The CyberWire Daily Podcast 7.18.19
Ep 887 | 7.18.19

TrickBot’s new tricks. Poisoning the ad supply chain. Clouds get schooled. Novel phishing tackle, but stale bait. Cyberwar powers. Election interference. FaceApp fears. Bad macro suspect arrested.

Transcript

Dave Bittner: [00:00:03] TrickBot gets some new tricks. Poisoning the advertising supply chain. Hessian schools will shy away from American cloud services. A novel phishing campaign is technically savvy but gives itself away with broken English phishbait. Congress would like to see Presidential cyberwar instructions. Microsoft warns of foreign attacks on elections. FaceApp looks suspicious. And a suspect is collared in a malicious macro case. 

Dave Bittner: [00:00:34]  It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. Sign up for the Cyber Daily email, and every day you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by ExtraHop - providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. 

Dave Bittner: [00:01:59]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 18th, 2019. Deep Instinct sees a new capability in TrickBot - email credential harvesting. They're tracking TrickBooster, a new module that's able to infect email accounts, use them to send spam and then delete the spam from the sent email box. There's potential in such an approach for what Barracuda calls, in a new report, lateral phishing. This technique uses hijacked accounts to send malicious spam to its victims, counting on their familiarity with the apparent sender to induce them to open the email. 

Dave Bittner: [00:02:39]  Researchers at Confiant have found that a Hong Kong actor is trafficking in malvertising that effectively poisons the online advertising supply chain. The actor, fiber-ads or ClickFollow, is engaged in familiar kinds of ad fraud. Their activity also poses a risk of directing victims to landing pages that infect visitors with malware or at least unwanted programs. German schools, at least in the Land of Hessen - the central German state where Frankfurt and Darmstadt are located - will no longer use cloud offerings from Microsoft, Google and Apple. There are two issues here - data sovereignty and data privacy. If the data were stored in a properly bounded German cloud, that would be acceptable. But storing them in a European cloud that's, in principle, accessible to U.S. authorities won't fly. 

Dave Bittner: [00:03:32]  Data privacy is problematic because of the difficulty, perhaps the effective impossibility, of determining what data exactly the services collect. Consenting to collection is no solution because, Hessian authorities point out, it's impossible to give real consent when you can't tell what's being collected. Naked Security and others report this as a German policy, but it's worth noting that this is so far a matter for Hessen. Darmstadt's writ doesn't run in Stuttgart or Munich any more than, for example, the states of Texas and New York would necessarily feel compelled to knuckle under to a California rule. Or, heaven forfend, even a Pennsylvanian policy. But it does seem likely that the Hessian decision will prove a bellwether for policy in the Federal Republic as a whole. 

Dave Bittner: [00:04:20]  Mimecast recently published their third State of Email Security report. Our own Carole Theriault spoke with Mimecast's Michael Madon about the report and some of the specific attacks they're tracking. 

Carole Theriault: [00:04:32]  Michael, thank you so much for coming on the show. Really appreciate the time. So Michael, talk to me about impersonation attacks. What exactly is that? 

Michael Madon: [00:04:42]  Yeah. So it's - an impersonation attack is an attack where you get, for example, an email from your boss that says, hey, Michael, it's Lucy. As you know, I'm on traveling this week. I really need to close this deal. I'm speaking to a client. And I need you to send the account informations to me so I can close this deal with the client, ASAP; typically comes in the form of an email that's literally impersonating someone you know. Typically, it's someone in - a boss. It could be a colleague. It could be someone in finance. But it's an attack that asks you, at the end of the day, to provide some sort of compromise - information that will open your company, or you, up to attack. 

Michael Madon: [00:05:35]  Now, this also can be, for example, through phone, right? It could be through a text. It doesn't just have to be through email, but email is the most common form of impersonation attack. 

Carole Theriault: [00:05:44]  Right. And so you guys have just put out a report called "State of Email Security." This is your third report of this kind. And you have findings saying they're on the rise? 

Michael Madon: [00:05:55]  You know, we looked at more than 1,000 global IT decision-makers, and so the report is really comprehensive. And yeah, the attacks are on the rise. At the same time, confidence in defenses is falling, right? So, for example, I think roughly 60% of the respondents believe it's likely or inevitable that they'll suffer a negative business impact from an email-borne attack. And 54% saw phishing attacks increase and then 67%, close to 70, saw impersonation fraud increases, right? So it's absolutely on the rise because it's - these attacks, again, as I said, are getting increasingly more sophisticated - seemingly more sophisticated. Again, what's - I think what's really happening is these very sophisticated hackers are moving downstream to easier targets. 

Carole Theriault: [00:06:46]  Gotcha. OK, and so are they basically - is this called email spoofing? Is this another name for it? 

Michael Madon: [00:06:54]  It can be. I mean, it is technically. I mean, there's so many (laughter), you know - we're about to have - so yes, it's spoofing an email, but it's a specific type of spoofing. It's a spoofing where you're pretending to be someone you're not. And then there's a huge - these are very, very impactful. 

