The CyberWire Daily Podcast 6.9.16
Ep 117 | 6.9.16

Ransomware spreads (backup or pay up?). Safe travels. FTC, NFL embarrassed.

Transcript

Dave Bittner: [00:00:03:19] Ransomware scores in Alberta, and it's low-cost and low-risk elsewhere, too, so back up your files. Twitter credentials turn up for sale on the dark web, although Twitter itself seems not to have been breached. Old LinkedIn compromises are being used to craft spearphishing campaigns in Europe. This week's NATO conference takes up cyber workforce development, surprising approaches to innovation, the need for more cooperation, and the risk of strategic surprise. Cylance becomes the cyber sector's newest unicorn. And there's another cyber fumble in the NFL.

Dave Bittner: [00:00:37:07] Today's podcast is made possible by ThreatConnect. Join their free webinar and learn how security incidents happen at the seams between tools and teams, and how you can unite your people, processes, and technologies behind an intelligence-driven defense. Sign up today at threatconnect.com/webinar.

Dave Bittner: [00:00:59:23] I'm Dave Bittner in Baltimore, with your CyberWire summary for Thursday, June 9th, 2016.

Dave Bittner: [00:01:05:17] Ransomware spreads, as this low-cost, low-risk caper continues to grow in popularity among the criminal element. This week Canada's University of Calgary is one of the latest victims to pay up, sending $20,000 Canadian, that's about $16,000 U.S., to extortionists who locked up its systems. As we've seen in the Hollywood Presbyterian incident, the decision to pay was a cost-benefit one. One university official said, "The last thing we want to do is lose someone's life's work," and the easiest way to avoid that was to pay the ransom.

Dave Bittner: [00:01:38:21] The attack was discovered on May 28th. The university hasn't said what strain of ransomware was involved, and Calgary police are investigating.

Dave Bittner: [00:01:47:11] Over the weekend more than 100 million VK credentials turned up for sale in the dark web. At midweek users of another social media platform - Twitter - faced a similar problem. 32 million Twitter credentials are also now up for sale. The handle associated with this theft, “Tessa88@exploit.im,” also appeared in connection with the VK breach. It seems that the problem in this later case is not Twitter’s - and Twitter has been actively tweeting that it’s investigated and is confident that it hasn’t itself been breached. Suspicion currently focuses on a connection between these Twitter users and the old breaches of LinkedIn, MySpace, and Tumblr.

Dave Bittner: [00:02:27:07] That old breaches can continue to do damage for years may be seen not only in this incident, but also in a spearphishing campaign currently afflicting Europe. Data from the LinkedIn breach is being exploited to craft unusually specific and convincing messages to closely targeted victims.

Dave Bittner: [00:02:43:18] It’s worth noting that Twitter credentials seem to fetch a higher price than corresponding data from VK. The hacker asked for 1 Bitcoin, about $570, for all one hundred million plus VK accounts, but Tessa88 wants ten times this amount, according to reports, for Twitter data: 10 Bitcoin, roughly $5800.

Dave Bittner: [00:03:05:04] Issues of cyber workforce development continue to worry both industry and government. They’ve come up at NATO talks underway in Estonia, and industry continues to nag schools to do more to inspire and develop students for careers in the field. Some see generational problems here: the US White House, for example, laments that its lagging technological set-up makes it hard to recruit millennials to work there - they think the President’s IT is, as the kids say, “lame.”

Dave Bittner: [00:03:32:08] There’s also a view abroad in the travel industry that millennials are particularly vulnerable to cyber threats faced by travelers, because millennials are particularly accustomed to and dependent on Internet access. But travelers of all ages face risks when they’re abroad. We spoke to one expert, Authentic8's Scott Petry, about some of the measures people might use to protect themselves while they’re traveling.

Scott Petry: [00:03:53:19] My advice to my friends, if they're using a mobile phone, is to shut off WiFi - don't auto-join any network, because of the embarrassing ease with which a WiFi network can be spoofed. It's very easy for me to run something called a "rogue access point" - I can basically publish my WiFi router with that same name, and that same SSID of that network, and your phone will automatically connect to my network. So, your access point into the public Internet would be through the WiFi node that I control, and that would give me the ability to break open your data and start snooping your information, and, in the worst case, potentially even steal your information.

Dave Bittner: [00:04:31:15] And of course it's not just your Internet access point that's vulnerable. Your web browser itself is a common threat vector, and Petry and his team at Authentic8 have what they say is an effective solution - run your browser from the cloud.

Scott Petry: [00:04:44:19] The list of vulnerabilities in accessing Internet services is really endless, and what we've done is we've said, "Let's keep all of the web code - all of the HTML, all of the JavaScript, all of the Flash, all of the cookies and trackers - off of the user's device." We run a disposable browser, in the cloud, on our servers, and then we provide a high fidelity display of that browser session to the user's device, so the only thing that's reaching the user's device is a display of that remote browser session, so they're keeping themselves away from any exploitive code.

Scott Petry: [00:05:21:01] And to tie it together with the WiFi story, we speak over point-to-point encrypted protocol, so that we know that the client we're presenting the data to is actually the client, and there's no-one in the middle trying to snoop the packets. So we've designed this to be as close to end-to-end secure for accessing the Internet as can be developed, even to the point where you can use an infected PC over a corrupted WiFi hotspot and none of your data is going to be exposed, because it's securely speaking our protocol to the browser that's running on our servers.

Dave Bittner: [00:05:57:00] That's Scott Petry from Authentic8.

