Run DNC has legs. NFL players get social media savvy. Online jihad. More big breaches.
Dave Bittner: [00:00:03:16] Run DNC, the Russians were in the Democrats' networks. Russian espionage looks at traditional targets. Chinese operators, despite ongoing talks with the US, are out for trade secrets in cyberspace. Investigation into the Orlando shootings turns toward the shooter's family connections. ISIS claims to have inspired the massacre. New breaches flood the black market with credentials and server access. The US Air Force may have lost more than a decade's worth of IG case data. Microsoft patches, but Adobe holds off until it can address a new zero-day.
Dave Bittner: [00:00:41:20] It's time to thank one of our sponsors, E8. And let me ask a question. Do you fear the unknown? Lots of people do, of course. Leprechauns, crop circles, stuff like that. But we're not talking about those. We're talking about real threats, unknown unknowns lurking in your networks. The people at E8 have a white paper on hunting the unknowns with machine learning and big data analytics that go beyond the old school legacy signature matching and human watch standing. Go to E8security.com/dhr, and download their free white paper, "Detect, Hunt, Respond." It describes a fresh approach to the old problem of recognizing and containing a threat no one has ever seen before.
Dave Bittner: [00:01:20:08] The known unknowns, like thunderbirds, like bugbears, they're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them, E8security.com/dhr.
Dave Bittner: [00:01:41:17] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, June 15th, 2016. Yesterday, the Democratic National Committee and CrowdStrike disclosed that the US political party had been successfully compromised by Russian intelligence services.
Dave Bittner: [00:01:56:19] "Cozy Bear," APT 29, probably an FSB operation, had been in the network since last summer. "Fancy Bear," APT 28, a GRU operation, arrived this April, a bit more noisily. Cozy was peering into emails and chats. Fancy was interested in many things, but particularly opposition research. The DNC says it's now got its network security well under control. Others think this is just the beginning for political organizations generally.
Dave Bittner: [00:02:26:02] APT 28 has also been known as Sofacy, and Palo Alto Networks points out that this group is involved in an ongoing spearphishing campaign against US officials. APT 29 was implicated in earlier intrusions into US unclassified email systems at the White House, State Department, and Joint Staff.
Dave Bittner: [00:02:45:03] Cozy and Fancy are typical espionage efforts directed against traditional targets. Chinese services, despite ongoing talks with the US about reaching a peaceful arrangement in cyberspace, are still widely believed to engage in economic espionage. A Chinese employee of a US company is on trial for industrial espionage, and Wired reports, quote, "an almost one-to-one correlation between the breaches and China's economic interests," end quote, in campaigns against German, Indian, and other countries' firms.
Dave Bittner: [00:03:15:10] ISIS claims the Orlando massacre, and some think this is a mistake, as shooter Mateen led an unedifying life of drink, clubbing, and uncontrolled rage. But this is to misread not only the concept of martyrdom, which is redemption by death in righteous combat, not by following precepts of right living, but also the style, audience, and intent of ISIS information operations.
Dave Bittner: [00:03:38:03] It's instructive that the Cyber Caliphate's online graphics look like those you'd find in a first person shooter's artwork. That is, it looks crazy, violent and dark, like the kind of thing a tweener boy would have in his room. Investigation into the Orlando horror itself reveals Mateen's ill-informed but attentive consumption of various forms of online jihadist propaganda. It's also turning up unfortunate corners of his father's and wife's online lives.
Dave Bittner: [00:04:04:24] Yesterday was Patch Tuesday, and Microsoft issued its customary fixes. These were overshadowed, however, by the news that a new Flash zero-day is being actively exploited. Kaspersky researchers say that a new APT they're calling "ScarCruft" has been exploiting the vulnerability against high-profile individuals since March. Adobe has promised a fix sometime this week, perhaps as early as tomorrow.
Dave Bittner: [00:04:29:21] Verizon and D-Link also issued patches yesterday, with Verizon fixing a bug in the verizon.net messaging system that could have enabled email compromise. The D-Link patch upgraded weak crypto in the company's mydlink devices.
