CyberWire Daily - MysteryBot developed from LokiBot. Satan rebranded as DBGer. Snooping on iOS got harder, but maybe not impossible. IG report on the FBI is out, not damning but not good, either.

Episode Date: June 15, 2018

In today's podcast we hear that MysteryBot is under development and presumably being prepared for sale on the black market. Satan ransomware gets a makeover and a new name. Apple has taken measures to make iOS traffic less accessible to snooping, but lawful snoops may already have a way around that security. Kaspersky will no longer work with Europol. The US Justice Department IG reports on the FBI. And a former Jeopardy champion cops a hacking plea. Robert M. Lee from Dragos, on his efforts to educate through the use of comic strips. Guest is Scott Petry from Authentic8 discussing their FAKE booth at the RSA conference.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. MysteryBot is under development and presumably being prepared for sale on the black market. Satan ransomware gets a makeover and a new name. Apple has taken measures to make iOS traffic less accessible to snooping, but lawful snoops may already have a way around that security.
Starting point is 00:02:14 Kaspersky will no longer work with Europol. The U.S. Justice Department IG reports on the FBI. And a former Jeopardy! champion cops a hacking plea. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 15, 2018. Researchers at ThreatFabric are tracking what they've named MysteryBot, multifunctional Android malware under criminal development that combines a keylogger with a banking trojan and mobile ransomware. MysteryBot seems capable of targeting both Android 7 and 8 devices.
Starting point is 00:02:56 MysteryBot abuses usage access permissions. ThreatFabric assesses the new malware as derived from LokiBot, whose source code has leaked. MysteryBot's ransomware module seems defective, but ThreatFabric thinks the developers are working on a tool that will fetch a good price in the black market. The authors of Satan ransomware have rebranded and upgraded their product. MalwareHunter says the criminals behind the code are now calling it DBGer and have incorporated Mimikatz to facilitate lateral movement within targeted networks.
Starting point is 00:03:32 Apple may have closed off an access point police had used to get into suspects' iOS devices, but forensic experts think Grayshift may have found a way around the new USB-restricted mode. In other intercept news, Elcomsoft says it's upgraded its Phone Breaker tool to decrypt iMessages in iCloud. Kaspersky will suspend cooperation with Europol. The Russian cybersecurity firm has long partnered with European police investigations of cybercrime, but now that the European Parliament has called for a ban on its products as security risks, Kaspersky has said goodbye to all that. The U.S. Justice Department's Inspector General yesterday afternoon released the report on the FBI's investigations of various actions
Starting point is 00:04:20 by the Federal Bureau of Investigation and Department of Justice in advance of the 2016 election. The inquiry covers, essentially, the FBI's investigation of former Secretary of State Clinton's handling of classified material and her use of a private server during her tenure as Secretary. That case, connected as it was to Russian hacking of the Clinton campaign and the Democratic National Committee, has been of interest to the cybersecurity sector for the last two years. The report's 586 pages find more impropriety and insubordination than political bias. On balance, it's not good news for the Bureau. Five agents have been referred for consideration under Bureau disciplinary standards.
Starting point is 00:05:04 As the report puts it, the agents' use of bureau systems and devices to exchange messages that intermingled traffic about the ongoing investigations with partisan political opinion showed, quote, extremely poor judgment and a gross lack of professionalism. We therefore refer this information to the FBI for its handling and consideration of whether the messages sent by the five employees listed above violated the FBI's offense code of conduct. End quote.
Starting point is 00:05:33 The partisan opinion so vigorously expressed went so far as to suggest that senior members of the Bureau would determine the election result. Those senior officials, notably Deputy Assistant Director Peter Strzok, say that these were regrettable temperamental utterances not to be taken seriously, but the IG, after making due allowances for the right to hold personal political opinions, is not amused. It's unprofessional, to say the least. Anyone who's chatted and emailed will recognize, with an uneasy twinge of conscience, that they've typed things better left unexpressed. But indeed, these indiscretions by members of the Bureau really do reflect discredit upon the organization.
Starting point is 00:06:16 The Inspector General also found that some senior FBI officials, including former Director Comey, used personal accounts for official business and took other actions that contravened bureau and departmental policy. The use of personal accounts contains an instructive lesson for security practitioners. If a tool is cumbersome or frustrating to use, you'll drive users to find less secure, sometimes grossly insecure, workarounds. We often see this in shadow IT. In this case, the FBI's official messaging platform, Microsoft Lync, was generally unpopular enough with employees that they sought unofficial chat channels. At least one of the officials who received the IG's attention during the investigation, Deputy Assistant Director Peter Strzok,
Starting point is 00:07:02 says that he and his frequent correspondent, FBI Attorney Lisa Page, really hated the clunky autocorrect on their bureau-issued Samsung phones, and that's why they used other private systems to conduct business and exchange views. Strzok was involved in both the Clinton email and Russian influence probes. There were also findings concerning leaks to reporters that the IG found particularly troubling and corrosive to the Bureau's professional culture. The IG notes that the FBI strictly limits who's authorized to speak to the media, but that this policy was widely ignored during the period under investigation. The report says, quote, we identified numerous FBI
Starting point is 00:07:44 employees at all levels of the organization and with no official reason to be in contact with the media who were nevertheless in frequent contact with reporters, end quote. The IG regards such contact with profound concern. Incredibly, the report goes on to say, quote, we identified instances where FBI employees improperly received benefits from reporters, including tickets to sporting events, golfing outings, drinks and meals, and admittance to non-public social events, end quote. A separate report on these will be forthcoming. Such conduct is obviously out of line, but the IG points out that fear of leaks and potential leaks had an unfortunate effect on the conduct of the investigation, including the timing of various announcements and letters to Congress.