Dave Bittner: [00:06:02:23] At NATO's conference, senior officials of the Atlantic Alliance don't like the way they've been surprised by mostly Russian initiation of hybrid warfare in recent years. They're looking for better use of intelligence products, and improved intra-alliance cyber cooperation. Estonia, which has long punched far above its weight in cyber security, has pointed out that budget constraints can breed innovation: they've found that if you have less to work with, you're often forced to be more creative.

Dave Bittner: [00:06:30:08] But money does continue to flow into the cyber sector. Despite some rocky IPOs and reports that venture capital is becoming more skeptical, the industry this week welcomes its newest unicorn, as Cylance’s Series D round puts the company’s valuation above $1 billion.

Dave Bittner: [00:06:48:10] The chief technologist of the Federal Trade Commission, the agency that's aggressively pushing to become one of the biggest US enforcers of cybersecurity law and policy, shared her own recent experience of identity theft. Someone apparently walked into a phone store and hijacked her mobile number. The thief used a fake photo ID. The FTC advises victims of such fraud to report it to identitytheft.gov.

Dave Bittner: [00:07:13:17] And finally, listeners to American sports talk radio - you know who you are - will have heard Tuesday’s and Wednesday’s kerfuffle over the National Football League’s apparent Tweet that the league’s commissioner had passed away. It was of course a hoax; an unfunny joke: Commissioner Goodell is alive and well. How the NFL’s account was hijacked remains under investigation, although the league has recovered control of its Twitter presence.

Dave Bittner: [00:07:38:02] The credentials seem to have been compromised by some "miscreants," as Dark Reading calls them, calling themselves the "Peggle Crew" and possibly associated with the now-suspended Twitter account "IDissEverything." The compromise may have been enabled by hacking an NFL staffer's email. The NFL Twitter account's password is said to have been "olsen3culvercam88," which Ars Technica sniffs at as "weak." Still, it seems to us, better than "dadada."

Dave Bittner: [00:08:12:12] Today's podcast is made possible by E8 Security - detect, hunt, respond. E8 Security is transforming the effectiveness of enterprise security teams. Read their informative white paper, "A Unified Use Case for Preventing Unknown Security Threats," at E8Security.com/dhr.

Dave Bittner: [00:08:37:23] And joining me once again is Joe Carrigan, from the Johns Hopkins University Information Security Institute. Joe, when it comes to backup, you can back up locally, you can back up to the cloud.

Joe Carrigan: [00:08:48:00] That's right.

Dave Bittner: [00:08:48:07] You could do both.

Joe Carrigan: [00:08:48:20] You can do both.

Dave Bittner: [00:08:49:12] What are the pros and cons of each of those methods?

Joe Carrigan: [00:08:51:23] You should do both - that's first. The pros and cons are, you're kind of defending against two different eventualities. First off, you should be backing up your data. Eventually - your hard drive is a physical device - it's going to crash, it's going to fail at some point in time.

Dave Bittner: [00:09:05:18] It's a ticking time-bomb, as they say.

Joe Carrigan: [00:09:07:22] They wear out. So if you have a backup locally - let's say you have one of these little external drives, or maybe you are actually talented enough to set up a RAID array in your house, where you can keep these files off your machine and onto another machine - that protects you from a hard drive failure but it doesn't protect you, say, from, like, your house burning down. So if your house burns down, of course, the first thing that happens is the fire department shows up and they spray water everywhere - that's generally not good for electronics.

Joe Carrigan: [00:09:38:10] So there's also a cloud backup solution - there's also a number of different providers out there that provide backup where they encrypt your files online, and these are all big companies, and they're people you can trust with your data, I would suppose, but, you know, there have been cases where these companies have just stopped functioning, or actually got hacked, in the case of one company called Code Spaces, which was a code repository for collaboration, and also for backup of source code. Somebody got their credentials to their Amazon cloud; they were running in the Amazon cloud, and just deleted all the machines for that company - it actually just destroyed the company, and took everybody's backups and destroyed them.

Dave Bittner: [00:10:22:05] So you're really putting your fate in someone's hands. If that cloud service provider has some sort of catastrophic failure, or some kind of major security breach, you could be subject to that as well.

Joe Carrigan: [00:10:31:16] That's right. That is the risk with these cloud storage providers, is a security breach, and of course that's also going to be dependent upon you, as the users of these services, to make sure that you behave in a way that is more secure than anybody else, really. I guess that's kind of what you're hoping, is that you're the guy that's hard to guess his password, so they don't bother you because there's hundreds of people out there whose passwords are easy to guess.

Dave Bittner: [00:10:53:24] Right, right! I don't have to outrun the bear - I just have to outrun you.

Joe Carrigan: [00:10:57:21] Exactly.

Dave Bittner: [00:10:59:02] So really a belt-and-braces approach - good to have both local backup and cloud storage. Why not? These things are inexpensive, and readily available.

Joe Carrigan: [00:11:09:07] Very cheap.

Dave Bittner: [00:11:10:05] Yeah. All right, Joe Carrigan - good advice as always. Thanks for joining us.

Joe Carrigan: [00:11:13:10] My pleasure.

Dave Bittner: [00:11:16:03] And that's The CyberWire. Sorry I'm a little froggy today - I was out for a run yesterday and I inhaled a bug. I think it's still in there.

Dave Bittner: [00:11:24:06] For links to all of today's stories, along with interviews, our glossary, and more, visit TheCyberWire.com. The people who are interested in those stories tend to be people who read or listen to The CyberWire. If you'd like to reach them, visit TheCyberWire.com/sponsors and find out how you can sponsor the news brief or podcast. And thanks to all of our sponsors, who make The CyberWire possible.

Dave Bittner: [00:11:44:08] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik, and I'm Dave Bittner. Thanks for listening.