Dave Bittner: [00:04:43:22] Several breaches again flood the black market with credentials. 51,000,000 iMesh accounts, 45,000,000 VerticalScope forum accounts. VerticalScope caters to automotive, sports, tech, and other interests. And nearly 8,000,000 customer accounts from Japanese travel agency JTB. The costs of the breaches to the affected enterprises are higher than whatever the crooks are making from the sale of credentials.
Dave Bittner: [00:05:08:04] And there's a new shop in the black market bazaar. Kaspersky reports finding a "boutique" forum selling access to government, corporate, and university servers. If illicit money's being made here, the secret is surely volume, because the cost of access is running at around $6. That's less than you'd pay for a glass of Cabernet at a Laurel, Maryland, happy hour...or so we're told.
Dave Bittner: [00:05:31:01] The US Air Force is attempting to recover from a June 6 system crash that may have eliminated records from Inspector General cases going back to 2004. Observers aren't optimistic. The database corruption, apparently a failure, not a hack, may have rendered the records unrecoverable for good.
Dave Bittner: [00:05:49:02] In industry news, Phishlabs, IBM, and others continue to offer threat intelligence and information-sharing services. We spoke with Charles Clancy from Virginia Tech's Hume Center about how and why information sharing can be important, and valuable. We'll hear from him after the break.
Dave Bittner: [00:06:04:24] In other industry news, K2 Intelligence, an investigative and cyber defense services firm, has been hired by the National Football League Players Association to help NFL players and their families live safely and securely with social media. We spoke with K2 Intelligence's Vinnie D'Agostino about what his company's doing for the NFLPA.
Vinnie D'Agostino: [00:06:25:00] NFL players, much like anybody who has any kind of high-profile job, the unique challenges that are, that are there really center around the fact that they're so accessible and they're so easily identifiable. And so whereas a normal person may have a Twitter account or Facebook account that, should they have poor security controls on or should they post something that may reflect badly upon them, the chances of it going viral and really affecting them in their day to day life are slim.
Vinnie D'Agostino: [00:06:52:18] An NFL player is the exact opposite situation. They are very well-known, they are not only known through what they do for a living, but the fact that they, they typically are paid very well. And so, that makes them a target. That makes it more likely for somebody on the outside to want to make a name for themselves, maybe, by virtue of embarrassing a player.
Dave Bittner: [00:07:11:00] D'Agostino and his team came to this task already accustomed to working with high-profile clients, thanks to work with their previous employer.
Vinnie D'Agostino: [00:07:19:01] For us, it wasn't too difficult to sort of grasp, because myself and our core team here on our cyber team are all former FBI agents. And so this is stuff we were dealing with very often on the government side, where we would have victims come to the FBI, whether they were former athletes or people that are otherwise in the limelight, actresses, musicians, etc., and become victims of these types of attack. So, the first step for any of these cases is to identify sort of that digital footprint that exists for that player. You know, what accounts are out there?
Vinnie D'Agostino: [00:07:49:23] And you'd be surprised at how often players or, or any of our high-profile clients will tell us, "Well, I have three or four accounts. I have, you know, one email, one Facebook, one Twitter account, and that's it." And once we start digging into that background and looking at what other accounts are associated with email accounts they may have owned in the past or other online accounts, we might find 30 or 40 orphaned accounts out there that are vectors for bad guys to use to gain access to more critical accounts.
Vinnie D'Agostino: [00:08:17:02] So, they can start with an abandoned AOL account. They can start with an abandoned MySpace account and use that to pivot within those social media profiles to gain access to other accounts, which is a real danger.
Dave Bittner: [00:08:29:05] Putting the proper technical security measures in place is important, but Vinnie D'Agostino emphasized the importance of providing specific training for the players and their families as well.
