The CyberWire Daily Podcast 9.9.19
Ep 923 | 9.9.19

BEC attack pulls millions from car parts company. Wikipedia DDoS. NERC and FERC on grid hacking. Trolling Pyongyang. Mike Hammer goes to the DMV.


Dave Bittner: [00:00:00] Hey everybody. Dave here with a quick reminder that if you enjoy our podcasts, there are a number of ways you can help support us. You can, of course, contribute directly via our Patreon page, and we thank all of you who continue to do that. You can let our sponsors know you heard about them on the CyberWire, which helps them know they're getting good value from their ads. And you can help spread the word to your friends and co-workers to introduce them to the CyberWire and share that it's something you consider a valuable part of your day. We do appreciate all of the support. Here's today's show. 

Dave Bittner: [00:00:34]  A big email scam extracts more than $37 million from a major automotive parts supplier. Wikipedia suffers a DDoS attack in Europe and the Middle East. NERC and FERC get to work. Thrip may really be Billbug, and that's attribution, not etymology. Was U.S. Cyber Command trolling North Korea on the DPRK's national day? And what does the Department of Motor Vehicles do with all the data they collect on drivers? In some U.S. states, it seems they sell it to private eyes. 

Dave Bittner: [00:01:11]  It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want, actionable intelligence. Sign up for the Cyber Daily email, and every day you'll receive the top trending indicators Recorded Future captures crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. That's And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:02:21]  Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at 

Dave Bittner: [00:02:49]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 9, 2019. At the end of last week, Toyota Boshoku Corporation, an automobile component manufacturer and a member of the Toyota Group, disclosed that a European subsidiary lost more than $37 million when it fell for a business email compromise attack. The incident itself took place on August 14. Toyota Boshoku has said in its disclosure that the loss occurred when the company followed, quote, "fraudulent payment directions from a malicious third party" end quote. The loss was a heavy one, and it highlights the risk of business email compromise even to well-established companies that can be expected to have sound procedures in place. Little more than these bare facts are known at this time. Toyota Boshoku says it's inhibited from saying more because of its participation in the ongoing police investigations. It does say it's working to recover the funds its subsidiary lost, and it asks for everyone's understanding its decision not to offer more information at this time. 

Dave Bittner: [00:03:59]  Also over the weekend, Wikipedia sustained a cyberattack that took it offline in several countries. Computing calls the outage the result of a large distributed denial-of-service attack affecting Europe and the Middle East. The Wikimedia Foundation said Saturday that bad faith actors of the sort it tends to attract were responsible. Wikipedia is working to restore normal operations. The foundation declined in its post to speculate about attribution. 

Dave Bittner: [00:04:27]  The North American Electric Reliability Corporation, NERC, an industry group, has released a report on the March 5, 2019 incident that affected the U.S. power grid. According to E&E News, this cyberattack generated the first formal report of a cyber incident from the utilities to the Department of Energy. NERC's report of lessons learned downplays the severity of the attack as affecting a low-impact control center, and it cites a basic lapse in cyber hygiene, namely failure to patch a firewall, as the enabling cause. NERC recommends that utilities follow a set of familiar best practices - patch management, network segmentation, network monitoring and so on. Coincidentally or not, The Wall Street Journal observes that the Federal Energy Regulatory Commission - FERC, a U.S. government regulatory body - is considering revising its rules to include public identification of electric utilities that fail to follow rules designed to ensure the grid's physical and cyber security. 

Dave Bittner: [00:05:31]  CyberScoop reports that Symantec thinks a recently discovered Chinese government hacking group, Thrip, may actually be another manifestation of the long-active Billbug or Lotus Blossom unit. Thrip, like Lotus Blossom, has concentrated on military organizations. It's also particularly interested in satellite communications, media and education targets. The geographical focus has been Southeast Asia. 

Dave Bittner: [00:05:58]  What is trolling? It's a word with a complicated history. Its root meaning is a technique of fishing from a slow-moving boat, often with multiple hooks. It came to be used in the 1990s as a description of certain forms of online behavior designed to elicit a response from people looking at the internet. Soon, people who trolled - that is, people who tried to engage others with distracting, often off-topics posts or comments - came to be known as trolls because trolling sounded like something mythical Scandinavian beings might do, maybe from beneath a bridge. So would trolling count as a kind of information operation? Well, sure. Why not? 

