones who are at the cutting edge are the ones that are making a lot of money, so financials, banks, those folks. They know those risks and they're starting to address them. I think we're reaching that stage now, where they're starting to bring up these teams that are dedicated to looking at third parties, and as those big banks start to implement those things, it impacts everyone else. So when that gas station staff with the credit card suddenly can't get access and they can't sell gas, they may put some money into trying to make sure the network is more secure.

Dave Bittner: [00:03:55:23] As for prevention, Jason Lewis offers this practical advice.

Jason Lewis: [00:04:00:11] It really boils down to, you have to be looking for those things to be able to do anything about them. So step one is you lock down your network. If a partner doesn't need to have access to corporate email or corporate file servers then you don't give them access, you limit it that way. And then from there you need to be logging like with IDS or scanners for malware and those kind of things. So the minimum is make sure that you're looking for things that are anomalies on your network and then from there you focus on those third party connections and make sure that traffic is legitimate.

Dave Bittner: [00:04:43:17] That's Jason Lewis from Lookingglass. Their website is

Dave Bittner: [00:04:50:24] The spread of encryption most recently in WhatsApp suggests that technology may soon render the ongoing round of crypto wars moot.

Dave Bittner: [00:04:58:22] Legislation mandating various forms of decryption in the service of law enforcement is still being considered in the US Congress. It's attracted few fans outside relatively narrow law enforcement precincts. Microsoft, Facebook and Google are all publicly opposed to the measures, and American bankers are running an op-ed series characterizing the proposed legislation as nothing less than an attack on online banking. To be fair, we must note that the law enforcement agencies who favor some sort of legislative support of decryption in response to a warrant are neither ill-informed, provincial, nor technically clueless. They include both the US Secret Service and the FBI. We heard some Secret Service criticism of widespread strong and effectively unbreakable encryption at SINET ITSEF yesterday, where we also heard some equally well presented counterpoint from the Electronic Frontier Foundation.

Dave Bittner: [00:05:49:10] Australia announced its national cyber strategy yesterday. It features a strong commitment to applied cyber research and development of a world class domestic security industry. Interestingly Australia also joined two of the other Five Eyes, the US and the UK, in openly declaring that it has and will continue to develop an offensive cyber capability.

Dave Bittner: [00:06:11:07] Finally, remember that report last year that something happened at Australia's Federal Bureau of Meteorology, a hack or an outage, something like that? Well, it turns out Prime Minister Turnbull said yesterday that yes, it was indeed a cyber attack, as was widely reported at the time. We'd say, looking at that confirmation coming in tandem with an avowal of offensive cyber capabilities, that the forecast down under may be a little bit stormy.

Dave Bittner: [00:06:48:09] This podcast is sponsored by SINET, the security innovation network, connecting the cyber security community, innovators, investors and customers, business and government. Learn more at

Dave Bittner: [00:07:07:20] I'm joined once again by Dale Drew. He's the Chief Security Officer at Level 3 Communications.

Dave Bittner: [00:07:12:10] Dale, I think it's natural for many companies to like to keep their findings close to their vest, but you think collaboration is important.

Dale Drew: [00:07:20:23] I do. We've seen a trend in the industry where threat intelligence data is becoming a for-profit business. And as a result, information about attackers and attack techniques becomes a salable item and therefore becomes very difficult for these companies to distribute freely. We really think that sharing of this information quickly is going to allow the security industry to be adaptable to identifying and stopping security threats faster than the bad guys are able to create capability.

Dave Bittner: [00:08:00:00] Can you give me some examples of where collaboration has led to good things happening to new discoveries?

Dale Drew: [00:08:05:21] It's our viewpoint that security infrastructure operates at different levels of the ecosystem. Some security infrastructure protects applications, some protect data, some protect network assets. When you're able to share threat data across all of those ecosystems, then each of those security infrastructures can better protect the higher infrastructure as opposed to just single layers of the infrastructure. We've identified recently, as an example, a network based attack of a very sophisticated and emerging credit card scam that was starting out in Europe. We shared that information with the industry, the moment we detected it. Not only did we block it on the backbone, we also shared the signature with the industry and the industry was then able to take that data, put it into their product portfolio and prevent that credit card scam from becoming the next block POS attack.

Dave Bittner: [00:09:04:03] So what's your advice to companies who are maybe a little bit skittish about sharing their information?

Dale Drew: [00:09:09:18] We really believe that the industry needs to focus on sharing threat information as opposed to today, people are sharing information that demonstrates the identity of the customer or the attacker. So we think that sharing information about the actual threat itself will really alleviate a lot of the concerns that people have about identifying themselves as a victim or the source of an attack.

Dave Bittner: [00:09:37:10] Dale Drew, thanks for joining us.

Dave Bittner: [00:09:40:24] And that's the CyberWire. For links to all of today's stories, visit And while you're there, subscribe to our popular daily news brief. Our editor is John Petrik. I'm Dave Bittner. Thanks for listening.