Vinnie D'Agostino: [00:08:38:20] The use of social media is so widespread that not many people spend time to talk about how are you securing your account. You know, "I have a password." Well, how strong is the password? Do you have two-factor set up? Do you have alerts, alerting set up? So, if somebody logs in from an unknown IP address, are you going to become aware of that? Who has access to those accounts? Who in your entourage have you given, you know, access to your Twitter account for whatever reason? Do they still have access? Should they have access? Things like that. So, there's always an educational component to that that I think really benefits them going forward, because it's sort of the teach a man to fish philosophy where now they leave and they're in a much better posture for themselves and many times for their families, to let them know the things that they can do to better secure their accounts.
Dave Bittner: [00:09:23:01] That's Vinnie D'Agostino from K2 Intelligence.
Dave Bittner: [00:09:28:12] Finally, "deep learning" is now the popular name for a lot of stuff we used to call "artificial intelligence." "Artificial intelligence" sounded scary enough, and, yes, thank you, we did see "The Terminator" back in the day, but "deep learning" sounds positively occult, the kind of esoterica the Sorcerer's Apprentice read from his mentor's book of spells. And that didn't end well either. But before you turn off your water and lock up your brooms, Wired wants you to remember, it's all just math. Read the whole thing, and if you have trouble finding it, there's always a link in the CyberWire's daily issue.
Dave Bittner: [00:10:04:11] I want to take a quick moment to tell you about our sponsors at ThreatConnect. ThreatConnect is an enterprise-level security platform that allows you to unite all of your people, processes and technologies behind an intelligence-driven defense. They're teaming up with Forrester, the global research and advisory firm, for a look at fragmentation in the security industry, what it means, and what can be done about it. You can hear what they've got to say and consider how to apply the lessons to your own organization by signing up for ThreatConnect's webinar. It's scheduled for Tuesday, June 28th.
Dave Bittner: [00:10:33:15] Catch Forrester's Jeff Pollard and ThreatConnect's Chief Intelligence Officer Rich Barger as they discuss the issues fragmentation poses for organizations of all sizes, and offer their thoughts on how to unify security operations in your enterprise. Visit ThreatConnect.com/webinar, and let them know the CyberWire sent you. Best of all, the price is right, it's free. That's ThreatConnect.com/webinar.
Dave Bittner: [00:11:02:23] Joining me once again is Dr. Charles Clancy, director of the Hume Center for National Security and Technology at Virginia Tech. Charles, I know one of your cyber security research initiatives is in the area of information sharing.
Charles Clancy: [00:11:15:01] Well, not everyone has broad visibility to the Internet in the same way that, for example, the NSA may have. And as an individual organization, trying to combat a threat that's coming at you from many different vectors across the Internet, the only way to effectively do that is to kind of pool the resources with your peer organizations. And so we're seeing information-sharing as a key trend between peer organizations in order for them to have the data needed to do the analytics necessary to combat the growing cyber threat.
Dave Bittner: [00:11:44:15] And so, what kind of work are you all doing to help move this along?
Charles Clancy: [00:11:48:18] We are working currently with the telecommunications industry on STIX and TAXII. STIX and TAXII are two standards that were originally developed with funding from DHS, but are now international standards for information-sharing. And we're currently working on a pilot with the telecommunications sector to begin to allow several operators and landline operators the ability to share information about threats to their subscribers and their networks themselves.
Dave Bittner: [00:12:14:17] And so, what's the desired outcome once we are able to share information in a more efficient way? What are we hoping to have come from that?
Charles Clancy: [00:12:22:21] So once we can more efficiently share information, then we can begin to pool analytic resources. Most recently, the DHS and the White House have proposed the development of the Information Sharing Analysis Organizations or ISAOs, which would be industry-oriented groups that would be able to take all this data that has been shared among peers, and use that as part of an analytic process that would help identify who the specific actors are and be able to develop better policies for remediation of those threats.
Dave Bittner: [00:12:51:16] Dr. Charles Clancy, thanks for joining us.
Dave Bittner: [00:12:55:16] And that's the CyberWire. For links to all of our stories, visit TheCyberWire.com. If you have questions for any of our academic and research partners, you can send them in to firstname.lastname@example.org. We'd love to hear from you. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. I'm Dave Bittner. Thanks for listening.