The CyberWire Daily Podcast 4.27.18
Ep 587 | 4.27.18

Crimeware kits, ransomware, and source code breaches. The Internet conduces to organic radicalization. Russia in Finland. Snooper's Charter notes. Crypto armistice or just key escrow?


Dave Bittner: [00:00:03:21] Rubella hits the shelves of the criminal black market; it's the crimeware kit, not the German measles. Necurs gets shifty by going retro. iPhone unlocking specialists endure an apparently minor breach. The sad story of structural extremism on the Internet. Finland says the Russians are coming there, too. Snooper's Charter setback. A proposed bill would make it easier for DHS to clean US Federal networks. And the latest Crypto Wars agreement is said to be just key escrow.

Dave Bittner: [00:00:38:12] Time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At The CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely. Because that's what you want: actionable intelligence. So sign up for the Cyber Daily email, where every day you'll receive the top trending indicators Recorded Future captures crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay a step or two ahead of the threat. Go to Recorded to subscribe for free threat intelligence updates. That's Recorded And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:56:12] Major funding for The CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday April 27th, 2018.

Dave Bittner: [00:02:08:17] Flashpoint describes a cut-rate crimeware kit, "Rubella," that offers some "point-and-click builder functionality" and generates malicious payloads for spam. It's not sophisticated, but skid criminals can rent it for just 40 bucks a month. Rubella, the crimeware, not the German measles, is another symptom of the ongoing commodification of what's being sold in the criminal-to-criminal black market.

Dave Bittner: [00:02:34:00] The venerable Necurs botnet, whose masters control millions of compromised machines they use to pump out spam, has gotten a little more evasive by going a little retro. Necurs has been emailing archive files that unzip to a file with a .url extension that opens a page directly in a browser. It's old-school, but on the other hand email scanners that hunt for more complicated new-school infection chains are liable to miss it. It will take a little time for many scanners to readjust, which opens a window of opportunity for the bad guys.

Dave Bittner: [00:03:08:02] Grayshift, the iPhone unlocking specialist who's sold its GrayKey to law enforcement agencies, has been the victim of code theft. Unknown parties apparently got the source code snippets from a customer site where Grayshift's user interface was briefly exposed to the Internet. The hackers demanded ransom, which Grayshift refused. The company thinks the software that was lost, judging from what the hackers have posted, is just code used to show messages to a user. Thus it seems unlikely that the underworld will soon be unlocking iPhones left, right, and center. Still, like any data breach, this one is at least mildly upsetting.

Dave Bittner: [00:03:48:09] A piece about online inspiration in the New York Times concludes that by their nature social media tend to breed extremism. "Attention, praise and a sense of importance and agency" are easy to come by online. And who wouldn't want those, especially if you're young, frustrated, and feeling no 'count? And worse yet, the algorithmically discerned rate of engagement is self-reinforcing, serving more like-minded messages until the recipients come to believe that what they're reading is good, normal, mainstream, common sense, even if that common sense has induced them to seriously consider ramming a car into a crowd of people the driver is convinced are enemies of all that's good, normal, and mainstream. It seems a pity that the old US State Department "think again, turn away" campaign was widely derided as ineffectual before its abandonment. Think again and turn away seems exactly what one would hope for, but the good, normal, mainstream common sense on the Internet said that whole slogan was nothing more than just tired, warmed-over "just say no." That's what we read, anyhoo.

Dave Bittner: [00:04:55:23] We might add to the observations in the Times the strange disinhibition that grips people when they get behind a keyboard. That disinhibition is on display right now, as the arrest of the alleged Golden State Killer after decades of futile investigation shows. One is happy indeed that police in California finally collared a man who is alleged to have been an unusually vicious serial killer with crimes going back to the 1970s. What's beyond unfortunate is the troupe of amateur detectives who are hounding the accused man's family with preposterous accusations of complicity. This is so much easier online than it would be in person, but increasingly the ground separating cyberspace and physical space looks depressingly like a slippery slope. All we can advise is, think again; turn away.

Dave Bittner: [00:05:47:04] Finland has joined the ranks of countries who've found state-directed cyber activity targeting their industrial and energy infrastructure. In its report for 2017, the Supo, Finland's security intelligence service, details widespread and ongoing attempts to infiltrate networks. Intellectual property is among the more sought-after targets. The energy sector and its associated research and development activities are of particular interest to foreign intelligence services. Traditional espionage involving recruitment of Finns to deliver information also continues, and, as the Supo says, "Especially Russian intelligence organizations are active in Finland."