Dave Bittner: [00:06:40]  U.S. Cyber Command seems to have been trolling Pyongyang by releasing samples of DPRK malware on North Korea's national holiday. Axios think so, anyway. September 9, which is today on the Baltimore side of the international dateline but yesterday on the Sinuiju side, is the day of the foundation of the republic. It's a big day in the DPRK, like the Fourth of July in the United States only with more flag teams and rhythmic applause than fireworks and grilled hot dogs. We should note that the North Korean government has been telling the rest of the world that, contrary to the slanders being mouthed by the Yankee puppets on the U.N. Security Council, they don't hack stuff or rob banks or jackpot ATMs or any of that stuff. 

Dave Bittner: [00:07:26]  At any rate, between midnight and 1 in the morning yesterday, Cyber Command released some hidden Cobra code for the benefit of researchers. Axios asked them if the timing was deliberate, if they were messing with Mr. Kim's head. Cyber Command said, in effect, no comment. Quote, "we do not discuss details about the malware samples in CNMF team posts," end quote, is how their public affairs representative put it in a statement that doesn't even amount to a non-denial denial. As one tweeter observed, it's old stuff, and at this point on this day, Cyber Command is just being mean. On the other hand, it couldn't happen to a nicer guy, right, Mr. Kim? 

Dave Bittner: [00:08:09]  And finally, what do Departments of Motor Vehicles do with all that information they collect about drivers? In the U.S. and elsewhere, driver's licenses can amount to a de facto national identification system, and the DMV asks a lot of questions about you. A recent visit by one of our people to the DMV on the north side of Baltimore this weekend required birth certificates, marriage licenses, W-2 tax forms, a recent credit card statement and a recent utility bill, which is quite a grab bag of PII. So what did they do with all that stuff? Make sure you're you, of course, for one thing, but according to an investigation published by Vice, a lot of state DMVs are selling the data to third parties for some serious dough, enriching the state coffers to the tune of tens of millions of dollars. Who's buying? Some of the purchasers strike Vice as more or less legit, like towing outfits and insurance companies. Others, however, seem, as Vice puts it, more nefarious, notably private investigators. And unlike Philip Marlowe, these gumshoes are happy to do divorce work. Several of the DMVs told reporters that they drew the line at selling the photos on the licenses, so we've got that going for us, I guess. 

Dave Bittner: [00:09:30]  And now a word from our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys, your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at That's, and we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:10:26]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: [00:10:35]  Hi, Dave. 

Dave Bittner: [00:10:36]  I got an interesting story from The Verge, and this is about an update that Google made to Gmail for iOS users. 

Joe Carrigan: [00:10:43]  Right. 

Dave Bittner: [00:10:43]  What's going on here? 

Joe Carrigan: [00:10:44]  So what they've done is they've finally given Gmail users on iOS the option of blocking images from being loaded when you open an email. 

Dave Bittner: [00:10:54]  OK. 

Joe Carrigan: [00:10:54]  Right? 

Dave Bittner: [00:10:55]  Is this some - you're an Android user. 

Joe Carrigan: [00:10:56]  I am an Android user. 

Dave Bittner: [00:10:57]  Is this something you could - already had that capability over on Planet Android? 

Joe Carrigan: [00:11:02]  It would seem so... 

Dave Bittner: [00:11:03]  OK. 

Joe Carrigan: [00:11:03]  ...Although until this story came across, I didn't change the settings. But I was able to go in and quickly change the settings for all my accounts. Now, it's account per account basis, so the setting is attached to the account, not your Gmail client in general. 

Dave Bittner: [00:11:19]  I see. 

Joe Carrigan: [00:11:20]  So I have, like, five Gmail accounts on my phone. 

Dave Bittner: [00:11:23]  Right. 

Joe Carrigan: [00:11:23]  What was interesting is, in the article, it says that iOS for Gmail users will now let you do it, but if you use G Suite, you cannot block images from loading, right? 

Dave Bittner: [00:11:34]  So the corporate users... 