Michael Madon: [00:07:11]  For example, if I sent you a spoofing email for, you know, let's just say Amazon email, you might look at that and then just delete it. But if I sent you an email and I'm a hacker, and I sent an email from your boss saying, hey, I need this - and you're in finance - right? - and I said, I need this transaction to happen now. You need to send it to me. Well, that's a very, very different type of spoofing attack. So impersonation falls under spoofing because it's a type of spoof, but it's very, very targeted. And 73% of impersonation attacks have a direct loss. 

Carole Theriault: [00:07:47]  Gotcha. 

Michael Madon: [00:07:47]  I mean, people are extremely vulnerable. And the reason is this - they're just really busy. Like, security is not what 99.9% of normal people think about, right? What people are thinking about is doing their jobs. Getting up, going to work, picking up their kids from day care, you know, making sure they get the memo to their boss. And when they get a screening email from someone they - that they think is really important, they want to respond to it. So these impersonation attacks are so, so incredibly effective because they really get at the psychological nerve of a person. And the person wants to do good and respond. 

Michael Madon: [00:08:28]  There's two ways to address this, really - really only two ways, right? Way No. 1 is you need a good product to stop the vast majority of these impersonation attacks, and that specifically has features within their product specifically for impersonation, right? That's one. And then two - you have to better train your employees so that they're more aware, so that they know - right? Right? Ninety-five percent of all breaches involve human error - 95%, right? So whatever most companies are doing today in terms of awareness training, it's not working. It's about engaging the employees - right? - why security is important, not just for their company, but for their own jobs and their own personal lives. 

Carole Theriault: [00:09:17]  Michael Madon, thank you so much for talking with us today. This was Carole Theriault for the CyberWire. 

Dave Bittner: [00:09:24]  Cofense warns that there's a novel phishing campaign in progress against a familiar group of targets - American Express customers. The phishing emails use a base HTML tag to split up the malicious URL into two pieces. This technique may succeed in bypassing email gateway filtering services. As is so often the case with phishing, user awareness can help the intended catch spit the hook. The email is rife with the sort of clumsy English grammar and syntax that so often disfigure the criminal come-on. What are they after? The usual - the crooks want user credentials. 

Dave Bittner: [00:10:01]  The U.S. House Armed Services Committee has asked to see, quote, “all National Security Presidential Memorandums relating to Department of Defense operations in cyberspace,” quote. This sounds more sweeping than in fact it is - the document they’re particularly interested in seeing is National Security Presidential Memorandum 13, a classified instruction generally believed to have loosened restrictions on offensive cyber operations. Some such operations would constitute the kind of persistent engagement U.S. Cyber Command tested last month in exercise Cyber Flag 2019. Members of Congress say they’ve received briefings on the direction the Defense Department received in NSPM 13. Some of them are content with that, but others want to see the document itself. 

Dave Bittner: [00:10:48]  Microsoft says it's detected a lot of state-directed cyberattacks over the past year, most of them originating from Russia, Iran and North Korea. Redmond hints darkly that much of the activity represents an assault on democratic process. USA Today sees the warning as a sales pitch for election security tools. In fairness to Microsoft, they’re already offering election security tools to campaigns for free, and there’s nothing necessarily cynical about promotions and loss leaders. And besides, if you’re selling a hammer, you’re going to point out the various nails sticking up in the customer’s house. 

Dave Bittner: [00:11:23]  NBC News’ Frank Thorp tweeted yesterday afternoon that Senator Schumer, Democrat of New York, has asked the U.S. Federal Trade Commission to open an investigation into FaceApp. At issue is what the Senator characterizes as FaceApp's requirement that users give it full and irrevocable access to their images and associated data. He sees the Russian-developed app as posing a threat to both privacy and national security. As usual, the devil is in the details of the EULA. 

Dave Bittner: [00:11:50]  FaceApp’s privacy policy gives the company the right to publish or use any content shared with its app, including usernames and real names, and to do so without providing further notice or compensating the users in any way. That does indeed seem pretty open-ended. And FaceApp stores the data it collects in Russia, which is enough to give anyone the heebie-jeebies nowadays. The Democratic National Committee has already warned its candidates not to use FaceApp, but it’s a safe bet, people being the way they are, that some have already used it. So here’s an alternative - if you really feel a need to see what you’d look like older or younger or, for that matter, vegetable or mineral, get yourself a box of Crayolas and a pad and do a few imaginative self-portraits. Crayons and pads are already on sale - cheap as back-to-school items - so act now. 

Dave Bittner: [00:12:43]  And finally, we close with some good news. The High Tech Crime Unit of the Dutch National Police have collared a suspect in connection with the production and sale of malware. If you’ve run across malicious macros in Word or Excel files built from Rubella, Cetan and Dryad, you’ve seen some of his work. The 20-year-old suspect is so far unnamed, but he's known to live in Utrecht. So bravo to the high-tech crimes unit, and bravo to industry partner McAfee that provided them with important help. McAfee had been tracking the Rubella toolkit for some time, and the company provided the Dutch National Police with important support during their investigation. So bravo McAfee and to the Dutch National Police - good hunting. 