Dave Bittner: [00:06:29:08] The UK's Snooper's Charter suffered a setback at week's end, as the High Court directed that the law be revised to require prior independent review before it can access retained metadata. The Home Office has its take on the decision; they're pleased to note that the court has upheld the fundamental tenets of the law, and they'll be happy to make the minor adjustments the bench has asked for. The plaintiffs who challenged the law are also pleased. They see the decision as a significant blow to the surveillance state, albeit a far from lethal blow.

Dave Bittner: [00:07:02:04] The Federal Network Protection Act, S. 2743, would fast-track the US Department of Homeland Security's ability to pull compromised software and systems from Federal networks. This would enable DHS to rapidly exclude problematic products from Government use without going through protracted interagency review. The bill is currently before the Senate.

Dave Bittner: [00:07:25:12] We've seen a number of recent attempts to come up with an approach to encryption that balances legitimate security and law enforcement interests with fundamental rights to privacy. Experts who've reviewed Ray Ozzie's proposed modus vivendi in the Crypto Wars tend to conclude that it's a form of key escrow. Some compare it to the late Clipper chip; late, and largely unlamented. Ozzie's approach seems to have left the pro-encryption side of the Crypto Wars cold: they see it as just another species in the genus of weakened encryption.

Dave Bittner: [00:08:02:04] I'd like to give a shout out to our sponsor, BluVector. Visit them at Have you noticed the use of fileless malware is on the rise? The reason for this is simple. Most organizations aren't prepared to detect it. Last year, BluVector introduced the security market's first analytic specifically designed for fileless malware detection on the network. Selected as a finalist for RSA's 2018 Innovation Sandbox contest, BluVector Cortex is an AI-driven sense-and-response network security platform that makes it possible to accurately and efficiently detect, analyze and contain sophisticated threats. If you're concerned about advanced threats like fileless malware or just want to learn more, visit That's B L U V E C T O And we thank BluVector for sponsoring our show.

Dave Bittner: [00:09:02:11] And I'm pleased to be joined once again by Dr Charles Clancy; he's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr Clancy, welcome back. I wanted to get kind of a reality check from you when it comes to the 5G rollout. I think we're starting to see some of the marketing messages ramp up, but what's your perspective on when we might actually start seeing things affect us in the real world?

Dr Charles Clancy: [00:09:28:00] I think it'll be a few more years before we really start to see 5G at scale. A lot of the marketing right now is around spectrum. So the FCC has identified here in the US a few different bands that could be used uniquely for 5G. But, honestly, the standards aren't even finished yet, much less implemented and developed. The standards basically fall into two components. There's the radio access network, which is known as New Radio, or NR. And the standards for that are mostly done, I would say, at this point. The first thing we will see is a 5G cell tower talking to a 4G core network. And that will give you faster data rates, but it won't let you take advantage of all the new features that are part of the 5G core.

Dr Charles Clancy: [00:10:15:15] The 5G core is gonna have all kinds of exciting new capabilities, specifically designed to support Internet-of-Things and other IoT use cases. So things like network slicing, which allows you to create virtualized layers of the core network specifically for different classes of IoT devices. Really exciting new capability; it takes software-defined networking and network function virtualization to a whole new level in the cell phone network. But those standards are still at the early stages right now, and it's probably still another couple of years before they're finished, much less implemented and developed and rolled out.

Dave Bittner: [00:10:51:15] And so what kinds of security elements are we going to see baked into 5G?

Dr Charles Clancy: [00:10:56:14] Well, the 5G radio access network has very similar security properties, I'd say, to a 4G network. There are some interesting things that are being done to try and improve some of the vulnerabilities in 4G. One example would be the IMSI catchers that are able to act as a fake base station and cause your phone to provide the unique identifier off your SIM card. Actually, just last week there was a set of changes to the 5G standard that were approved that will now encrypt that identifier before it is sent to the network, which will prevent those IMSI catchers from being effective against 5G phones.

Dave Bittner: [00:11:36:08] Are those what are popularly known as StingRays? Is that what we're talking about?

Dr Charles Clancy: [00:11:39:15] Exactly, yes, that's the brand name that's associated with it most frequently. But basically it's sometimes called a base station emulator, but it is essentially a device that acts like a cell phone base station and engages your phone in a conversation to get your phone to reveal its identity.

Dave Bittner: [00:11:57:10] Now, we still have the issue of, sort of, backwards compatibility: forcing a device to fall back to some of the older standards?

Dr Charles Clancy: [00:12:06:18] Of course, yes. So 2G, 3G and 4G would all still be vulnerable. So 5G is at a great inflection point right now to begin to solve some of the problems that we've been wanting to solve for a while in telecommunications and cyber security. But of course, because of the backward compatibility, it will be many more years before those older technologies are fully phased out and we have the full benefit of these new security features.

