The CyberWire Daily Podcast 5.12.16
Ep 98 | 5.12.16

US-CERT warns of SAP issues. Business disruption big criminal business. A talk with IBM about Watson.


Dave Bittner: [00:00:02:24] Onapsis and US-CERT warn that some old SAP vulnerabilities are back to bite you. Pawn Storm is also back and it's interested in Germany's CDU. As stolen data drops in black market value; criminals turn to business disruption. We hear advice on what you should with a dodgy-looking email and we have a talk with IBM as it sends Watson off to college; they sure grow up fast, don't they?

Dave Bittner: [00:00:28:14] This CyberWire podcast is brought to you by Recorded Future, the real-time threat intelligence company whose patented web intelligence engine continuously analyzes the entire web, to give information security analysts unmatched insight into emerging threats. Sign up for a free daily threat intel updates at

Dave Bittner: [00:00:52:17] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, May 12th, 2016.

Dave Bittner: [00:00:58:22] US-CERT warned yesterday that enterprises may have exposed themselves to attack by the way they've configured their SAP business applications. Onapsis, which did the research that led to the warning, found that at least 36 enterprises are vulnerable to exploitation of a bug discovered, and patched, back in 2010. But it was up to organizations to enable the security upgrade in their SAP implementation. US-CERT says the problem arises from abuse of the Invoker Servlet, a built-in functionality in SAP NetWeaver Application Server Java systems. Out-of-date or misconfigured SAP instances should be checked and fixed. Onapsis had noticed "common similarities" in its scans of customer systems and further investigation revealed that old indicators of compromise "had been quietly sitting in the public domain for several years at a digital forum registered in China." The company explicitly says it has no reason to conclude that there's a state-sponsored or otherwise organized campaign to exploit the vulnerabilities, but it does call what it's found so far "the tip of the iceberg." So SAP users should look to their systems as we stand by for more of that iceberg.

Dave Bittner: [00:02:09:04] Pawn Storm is back, out and about, and as vigorous as ever. It's probing critics of the Russian government. According to Trend Micro, Pawn Storm's current interest is Germany’s Christian Democratic Union, the political party of Chancellor Merkel.

Dave Bittner: [00:02:23:06] Proofpoint says Locky ransomware is evolving. Not only is it being widely distributed by Dridex, but researchers are observing some new behavior, including: "Increasingly convoluted JavaScript obfuscation." "Additional junk files to help evade detection." "Mangled “Content-Type” headers to help evade detection." and the "Use of RAR instead of Zip compression of JavaScript." These collectively make Locky harder to detect. The ransomware is also now using an intermediate loader, named "RockLoader," which waits until it replaces itself with Locky proper.

Dave Bittner: [00:02:56:05] IBM has published a look at Dogspectus, the Android ransomware discovered and described by Blue Coat. Dogspectus represents a disturbing new approach to ransomware coding in that it requires minimal user interaction to achieve infection: it downloads automatically when a user visits a malicious website. Researchers have found that devices running Android versions 4.0.3 through 4.4.4 can be infected. It's worth noting, however, what IBM calls "good news": Dogspectus doesn't encrypt data, it merely locks the victim device. Thus it may be possible to access and copy data saved in both internal memory and attached storage, and then remove the infection with a factory reset. Dogspectus aside, email remains a common malware infection vector. We spoke with Johns Hopkins University's Joe Carrigan about what to do when you get a suspicious email. We'll hear from him after the break.

Dave Bittner: [00:03:49:09] Business disruption has clearly become a major cyber criminal profit center. Specialized hackers, "stressers" as they're sometimes called, offer booter services that function effectively as DDoS-as-a-service. And there's a market for their services, too: they are said to easily pull in $300 to $500 a day. Many of them tell themselves, and presumably others, that they're really pentesters, not really hoods, and so on, but few observers are willing to take them at their self-estimation. We note that Lizard Squad was an early entrant into this criminal market.

Dave Bittner: [00:04:23:07] The other prominent form of business disruption is, of course, ransomware. Palo Alto Networks describes how cyber extortion, while requiring some technical sophistication, can be both a relatively low-cost and highly targeted form of crime.

Dave Bittner: [00:04:37:07] Market forces are playing a role in this criminal cultural shift: as stolen data becomes increasingly commodified, activity shifts from earlier capers like carding to higher payoff exploits involving extortion.

Dave Bittner: [00:04:49:06] These days, when we mention artificial intelligence, you might think of Siri on your iPhone or Cortana on android, having our spoken questions answered by computers is fairly routine these days, but just a few years ago, back in 2013, the notion that a computer could compete and win against top human players on the TV game show, Jeopardy, was mind-blowing. That machine was IBM's Watson.

Alex Trebek: [00:05:13:19] Watson, who is Franz Liszt, you are right. What is violin. Good. Who is the Church Lady? Yes. Watson, what is narcolepsy? You are right and with that, you move to $36,681.

Dave Bittner: [00:05:29:19] Caleb Barlow is Vice President for security with IBM.