Starting point is 00:08:34 It's a cultural problem, the IG says. Bureau policy is both sound and unambiguous. It just wasn't followed. Congress expects to follow up the IG report with more hearings of its own, at least in the House Judiciary Committee, whose chair has said they expect to subpoena Strzok and others if necessary. We turn with unaccustomed relief to that other prominent member of the U.S. intelligence community, the Central Intelligence Agency.
Starting point is 00:09:03 Motherboard, wondering, like most of you, who and where in the world Satoshi Nakamoto is, submitted a Freedom of Information Act request to the CIA, asking if they had the goods or at least a file on the legendary creator of Bitcoin. The agency replied tersely that it can neither confirm nor deny that it has any information on Satoshi-san. So who he is, or even if he exists at all, are questions we'll get no help with from Langley. And finally, the answer is guilty.
Starting point is 00:09:42 And the question, Alex, is, what plea did the former Jeopardy! champ cop in that email hacking case? Stephanie Jass, former professor of history at Michigan's Adrian College, and at one time the top-scoring woman in the long history of the Jeopardy! quiz show, told Lenawee County Circuit Judge Margaret M. S. Noe, quote, Yes, I knew what I was doing, end quote, when she pled guilty to one felony count of unauthorized computer access. She accessed another person's email account at Adrian College. Sentencing is currently scheduled for July 20th, and Ms. Jass could receive up to five years and a $10,000 fine.
Starting point is 00:10:24 Calling all sellers. Salesforce is hiring account executives to join us on the cutting Thank you. and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:11:13 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:12:08 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. and joining me once again is robert m lee he's the ceo at dragos rob welcome back um i wanted to talk today about a little side project that you have that i know many of us uh enjoy and it is the little bobby comic strip uh there's also the little bobby, which you can get on Amazon. There's a print
Starting point is 00:13:06 version. There's also an electronic version, which I understand if you're an Amazon Prime subscriber, you can get for free. So I don't know how you feel about that. But I wanted to dig... Take money out of my comic book empire. That's exactly, exactly. I wanted to dig into the motivation. How did this start? And why you chose this as a way to get some of those messages out there? Yeah, I think comic books are approachable. And so originally, I mean, I have to admit, a lot of, there was a variety of discussions around SCADA, industrial control systems. And I found it very difficult to explain to folks. And I think I started seeing some teams pop up.
Starting point is 00:13:56 And I remember one team said, hey, we want to do offense against SCADA. I was like, oh, goodness. I did civilian infrastructure. I don't know if we should do that. But if you're going to do it, I don't want you to do it wrong. So I'll teach you what I know. And I spent hours with them, like showing them things and teaching them things. And at the end, here are these new offensive folks who are like, yeah, cool.
Starting point is 00:14:16 So what does SCADA stand for? I'm like, what? You're standing up like an offensive mission. You couldn't even be bothered to Google the term. I kind of got mad at it, actually. And so I sort of furiously went home and wrote out the book Skated in Me, a book for children in management. And it was a little bit of a snark. And my buddy, Jeff Haas, is a comic book illustrator.
Starting point is 00:14:41 And so I asked him to sort of take my really awful drawings and make them better and as we gave it back to these you know these military folks when that happened but uh you know surprise surprise to me is they were laughing and sort of took it in good stride and like hey yeah you know we were just randomly assigned to this mission like ah okay well you know no one's trying to be a jerk. Since then, I've kept it alive. It's been crazily well-received in the community and then even published a second one, Threat Intelligence and Me, a book for
Starting point is 00:15:13 children and analysts. And then every week, every Sunday, Jeff and I publish another little comic strip on our website to take some complex topic and try to break it down into an easy to understand kind of three-pane comic. Yeah, and it strikes me that it allows you the opportunity to kind of speak truth to power in a way that by having this construct of
Starting point is 00:15:37 a child who is often questioning folks who are, I don't know, spewing platitudes or misconceptions, questioning uh folks who are i don't know spewing platitudes or misconceptions and uh it sort of um it allows you to have a i guess like you know the court jester was the only one who could criticize the king right yeah absolutely i think you know you're hitting on something there too with with a lot of our our professionals in infosec i think sometimes we can be afraid to ask questions and we're we're seen as the you know smartest person in the room sometimes unfortunately on any given topic and then we all know in reality that we all have sort of our small niche you know expertise but but it can be intimidating to ask the questions or some vendor or some senator or some you know whoever comes and pitches like we're gonna do blockchain and artificial intelligence and you're like how is that and artificial intelligence. And you're like, how is that going to work?
