The CyberWire Daily Podcast 11.5.19
Ep 964 | 11.5.19

Ransomware in Spain. Pegasus in India. TikTok on the Huawei highway? Booz Allen predicts! And good dogs sniff out bad data.


Dave Bittner: [00:00:03] Ransomware hits Spanish companies. Pegasus continues to excite controversy in India. TikTok applies for Big Tech's good citizen Club but has apparently so far been blackballed. Booz Allen offers nine predictions for 2020. And good dogs go after bad guys' data storage devices. 

Dave Bittner: [00:00:27]  And now word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at That's And we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing one billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:01:39]  From the CyberWire studios at DataTribe, I'm Dave Bittner, with a little bit of a cold, with your CyberWire summary for Tuesday, November 5, 2019. Ransomware has hit Spain. Reuters reports that a ransomware attack hit the country's largest radio station, Cadena SER, yesterday. National service was disrupted, but local broadcasting continued without interruption. It's unknown what strain of ransomware was involved in the attack. SER is working toward recovery. Spain's national security department said that other unspecified companies were affected by similar attacks. The agency said that SER had disconnected its major systems from its networks, and it recommended that other organizations similarly affected do likewise. Bleeping Computer says it's obtained a leaked copy of a ransom note that confirms that NTT Data subsidiary Everis was one of the officially unnamed companies that were also hit. 

Dave Bittner: [00:02:37]  One of Spain's larger managed service providers, Everis is thought to have been infected with a variant of Bitpaymer ransomware. The extortionists have asked the MSP for just under $836,000 in ransom, reports. Other enterprises are concerned about the possibility of downstream attacks flowing from those affecting the widely used MSP. Bleeping Computer cites an anonymous source close to those investigating the incident as saying that the extortionists may have exploited the BlueKeep vulnerability in their attack. But the grounds for this suspicion may be circumstantial. The advice to disconnect systems is being read by more than a few observers as an indication that there's a worm involved, and the wormhole of the day is, of course, BlueKeep. 

Dave Bittner: [00:03:25]  The list of those WhatsApp warned of possible Pegasus infections strikes many in India as suggesting that the spyware was distributed by the government. India's government, the BBC reports, denies any such involvement in the incident. The Scroll describes the activists, lawyers and scholars whose devices were affected. WhatsApp's litigation against NSO Group is proceeding in a U.S. court, but Reuters reports that an activist lawyer has petitioned India's supreme court to direct the country's counterterrorism agency to open an investigation into not only NSO Group but also WhatsApp and its corporate parent, Facebook. One of the matters at issue is said to be a claim that the app's encryption isn't up to snuff. 

Dave Bittner: [00:04:08]  The Chinese-owned social media app TikTok remains the subject of a U.S. security investigation, and the Defense Department is considering how to educate military personnel about the risks the app might pose, Military Times reports. TikTok seems destined for the Huawei/ZTE treatment from Washington, and it's displaying the kind of preemptive good corporate citizenship the two hardware giants used in their own charm offensives. In TikTok's case, the social medium has applied to join the Global Internet Forum to Counter Terrorism, a club to which Facebook, Microsoft, Twitter, YouTube, Pinterest, Dropbox, Amazon, LinkedIn and WhatsApp currently belong. The Hill says that the forum has so far declined to admit TikTok, probably over concerns surrounding the company's data collection and censorship practices. But you can't blame 'em for trying. 

Dave Bittner: [00:05:00]  Booz Allen today released its predictions for the major threat trends of 2020. They call out nine of these. First, the global balkanization of technology, by which they mean such government policies as Roskomnadzor's movement toward creating an autarkic Russian internet and Moscow's offers to create similar national internet infrastructures for the BRICS nations - Brazil, Russia, India, China, and South Africa - as well as an alternative domain name system. Second, they see the clones and counterfeits posing a growing threat to supply chains. Third, the swiftly increasing rates at which automobiles generate data will prove, they say, irresistible to cybercriminals. They expect the hoods to work hard at stealing information from cars and monetize that information as they have other categories of data. And a similar development, the proliferation of drones as business tools, will, in Booz Allen's fourth prediction, increase many businesses' attack surfaces. A lot of Bluetooth exploits, for example, work only if you're close to the targets. And drones will, they say, make for a new generation of war driving. 

Dave Bittner: [00:06:08]  Fifth, since satellites are becoming more enmeshed with terrestrial IT, the study predicts more cyberattacks against satellites. Consider the ubiquity of GPS and the arrival of satellite constellations, like Starlink, that will deliver the internet to users on the ground. Sixth, nation-states can be expected to use more of the same attack tools and techniques, and attribution, already difficult, will get tougher. Seventh, threat actors will continue their efforts to interfere with elections by the trolling of opinion by disinformation and by direct attack on election infrastructure. Cyber operations will continue their integration with conventional kinetic military operations. Sometimes, that will offer nation-states a nonlethal option. But - and here's their eighth prediction - at other times, cyberattacks can be expected to prompt kinetic retaliation. And ninth and last, next year, the world will come to Tokyo for the Olympic Games. There won't be any medals in cyber, but the competition can be expected to be fierce. Ourselves, we're pulling for Team Japan on this one. 