Dave Bittner: [00:12:28:18] All right, Dr Charles Clancy, thanks for joining us.

Dr Charles Clancy: [00:12:31:12] My pleasure.

Dave Bittner: [00:12:37:05] Now a moment to tell you about our sponsor ObserveIT. It's 2018. Traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time consuming to maintain and too heavy on the endpoint. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:13:46:14] My guest today is Merike Kaeo; she's Chief Technical Officer at Farsight Security, a company that offers passive DNS cybersecurity solutions. Previously in her career, she led the first security initiative at Cisco Systems in the mid-90s and authored the first Cisco book on security.

Merike Kaeo: [00:14:05:19] My background is that I have an electrical engineering degree, and my first job was starting out designing and deploying campus backbone networks. So the first month on the job was the infamous Morris worm, which is historically known as the first Internet worm. And I would say that started my foray into security, because I became very involved, as we were designing our backbone, in looking at authentication, integrity and auditing functions, the basics of security. And some of the listeners may laugh, but we were changing out software by actually changing out the EPROMs, so swapping actual chips was how we did upgrades when there were issues found, bugs found, that now some of them might be classified as security issues.

Merike Kaeo: [00:14:53:10] So as my career progressed and the Internet grew to billions of devices and millions of users, the criminal and malicious activity also increased. And so I find myself now at Farsight Security, since everyone in the company also has a passion for making the Internet a more trusted and secure and stable means of communicating and also of creating business transactions.

Dave Bittner: [00:15:20:04] Now, one of the things we wanted to discuss today was using DNS data as an early warning system for cyber threats. Can you describe for us where we find ourselves in terms of how DNS data is used, and what are the implications of that?

Merike Kaeo: [00:15:34:22] Domain names are the basic functions of anything that you are doing on the Internet. Humans think of names and machines think of numbers. Every device on the Internet is identified by a name and a number. The number is referred to as an IP address, and the name is typically the fully qualified domain name. So what the DNS does is associate various information with domain names assigned to a particular entity, and very often you are doing a mapping between the domain name and an IP address. One item that is extremely important for many to understand, who may not be so familiar with the domain name system, is that the criminals really have started utilizing the domain name system as a fundamental building block to many of their scams. There are things called domain-generating algorithms, where it's a capability to generate hundreds of domain names a second. And they're designed for resiliency, so that if a domain name gets discovered to be used for malicious use, they just move to other domain names. And so this is a way that the malicious underground is able to register and retain control of several botnets that could be used for malicious campaigns.

Dave Bittner: [00:17:03:03] And so in terms of being an early warning system, how does that come into play?

Merike Kaeo: [00:17:07:16] There are malicious actors who try to impersonate your specific domain name or email address. So with the real-time information you can determine whether or not somebody's trying to impersonate your site, and whether or not you're sending your information, like your banking credentials, username and passwords, to a fake banking site where the criminal underground can then use it to sell your information. There are numerous breaches of domain registrars where domain names have been impersonated. And so this often happens to luxury brands, to create websites for various forge scams, or to any sites where the malicious activity required a user to believe that a site they are going to is valid. So these scams are used to get usernames, passwords and other personal information.

Merike Kaeo: [00:18:06:16] What I really think is very important is also that everybody should be paying attention to how a criminal is flying under the radar, utilizing internationalized domain names, for example, as lookalike domains to try and create email and phishing scams. And also, how can you detect IPv6-related spam and phishing campaigns? So I think everybody has a part in the ecosystem.

Dave Bittner: [00:18:31:05] I'm curious, from your own point of view, coming up in this industry: do you have any words of wisdom or advice for those who are looking for a career in security?

Merike Kaeo: [00:18:40:07] I do. My advice would be never stop learning and never stop asking questions. I think security is very complex because there are so many details that are involved. And I think that the more you understand, the more you ask questions, why is this, and even challenge some of the old ideas. Because we need new input, we need new ways of thinking; the old ways of thinking of security are clearly not good enough. So I would challenge everybody to just look at how are things done? How can we make things more secure? How are you identifying somebody? What information are you logging and auditing? How do you preserve integrity of information, knowing that nobody has modified anything in transit? So it's a very, very large field, and I just encourage people to look into their passions and never stop asking why, and offering solutions.

Dave Bittner: [00:19:49:00] That's Merike Kaeo from Farsight Security.

Dave Bittner: [00:19:56:19] And that's The CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at

Dave Bittner: [00:20:18:05] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.