Dave Bittner: [00:13:31]  And now, a word from our sponsor KnowBe4, the experts in new-school approaches to defeating social engineering. You ever wonder how hackers and con artists know so much about their targets? Basically, there's more information out there on everyone than you'd like to believe. There's even a name for it - open-source intelligence - OSINT. Kevin Mitnick, KnowBe4's chief hacking officer, can show you what the bad guys can find out about you. Go to knowbe4.com/osint and register for a free webinar with people who know a thing or two about mind-blowing underground OSINT secrets that you need to know. That's knowbe4.com/osint. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:14:26]  And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, it's great to have you back. I saw an interesting security advisory come by from the folks who make the Yubico keys, which are used to help secure devices. And they found themselves in a situation where, I guess, some of their random number generation wasn't as random as they hoped it was. Give us some insights. What's going on here? 

Jonathan Katz: [00:14:55]  Well, as you know, it's critically important when using cryptography that the keys that you choose - and actually, all the random values you use in the course of implementing cryptography - have to be truly random. And a lot of times in the real world, security vulnerabilities arise due to improper randomness in cryptographic protocols. 

Jonathan Katz: [00:15:14]  We've seen this before. We saw this a couple of years ago with generation of RSA keys by routers, and we're seeing basically the - a similar thing here again, where improper randomness is being used at boot-up time. And I guess, essentially, what's going on is that when the device is initially booted up - does some process that it goes through in order to try to generate randomness that's then used as part of a cryptographic algorithm, and it wasn't doing it properly for whatever reason. And so the user was essentially getting lower-quality randomness than what they expected. 

Dave Bittner: [00:15:45]  And this would open up the possibility of what? 

Jonathan Katz: [00:15:48]  Well, for - let me take a simple example, which doesn't really apply to the YubiKey, but it just gives an idea of what's going on. Imagine that you're trying to generate, say, a random 128-bit AES key, but 64 of those bits are not random for whatever reason. Let's even say that they're all set to zero. So now what that's going to do is that's going to make the job of an attacker who's trying to guess the key a lot easier because rather than having to try to enumerate over a 128-bit key, which is 2 to the 128 possibilities, now they only have to enumerate over a 64-bit key, which is 2 to the 64 different possibilities. And even though the difference between 128 and 64 might sound small, it's in the exponent here. 

Dave Bittner: [00:16:29]  Right. 

Jonathan Katz: [00:16:30]  And so 2 to the 64 is astronomically smaller than 2 to the 128. And so it's a huge difference from the point of view of the attacker. In the case of the YubiKey, they were actually looking at improper randomness for public key algorithms rather than private key algorithms, but the basic idea is the same. 

Dave Bittner: [00:16:45]  Yeah. You know, to take a little, brief trip down memory lane, since you and I are of a similar generation of having spent some time back in the 8-bit computer days, I remember, you know, back in the days of Apple IIs and TRS-80s that - we talk about random number generation at power-up. If you powered up your computer and called for a random number, it would be the same every single time. 

Jonathan Katz: [00:17:09]  (Laughter). 

Dave Bittner: [00:17:10]  And... 

Jonathan Katz: [00:17:11]  Well, the truth is it's not so easy to generate random numbers. If you think about it, computers are ultimately deterministic processes. And so a computer on its own can't really generate a random number. And so what they need to do is ultimately rely on some physical input in order to generate randomness. 

Dave Bittner: [00:17:26]  Yeah. 

Jonathan Katz: [00:17:27]  You know, on a desktop computer, you might use user mouse movements or keyboard typing speeds or things like that to generate random data. But on a YubiKey, there's not that much that you can rely on. And so I'm not even sure offhand what they're using to generate randomness, but you can imagine that it might be quite difficult and might take some bit of time in order to generate true high-quality random data. 

Dave Bittner: [00:17:48]  Yeah. Back in the day, we used, you know, press any key. And in between that, it was just, you know, internally generating random numbers, relying on the fact that, you know, not everyone would press any key at the same time. And... 

Jonathan Katz: [00:18:01]  Right. 

Dave Bittner: [00:18:02]  ...For what it was worth, it worked. 

Jonathan Katz: [00:18:03]  Right. Well, you know, we're not sure. I'm - I wouldn't count on it, to be honest. I think the... 

Dave Bittner: [00:18:08]  It will ruin everything, Jonathan. 

Jonathan Katz: [00:18:09]  But you know - but this... 

[00:18:10]  (LAUGHTER) 

Jonathan Katz: [00:18:10]  But you're talking about computers from 35 years ago, and so... 

Dave Bittner: [00:18:14]  Right. Right. 

Jonathan Katz: [00:18:15]  I - it would not surprise me if they're vulnerable to the attacks of today (laughter). 

Dave Bittner: [00:18:19]  All right. Fair enough. Fair enough. All right. Jonathan Katz, thanks for joining us. 

Jonathan Katz: [00:18:23]  Great. Thanks again. 

Dave Bittner: [00:18:29]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:18:42]  Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. 

Dave Bittner: [00:19:10]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.