Dave Bittner: [00:07:15]  Finally, the New Yorker this week takes a quick look at how dogs help investigate cybercrime. No, you can't learn to code at obedience school. But on the principle that any cyberspace badness has to manifest itself in some hardware sometime, somewhere, police agencies are training dogs to sniff out electronics to help them find the servers, flash drives, SD cards, GPS units, bitcoin hardware wallets and so forth on which criminal evidence can be found. 

Dave Bittner: [00:07:43]  These things are often hidden away, like other contraband, inside file cabinets, walls, fire extinguishers and the like. The specialty is called electronic storage detection, ESD, and the dogs are trained to sniff out triphenylphosphine oxide, commonly used to coat memory chips. The handlers train their canine assistants with treats, and, says one trainer, that's why they tend to favor labs because labs have big appetites for snacks, even by dog standards. So if you're up to no good, the dogs will sniff you out - or at least your triphenylphosphine oxide. 

Dave Bittner: [00:08:25]  And now a word from our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest book, "SOAR Platforms: Everything You Need to Know about Security, Orchestration, Automation, and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR, and ends with a checklist for a complete SOAR solution. You can download it at That's And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:09:38]  And joining me once again is Ben Yelin. He's the program director for Public Policy and External Affairs at the University of Maryland's Center for Health and Homeland Security. Ben, always great to have you back. This story came by on Motherboard, written by Joseph Cox, and the title is "AT&T Says Customers Can't Sue the Company for Selling Location Data to Bounty Hunters." What's going on here? 

Ben Yelin: [00:09:59]  So we saw some articles earlier in the year based on investigations by Motherboard and other entities that AT&T and other telecommunications companies were selling user location data to bounty hunters for a price. Once this information became public, AT&T and the other companies claim that they were not going to do this anymore, they're going to change their policies. And that is all well and good, but the people whose information was the subject of those sales, obviously, have some sort of legal grievance against AT&T. So they decided to file a class-action lawsuit in order to get themselves compensated for damages but also to halt AT&T from engaging in this practice in the future. And AT&T is saying that those users cannot instigate a class-action lawsuit because when they agreed to their terms of services, they agreed to resolve all disputes in arbitration proceedings. So it is a mandatory arbitration agreement. 

Ben Yelin: [00:11:01]  Now, pretty much every telecommunications company and pretty much any big business, for that matter, has these mandatory arbitration clauses. When you sign those terms and conditions, when you press, I agree to the 40 pages of terms and conditions that AT&T is presenting itself, when I just want to open my new iPhone, you are agreeing to these mandatory arbitration clauses. These are very disfavorable to users of the technology because generally AT&T picks the arbiters. See, the users themselves, once it gets into arbitration, generally do not have a good chance of winning at those proceedings. And you're cutting off all other avenues of judicial review. So this is, you know, I think, a public policy issue. If these technology companies are able to enforce these mandatory arbitration clauses, there's not sufficient recourse for users when AT&T and other telecommunications companies engage in questionable conduct. 

Dave Bittner: [00:12:07]  Now, interesting note in this article. They spoke to an attorney, Adam Gutride, I believe his name is. And he had sued AT&T over an incident involving roaming fees, and they persuaded a circuit court that the arbitration clause was unenforceable. What's going on there? 

Ben Yelin: [00:12:27]  So his claim is that because the arbitration clause would prevent consumers from obtaining what's called a public injunction, which is a way to stop the alleged illegal contact - conduct, that mandatory arbitration is not enforceable. I think this is an interesting argument. That was a decision made at the 9th Circuit U.S. Court of Appeals. So obviously, they've gotten themselves to the appeals court level. This has not been subject to review by the United States Supreme Court. I don't know if that argument will ultimately prevail, but that's probably the best chance users are going to get for some sort of equitable outcome. You know, the other option they mention this article for users is to opt out of the arbitration clause, which some telecommunications companies allow you to do while still agreeing to the majority of the terms and conditions. 

Ben Yelin: [00:13:24]  But I just think most laypeople never read the terms and conditions, probably have no idea what a mandatory arbitration clause is and would have no way of knowing that this was a potential option. So I think it's really a recourse in name only. The other recourse is to make changes in public policy, and that's actually what's happening at the congressional level right now. So the House passed a bill that would prohibit mandatory arbitration clauses. It was an acronym known as the FAIR Act. I don't know what this acronym was. 

Dave Bittner: [00:13:57]  I'm guessing the A stands for arbitration, but... 

Ben Yelin: [00:14:00]  Something like that. 

Dave Bittner: [00:14:01]  Yeah. 

Ben Yelin: [00:14:01]  Yeah. 

Dave Bittner: [00:14:02]  (Laughter). 

Ben Yelin: [00:14:02]  I'm pretty sure that's the case, but I don't know what they came up with for the other letters. 

Dave Bittner: [00:14:05]  Yeah. 

Ben Yelin: [00:14:07]  This is something that Democratic members of the House have been working on for a while. They see these mandatory arbitration clauses as unfair to consumers. It blocks the ability for consumers to get recourse in the event of bad behavior from big business. This bill is going nowhere fast in the United States Senate so it is not a policy that's going to be adopted in the near term. But this could be a preview of future federal action to curtail the use of these mandatory arbitration agreements. 

Dave Bittner: [00:14:39]  We'll keep an eye on it. Ben Yelin, thanks for joining us. 

Ben Yelin: [00:14:42]  Thank you. 

Dave Bittner: [00:14:47]  And that's the CyberWire. 

Dave Bittner: [00:14:49]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:15:00]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.