Joe Carrigan: [00:11:35]  Corporate users cannot... 

Dave Bittner: [00:11:37]  ...Can't do it. 

Joe Carrigan: [00:11:37]  ...Can't do it, but corporate users can do it on Android because I have a corporate email account from G Suite on my phone. I was able to change the setting for loading images on loading the email. 

Dave Bittner: [00:11:48]  Now, let's review here. What's the significance of being able to turn off loading images? 

Joe Carrigan: [00:11:53]  OK, so there is actually a privacy and security risk with this. Somebody can attach or put in - embed in the HTML of an email because now - for years now, for decades now - email has been using HTML. I can create a unique file name for every email I send out and have that file loaded when someone opens the email, and the HTML engine of either the email client or the web page notices that there is a link for an image. It goes and it requests the image, but because it requested an image with a unique name, I know who has opened that email, when they open the email, and I may actually know where they are. 

Dave Bittner: [00:12:38]  So this is the whole tracking pixels thing. 

Joe Carrigan: [00:12:41]  Right. It's a tracking pixel, essentially. 

Dave Bittner: [00:12:42]  Right. 

Joe Carrigan: [00:12:42]  It could be a very small white image that you'll never see. 

Dave Bittner: [00:12:45]  And I look at - I open an email in my email client. This tracking pixel gets summoned. 

Joe Carrigan: [00:12:51]  Right. 

Dave Bittner: [00:12:51]  And you know that I've opened the email. 

Joe Carrigan: [00:12:53]  Correct. 

Dave Bittner: [00:12:54]  Right. Now, I actually have a plugin for Chrome that I use... 

Joe Carrigan: [00:13:01]  Right. 

Dave Bittner: [00:13:01]  ...That blocks tracking pixels. It's called Ugly Email. 

Joe Carrigan: [00:13:05]  Ugly Email... 

Dave Bittner: [00:13:05]  Ugly Email - and one of the things I like about it is that it puts up a little icon next to messages that contain tracking pixels. 

Joe Carrigan: [00:13:15]  So it knows before you open it. 

Dave Bittner: [00:13:17]  Correct. And one of the things I like about this is that it just lets me know who's trying to track me. 

Joe Carrigan: [00:13:26]  That's good information to have, I think. 

Dave Bittner: [00:13:28]  It is, and it's very interesting. I mean, obviously, you know, here at the CyberWire, we get lots of email from PR folks. PR folks love to know if you've opened their emails or not. 

Joe Carrigan: [00:13:38]  Yes, they do. 

Dave Bittner: [00:13:39]  So, you know, and this also blocks that, so they don't know if you've opened their emails or not. So, you know, that can be helpful. So yeah, interesting... 

Joe Carrigan: [00:13:49]  It's a good party - a good third-party solution on your web browser, but what about your phone? Now Google is allowing you to do this on your Google account, your Gmail accounts, but not on your G Suite accounts. I think they need to go ahead and allow G Suite users to go - to do this as well. 

Dave Bittner: [00:14:05]  All right, well, it's a good capability. I guess I could say, what took you so long? 

Joe Carrigan: [00:14:09]  Right. 

Dave Bittner: [00:14:10]  But... 

Joe Carrigan: [00:14:11]  I'll say that for you, Dave. 

Dave Bittner: [00:14:12]  OK. Right. 

Joe Carrigan: [00:14:13]  Why haven't you done it for G Suite users? That's what I'd like to know. 

Dave Bittner: [00:14:15]  Yeah. 

Joe Carrigan: [00:14:16]  On iOS - I mean, I can do it on my Android phone, but it seems like it's a fairly simple fix. 

Dave Bittner: [00:14:20]  Yeah. All right, well, good to know, and if this is something you think concerns you, definitely worth going in and checking those settings. Maybe it's something you want to turn on. 

Joe Carrigan: [00:14:30]  Yep. 

Dave Bittner: [00:14:31]  All right. Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:14:32]  My pleasure, Dave. 

Dave Bittner: [00:14:38]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leaving insider threat management platform. Learn more at 

Dave Bittner: [00:14:51]  Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at 

Dave Bittner: [00:15:19]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.