Starting point is 00:16:25 And you want to ask questions. You're like, oh, okay. So it's kind of, yeah, it's kind of that outlet where little Bobby can do it for us. Like, you know what? Can somebody explain the blockchain value to me for security? And then nothing happens. He's like, okay, that's about what I thought. Right, right.
Starting point is 00:16:41 All right. Well, it's definitely a lot of fun worth checking out. What's the best place for folks to check out Little Bobby? Yeah, it's the website every Sunday, the Free Comics Publish. So it's littlebobbycomic.com. All right. Terrific. Rob Lee, as always, thanks for joining us. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:17:10 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. At the RSA conference this year, there was one vendor booth that was not like the others. Selling his wares was one Francis Archibald Keyes Esquire. Yes, those initials spell fake.
Starting point is 00:18:03 Complete with top hat, handlebar mustache, and a traveling salesman's horse-drawn wagon full of tonics and liniments that were sure to cure whatever cybersecurity ailments you might be suffering from. Fake security, indeed, made all the more mysterious by the fact that that booth had no reference whatsoever to any known cybersecurity company. Needless to say, it generated some buzz. Scott Petrie is CEO and co-founder of Authenticate, and he may just know something about what was going on here. The birth of the idea came from two places, I think. One is the fact that the industry has been promising customers solutions to the cybersecurity dilemma for years and just continues to sell more and more tech into the community.
Starting point is 00:18:49 And if you go to events like RSA, it's a cacophony of vendors yelling and selling. The other thing that drove us to do it was the fact that trade shows, they're hard. They tax organizations from a dollar perspective, from a messaging and creative perspective, from getting people to stand in the booth and try to engage with the customers. They're difficult. And we said, can we combine the observation in one and have fun in two and do something completely different at RSA? Hopefully get a little bit of awareness. Yeah. And I think one of the things that certainly caught people's eye is the fact that there was not any branding for Authenticate in the booth, which lent the whole thing a certain air of mystery. It's funny, yeah, because up until the day before, we were having discussions about how do we reveal who we are? I stood by the booth. I was just enjoying the process so much. And we decided, we're not going to say anything about it. In fact, we coached the actors to say, if they keep digging and keep asking, just dig in more and be more obstinate. I don't know who this authenticate is, but I can tell you that these are all the solutions you need here. it was almost created a psychological sort of game about it. And there was one thing, my favorite thing coming out of it was there was an information security team that did a deep forensic dive of how they tried to figure out who we were. They did who is records on our fake security dot com website.
Starting point is 00:20:24 They looked at registered vendors. It wasn't that hard because we bought the RSA booth under the name of Authenticate. So, you know, you didn't have to reach very far, but we created enough confusion by not being authenticated in the booth that people had to dig a little bit deeper. We went there having no expectations, just let's call the lie to the market and let's have fun doing it. And it turned out to be a pretty good way to get some people to be aware of our company and aware of our message. Now, take us through what was the spectrum of responses? Did everybody get the joke? And were there some people who didn't appreciate it? More got it than not. I think when if we had a reveal quickly, like, oh,
Starting point is 00:21:07 we're just joking, we're Authenticate, I think then people would have kind of, maybe, oh, it's just another clever marketing tactic by a company. Since we stuck to our guns, you could look at the faces of people where they'd walk by, they'd do the double take, and then the actor would engage them and start riffing about the extract of artificial intelligence or whatever and start touting the goodness of the tonic. And then they'd smile, and then they'd have this look on their face like, what's the catch? What's the hook? And there'd be no catch. We'd hand them a bottle and then be gone to the next person. People universally enjoyed it. We didn't get any negative response. We had one guy who was an executive from another company basically respond to a LinkedIn post about it, which says, that's not going to win you any friends in the industry.
Starting point is 00:21:56 So I don't think other vendors necessarily liked it. But to the people walking by, you know, attending a trade show, I think it was a little bit of a respite from the cacophony. The people walking by, you know, attending a trade show, I think it was a little bit of a respite from the cacophony. What does it say to you that the response that it got here in certainly the largest industry trade show of the year, that this resonated so much? What does it say to you about the state of the industry and how people are feeling about the products that are out there? I think it says very simply, the industry knows that it's an unhealthy relationship between customer and vendor, but they have to do it. You can't not buy security solutions. You can't not stay current on your technologies. You can't not listen to vendors talking about breakthrough enhancements or new capabilities. At the same
Starting point is 00:22:42 time, we've been hearing those promises forever. We're still in a situation where things are getting worse. And it was maybe refreshing to step above it and acknowledge that we're all part of this equation. We didn't have a lot of discomfort about should we make this investment? Should we try something that's a little bit more shocking or less traditional? We knew we were going to execute it well. We just weren't sure how it would land. And so I was very relieved that it landed well because we put a lot of effort into this. And really, we were resolute that we were going to stay true to it and stay committed.
Starting point is 00:23:18 So it was a big relief that it actually worked. That's Scott Petrie from Authenticate. The campaign is still running online. It's at fakesecurity.com. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed.
Starting point is 00:23:52 Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious,
Starting point is 00:24:42 but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