Caleb Barlow: [00:05:33:17] Since winning the Jeopardy competition, Watson, we've been looking at cognitive computing in a variety of ways, everything from what recipe might you make based on the ingredients in your fridge, to harder world-changing challenges like trying to solve cancer.

Dave Bittner: [00:05:48:14] The advantage of a system like Watson, according to IBM, is its ability to interpret data that's traditionally been hard for computers to handle.

Caleb Barlow: [00:05:55:15] Most of the data that we apply today in the world of cyber security is in the form of structure data; things that are machine readable. But about 80% of the data that we really want to get access to is in an unstructured form; it's blogs, Wikis, videos, the latest research report or the transcript from the latest seminar on security.

Dave Bittner: [00:06:15:18] Watson maybe an ace when it comes to answering questions on Jeopardy, but when it comes to cyber security, it's still got a lot to learn.

Caleb Barlow: [00:06:22:13] Much like human learning, it has to learn the language of security, it needs to learn what's an attack, what's a target, what's a victim, what is malware, what is a ransomware. Starting with one of our engineers and Watson thought ransomware was a city and why I'm not really completely sure, I'm sure there must be a city somewhere called Ransom. So obviously it's a little bit humorous but also much like human learning, it learns by making mistakes. We had to go back and say, "No Watson, this is in fact not a location, it is actually an attack methodology and it's that type of grading process, along with the intonation, that helps the system actually learn.

Dave Bittner: [00:07:04:15] IBM is partnering with colleges and universities, to get Watson up to speed, ultimately they hope it helps provide enhanced protection against cyber threats.

Caleb Barlow: [00:07:13:10] Your average enterprise receives over 200,000 security events every single day. Now, most of those are false positives, we're looking for that needle in the stack of needles and it becomes very difficult for human beings to find that on their own, they need some help and that's what Watson can do. He can help to weed out those false positives, but also identify that needle, if you will, not in the haystack, but in a stack of needles.

Dave Bittner: [00:07:40:18] That's Caleb Barlow from IBM. By the way, I always had a soft spot for HAL, from 2001, A Space Odyssey. HAL, care to say a few words?

HAL: [00:07:50:15] I'm sorry Dave, I'm afraid I can't do that.

Dave Bittner: [00:07:55:08] And yet, you just did.

Dave Bittner: [00:08:02:20] This CyberWire podcast is brought to you by Recorded Future, the real-time threat intelligence company whose patented web intelligence engine continuously analyzes the entire web to give information security analysts unmatched insight into emerging threats. Sign up for free daily threat intel updates at

Dave Bittner: [00:08:28:05] Joining me once again is Joe Carrigan from the Johns Hopkins University information security institute. Joe, you recently had an email that came with some links that you thought were suspicious, why don't you tell us that story.

Joe Carrigan: [00:08:39:11] That's right, I got an email, the first thing that tipped me off was the grammar in the email wasn't well done and then there was a link to a domain I had never seen, but it talked about tolls and I had just incurred a massive amount of tolls going up to New York and coming back about a week ago.

Dave Bittner: [00:08:55:20] These are traffic tolls?

Joe Carrigan: [00:08:56:05] Traffic rolls, right, like the E-ZPass system. But actually it was referencing a trip back in February that I took, but I wasn't entirely sure this was a legitimate email. I have on my machine, something called VMware Workstation, which allows me to fire-up virtual machines and I've talked about virtual machines here before, they're essentially machines that run as virtualized machines and they only exist in software on your host machine, which would be your hardware that you have.

Dave Bittner: [00:09:25:09] So it's kind of a self-contained way, or an isolated machine that's only running in software on your machine?

Joe Carrigan: [00:09:31:17] Well, it's only running in software on your machine, but it's not truly isolated, it has some interfaces to the outside world, but if I change something on a virtual hard drive, I don't change something on my real actual physical hard drive.

Dave Bittner: [00:09:44:02] I see.

Joe Carrigan: [00:09:44:23] Virtual Box, which is a free product and VMware Workstation that I use, both have the capability to take these things called snapshots, which is a state of the machine as it is right now. So I go ahead and I take a snapshot, now if I'm going to execute a link that's malicious, I can just go back to that snapshot and it's like I never executed the link and I pasted the link into a browser in my virtual machine and executed the link and it turned out actually to be some tolls from a trip I took in February and they're just now sending me the email that has the invoice for them.

Dave Bittner: [00:10:15:08] So it was a legitimate link.

Joe Carrigan: [00:10:16:10] It was.

Dave Bittner: [00:10:17:23] But better safe than sorry.

Joe Carrigan: [00:10:19:03] Exactly.

Dave Bittner: [00:10:19:12] Alright, virtual machines can be your friend. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:10:23:19] My pleasure.

Dave Bittner: [00:10:27:05] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors who make the CyberWire possible. And if you're interested in reaching a global audience of security influencers and decision makers, well, you've come to the right shop. Visit, to learn more, don't forget to review us on iTunes, like us on Facebook and follow us on Twitter. The CyberWire is produced by Pratt Street Media. The editor is John Petrik. I'm Dave Bittner. Thanks for listening.